Overview

overview

10

Static

static

8

b7f74c02e8...0e.exe

windows7-x64

10

b7f74c02e8...0e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • submitted
    25-07-2022 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7f74c02e8e4dc10eb8f11d0e107310e.exe

  • Size

    1.2MB

  • MD5

    b7f74c02e8e4dc10eb8f11d0e107310e

  • SHA1

    d7efa03c14830997e55c78365ee15bd8c1c01971

  • SHA256

    3ac761271417ecf9e5e8e6152f3c9bbcaf8863286da6933f5fc4c7a2462a31e9

  • SHA512

    d64d3224075ca55efe055dca5f9fcb658b4541db94db1908a05924827b1d6d290e5f0bab83477a13fc29292793e32e420d6183155076235f8ebc26363b2e5c44

Score
10/10
blackmoonbankerpersistencetrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 4 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7f74c02e8e4dc10eb8f11d0e107310e.exe
    "C:\Users\Admin\AppData\Local\Temp\b7f74c02e8e4dc10eb8f11d0e107310e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4108
    • C:\Users\Admin\AppData\Local\Temp\b7f74c02e8e4dc10eb8f11d0e107310e.exe
      2⤵
      • Sets DLL path for service in the registry
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\SysWOW64\sc.exe
        sc failure SQL Server Reporting Services (MSSQLSERVSER) reset= 86400 actions= restart/1000
        3⤵
        • Launches sc.exe
        PID:4492
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\System32\\Delete00.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:4368
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4396

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp
    Filesize

    936KB

    MD5

    2148ed98f723563683990f569d23bf43

    SHA1

    25cfad1a06933f65f7d110a81d7adbfa83c19005

    SHA256

    b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a

    SHA512

    8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa

    Download Submit

  • C:\Windows\SysWOW64\Delete00.bat
    Filesize

    133B

    MD5

    fe72e026fa4c2520aa971558762d04c9

    SHA1

    8efaf78444b8d155d7174a5500f3980b4c53c0ff

    SHA256

    e0d8793794aafd2f6619820c93f9f9a8f7c59c0187339d4c4330c9c67a8efbaf

    SHA512

    21384f6f4826b306ec1b760161faec85a643b660418438773bba9deb18a668ee4e6e6edeb75137a290df06e4c3619bc03dfc98fb0099ad00200340a34378c7cd

    Download Submit

  • \??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp
    Filesize

    936KB

    MD5

    2148ed98f723563683990f569d23bf43

    SHA1

    25cfad1a06933f65f7d110a81d7adbfa83c19005

    SHA256

    b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a

    SHA512

    8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa

    Download Submit

  • memory/2116-131-0x0000000000000000-mapping.dmp

    Download

  • memory/2116-132-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2116-135-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2116-136-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2116-142-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2184-140-0x0000000000000000-mapping.dmp

    Download

  • memory/4108-134-0x0000000000400000-0x00000000005CA000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4108-130-0x0000000000400000-0x00000000005CA000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4368-144-0x0000000000000000-mapping.dmp

    Download

  • memory/4396-141-0x0000000001BF0000-0x0000000001BFB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4396-145-0x0000000001BF0000-0x0000000001BFB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4492-137-0x0000000000000000-mapping.dmp

    Download