Analysis

max time kernel: 517s
max time network: 435s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2025, 02:18

Behavioral task: behavioral1
Sample: yunyu1.dll
Resource: win10v2004-20250314-en
8 signatures
600 seconds

Behavioral task: behavioral2
Sample: out.dll
Resource: win10v2004-20250314-en
3 signatures
600 seconds
General

Target: yunyu1.dll
Size: 3.3MB
MD5: 5cebb26986fc489229f5c83efeff3edb
SHA1: 394d4ec00bbed12415f6f7df068f76606b2fb9b8
SHA256: 7a3ab1c009b5d827ab2245cb26cb9c70999542ebc0c4f40d97ca4116421cfad4
SHA512: 61af80903d690a01c7c542b050654be5f318099871a7ba602ecf79a6f7d335f172b10f5cac33cb7139dd7773b68f236a8f8e4dd482486197fb7b81288900e99f
SSDEEP: 98304:wSm9lpNfXVZI057IFL1v0X+JMYE49Lt5UrrIz+6Kf6g/FUKZeRn2RXA09LWBpSv6:wSYUq+JMcKIz7KvFM2SBpSc78T9W7
Malware Config
Signatures

- Blackmoon family

- Detect Blackmoon payload 2 IoCs
  resource: behavioral1/memory/4476-2-0x0000000010000000-0x0000000010558000-memory.dmp, yara_rule: family_blackmoon
  resource: behavioral1/memory/4476-3-0x0000000010000000-0x0000000010558000-memory.dmp, yara_rule: family_blackmoon

- Blocklisted process makes network request 1 IoCs
  flow: 21, pid: 4476, Process: rundll32.exe

- yara_rule upx (3 matches)
  resource: behavioral1/memory/4476-0-0x0000000010000000-0x0000000010558000-memory.dmp, yara_rule: upx
  resource: behavioral1/memory/4476-2-0x0000000010000000-0x0000000010558000-memory.dmp, yara_rule: upx
  resource: behavioral1/memory/4476-3-0x0000000010000000-0x0000000010558000-memory.dmp, yara_rule: upx
- System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid: 4476, Process: rundll32.exe (the same pid/process pair for all 64 IoCs)
- Suspicious use of WriteProcessMemory 3 IoCs
  description: PID 6044 wrote to memory of 4476, pid: 6044, Process: rundll32.exe, procid_target: 86 (recorded 3 times)
Processes

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\yunyu1.dll,#1
  PID: 6044
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\yunyu1.dll,#1
    PID: 4476
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses