Analysis
max time kernel: 11s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2024 08:18
Behavioral tasks
behavioral1: sample 龙神5.16免费版/3KM2.dll, resource win7-20241010-en
behavioral2: sample 龙神5.16免费版/3KM2.dll, resource win10v2004-20241007-en
behavioral3: sample 龙神5.16免费版/SKY.dll, resource win7-20241010-en
behavioral4: sample 龙神5.16免费版/SKY.dll, resource win10v2004-20241007-en
behavioral5: sample 龙神5.16免费版/龍神辅助免费2013.exe, resource win7-20240729-en
behavioral6: sample 龙神5.16免费版/龍神辅助免费2013.exe, resource win10v2004-20241007-en
behavioral7: sample 龙神5.16免费版/龙神辅助官网.url, resource win7-20241010-en
behavioral8: sample 龙神5.16免费版/龙神辅助官网.url, resource win10v2004-20241007-en
General
Target: 龙神5.16免费版/SKY.dll
Size: 733KB
MD5: aa1d57ec487edb3d00281ecc8446e262
SHA1: a6f2de04e6fe3cd325c285a3e9620473dc0ce5a8
SHA256: 23c2652bc50f2fcc75bccd85acd2d3001dedd8ad860101642f9d055474726ff6
SHA512: 3dcad1fb2c9e807aa2e6a493f103b210cbd89d9f22071b40fece991d8303fc7afbc89e83c9f24789840a7315e2e781078500abbc582eb95db0ee2d15dd841392
SSDEEP: 12288:3gi7mpVdet6O95j4ZSLIP6DJVNApOsldlmwhjouHHXZfraqftTQzk3wer:QImdaF/js+opOMmwdnJftT93z
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral3/memory/2008-4-0x0000000010000000-0x000000001033C000-memory.dmp   family_blackmoon
  behavioral3/memory/2008-15-0x0000000010000000-0x000000001033C000-memory.dmp  family_blackmoon
- yara_rule vmprotect (5 IoCs)
  resource                                                                     yara_rule
  behavioral3/memory/2008-0-0x0000000010000000-0x000000001033C000-memory.dmp   vmprotect
  behavioral3/memory/2008-2-0x0000000010000000-0x000000001033C000-memory.dmp   vmprotect
  behavioral3/memory/2008-1-0x0000000010000000-0x000000001033C000-memory.dmp   vmprotect
  behavioral3/memory/2008-4-0x0000000010000000-0x000000001033C000-memory.dmp   vmprotect
  behavioral3/memory/2008-15-0x0000000010000000-0x000000001033C000-memory.dmp  vmprotect
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2880  2008        WerFault.exe  29
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2008  rundll32.exe
  2008  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2008  rundll32.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2008  rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process       procid_target
  PID 108 wrote to memory of 2008   108   rundll32.exe  29
  PID 108 wrote to memory of 2008   108   rundll32.exe  29
  PID 108 wrote to memory of 2008   108   rundll32.exe  29
  PID 108 wrote to memory of 2008   108   rundll32.exe  29
  PID 108 wrote to memory of 2008   108   rundll32.exe  29
  PID 108 wrote to memory of 2008   108   rundll32.exe  29
  PID 108 wrote to memory of 2008   108   rundll32.exe  29
  PID 2008 wrote to memory of 2880  2008  rundll32.exe  30
  PID 2008 wrote to memory of 2880  2008  rundll32.exe  30
  PID 2008 wrote to memory of 2880  2008  rundll32.exe  30
  PID 2008 wrote to memory of 2880  2008  rundll32.exe  30
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\龙神5.16免费版\SKY.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 108
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\龙神5.16免费版\SKY.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2008
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 344
      - Program crash
      PID: 2880