Analysis

max time kernel: 82s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 21:17
Behavioral task: behavioral1
Sample: 859ba1a21b3ce7168c45c375fb29b8a452466075f3ed528870a5ea0deff6dc9aN.dll
Resource: win7-20240903-en
General

Target: 859ba1a21b3ce7168c45c375fb29b8a452466075f3ed528870a5ea0deff6dc9aN.dll
Size: 144KB
MD5: af716af2364fa04c83c61dc70a550d40
SHA1: d1628077b4965a0ce4986291fb2a1d58570c51af
SHA256: 859ba1a21b3ce7168c45c375fb29b8a452466075f3ed528870a5ea0deff6dc9a
SHA512: 53c6254a180cd148e832f3baf58a2f774b1855411c74a7dda0a0d5cbb00101e2aec09cfbbcd35a34447d8b347252a0f21c5f486368e58621799a144cca7b32a6
SSDEEP: 3072:S5VK0lTSG9xoC+CQpiU5M+U3mjfv2JxhGtB90N4w:N0T9xB+CUQmjfvIxhGtBWN
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2832-24-0x0000000000400000-0x0000000000D25000-memory.dmp | family_blackmoon
  behavioral1/memory/2832-53-0x0000000000400000-0x0000000000D25000-memory.dmp | family_blackmoon
  behavioral1/memory/2832-13597-0x0000000000400000-0x0000000000D25000-memory.dmp | family_blackmoon
  behavioral1/memory/2832-13599-0x0000000000400000-0x0000000000D25000-memory.dmp | family_blackmoon
- Gh0st RAT payload (7 IoCs)
  resource | yara_rule
  behavioral1/memory/1088-8-0x0000000000400000-0x0000000000409000-memory.dmp | family_gh0strat
  behavioral1/memory/1088-7-0x0000000000400000-0x0000000000409000-memory.dmp | family_gh0strat
  behavioral1/memory/1088-9-0x0000000000400000-0x0000000000409000-memory.dmp | family_gh0strat
  behavioral1/memory/1088-5-0x0000000000400000-0x0000000000409000-memory.dmp | family_gh0strat
  behavioral1/memory/1088-3-0x0000000000400000-0x0000000000409000-memory.dmp | family_gh0strat
  behavioral1/memory/1088-2-0x0000000000400000-0x0000000000409000-memory.dmp | family_gh0strat
  behavioral1/memory/1088-10-0x0000000000400000-0x0000000000409000-memory.dmp | family_gh0strat
- Gh0strat family
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  pid | Process
  2832 | MpMgSvc.exe
  6364 | Eternalblue-2.2.0.exe
  7844 | Eternalblue-2.2.0.exe
- Loads dropped DLL (23 IoCs)
  pid | Process
  1088 | svchost.exe
  1088 | svchost.exe
  2832 | MpMgSvc.exe
  2832 | MpMgSvc.exe
  6364 | Eternalblue-2.2.0.exe
  6364 | Eternalblue-2.2.0.exe
  6364 | Eternalblue-2.2.0.exe
  6364 | Eternalblue-2.2.0.exe
  6364 | Eternalblue-2.2.0.exe
  6364 | Eternalblue-2.2.0.exe
  6364 | Eternalblue-2.2.0.exe
  6364 | Eternalblue-2.2.0.exe
  6364 | Eternalblue-2.2.0.exe
  2832 | MpMgSvc.exe
  7844 | Eternalblue-2.2.0.exe
  7844 | Eternalblue-2.2.0.exe
  7844 | Eternalblue-2.2.0.exe
  7844 | Eternalblue-2.2.0.exe
  7844 | Eternalblue-2.2.0.exe
  7844 | Eternalblue-2.2.0.exe
  7844 | Eternalblue-2.2.0.exe
  7844 | Eternalblue-2.2.0.exe
  7844 | Eternalblue-2.2.0.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 944 set thread context of 1088 | 944 | rundll32.exe | 31
- yara_rule upx matches (6 IoCs)
  resource | yara_rule
  behavioral1/files/0x000a0000000122ea-15.dat | upx
  behavioral1/memory/1088-23-0x0000000003350000-0x0000000003C75000-memory.dmp | upx
  behavioral1/memory/2832-24-0x0000000000400000-0x0000000000D25000-memory.dmp | upx
  behavioral1/memory/2832-53-0x0000000000400000-0x0000000000D25000-memory.dmp | upx
  behavioral1/memory/2832-13597-0x0000000000400000-0x0000000000D25000-memory.dmp | upx
  behavioral1/memory/2832-13599-0x0000000000400000-0x0000000000D25000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eternalblue-2.2.0.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eternalblue-2.2.0.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MpMgSvc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2832 | MpMgSvc.exe
  2832 | MpMgSvc.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 944 wrote to memory of 1088 | 944 | rundll32.exe | 31
  PID 944 wrote to memory of 1088 | 944 | rundll32.exe | 31
  PID 944 wrote to memory of 1088 | 944 | rundll32.exe | 31
  PID 944 wrote to memory of 1088 | 944 | rundll32.exe | 31
  PID 944 wrote to memory of 1088 | 944 | rundll32.exe | 31
  PID 944 wrote to memory of 1088 | 944 | rundll32.exe | 31
  PID 944 wrote to memory of 1088 | 944 | rundll32.exe | 31
  PID 944 wrote to memory of 1088 | 944 | rundll32.exe | 31
  PID 944 wrote to memory of 1088 | 944 | rundll32.exe | 31
  PID 1088 wrote to memory of 2832 | 1088 | svchost.exe | 33
  PID 1088 wrote to memory of 2832 | 1088 | svchost.exe | 33
  PID 1088 wrote to memory of 2832 | 1088 | svchost.exe | 33
  PID 1088 wrote to memory of 2832 | 1088 | svchost.exe | 33
  PID 2832 wrote to memory of 6364 | 2832 | MpMgSvc.exe | 34
  PID 2832 wrote to memory of 6364 | 2832 | MpMgSvc.exe | 34
  PID 2832 wrote to memory of 6364 | 2832 | MpMgSvc.exe | 34
  PID 2832 wrote to memory of 6364 | 2832 | MpMgSvc.exe | 34
  PID 2832 wrote to memory of 7844 | 2832 | MpMgSvc.exe | 36
  PID 2832 wrote to memory of 7844 | 2832 | MpMgSvc.exe | 36
  PID 2832 wrote to memory of 7844 | 2832 | MpMgSvc.exe | 36
  PID 2832 wrote to memory of 7844 | 2832 | MpMgSvc.exe | 36
Processes

- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\859ba1a21b3ce7168c45c375fb29b8a452466075f3ed528870a5ea0deff6dc9aN.dll,#1
  PID: 944
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    PID: 1088
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\Temp\MpMgSvc.exe (depth 3)
      Command line: "C:\WINDOWS\Temp\MpMgSvc.exe"
      PID: 2832
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\WINDOWS\Temp\Eternalblue-2.2.0.exe (depth 4)
        Command line: Eternalblue-2.2.0.exe --TargetIp 10.127.0.117 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
        PID: 6364
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      - C:\WINDOWS\Temp\Eternalblue-2.2.0.exe (depth 4)
        Command line: Eternalblue-2.2.0.exe --TargetIp 10.127.0.117 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
        PID: 7844
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 126KB
  MD5: 8c80dd97c37525927c1e549cb59bcbf3
  SHA1: 4e80fa7d98c8e87facecdef0fc7de0d957d809e1
  SHA256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
  SHA512: 50e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e
- Filesize: 7KB
  MD5: 497080fed2000e8b49ee2e97e54036b1
  SHA1: 4af3fae881a80355dd09df6e736203c30c4faac5
  SHA256: 756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380
  SHA512: 4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df
- Filesize: 3.2MB
  MD5: 3809c59565787ee7398fe9222d4bd669
  SHA1: 68842768c9ae9deb1d1d7ed2b27846c392b47103
  SHA256: c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6
  SHA512: 2f78ad26acfe15f4682b69090704fa8ebb24938c8a58b8d343ef0993e8234897aed53dfcea4119168f915384fe545d2cbb16bc12339d0600dafae06deefc9098
- Filesize: 22KB
  MD5: b367f4afd79a1a2bcb00c243fd08a296
  SHA1: 323cd083d52b9f00773a392dbd8209f4cd80432b
  SHA256: e9f96c28f8ebefda5ba8726b144cd782aaec3fad65196243ae9d729c8882ffca
  SHA512: ec8f03902037c9419137aa9fa58ab499480071c66ab8d58eb4d81b1c22e5196bc377f0f2bde0fcb4c6deafaf43dcc74d10ca71105cc1b46311466dba0e5e33e3
- Filesize: 15KB
  MD5: 3c2fe2dbdf09cfa869344fdb53307cb2
  SHA1: b67a8475e6076a24066b7cb6b36d307244bb741f
  SHA256: 0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887
  SHA512: d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c
- Filesize: 10KB
  MD5: ba629216db6cf7c0c720054b0c9a13f3
  SHA1: 37bb800b2bb812d4430e2510f14b5b717099abaa
  SHA256: 15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9
  SHA512: c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9
- Filesize: 807KB
  MD5: 9a5cec05e9c158cbc51cdc972693363d
  SHA1: ca4d1bb44c64a85871944f3913ca6ccddfa2dc04
  SHA256: aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3
  SHA512: 8af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94
- Filesize: 11KB
  MD5: 2f0a52ce4f445c6e656ecebbcaceade5
  SHA1: 35493e06b0b2cdab2211c0fc02286f45d5e2606d
  SHA256: cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb
  SHA512: 88151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1
- Filesize: 232KB
  MD5: f0881d5a7f75389deba3eff3f4df09ac
  SHA1: 8404f2776fa8f7f8eaffb7a1859c19b0817b147a
  SHA256: ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362
  SHA512: f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e
- Filesize: 58KB
  MD5: 838ceb02081ac27de43da56bec20fc76
  SHA1: 972ab587cdb63c8263eb977f10977fd7d27ecf7b
  SHA256: 0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f
  SHA512: bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22
- Filesize: 29KB
  MD5: 3e89c56056e5525bf4d9e52b28fbbca7
  SHA1: 08f93ab25190a44c4e29bee5e8aacecc90dab80c
  SHA256: b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa
  SHA512: 32487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6
- Filesize: 9KB
  MD5: 83076104ae977d850d1e015704e5730a
  SHA1: 776e7079734bc4817e3af0049f42524404a55310
  SHA256: cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12
  SHA512: bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8
- Filesize: 57KB
  MD5: 6b7276e4aa7a1e50735d2f6923b40de4
  SHA1: db8603ac6cac7eb3690f67af7b8d081aa9ce3075
  SHA256: f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a
  SHA512: 58e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa