Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • submitted
    25-07-2022 08:25

General

  • Target

    b7f74c02e8e4dc10eb8f11d0e107310e.exe

  • Size

    1MB

  • MD5

    b7f74c02e8e4dc10eb8f11d0e107310e

  • SHA1

    d7efa03c14830997e55c78365ee15bd8c1c01971

  • SHA256

    3ac761271417ecf9e5e8e6152f3c9bbcaf8863286da6933f5fc4c7a2462a31e9

  • SHA512

    d64d3224075ca55efe055dca5f9fcb658b4541db94db1908a05924827b1d6d290e5f0bab83477a13fc29292793e32e420d6183155076235f8ebc26363b2e5c44

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload ⋅ 4 IoCs
  • Sets DLL path for service in the registry ⋅ 2 TTPs 1 IoCs
  • UPX packed file ⋅ 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL ⋅ 1 IoCs
  • Drops file in System32 directory ⋅ 1 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Launches sc.exe ⋅ 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs ping.exe ⋅ 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 24 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 2 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7f74c02e8e4dc10eb8f11d0e107310e.exe
    "C:\Users\Admin\AppData\Local\Temp\b7f74c02e8e4dc10eb8f11d0e107310e.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:4108
    • C:\Users\Admin\AppData\Local\Temp\b7f74c02e8e4dc10eb8f11d0e107310e.exe
      Sets DLL path for service in the registry
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\SysWOW64\sc.exe
        sc failure SQL Server Reporting Services (MSSQLSERVSER) reset= 86400 actions= restart/1000
        Launches sc.exe
        PID:4492
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\System32\\Delete00.bat
        Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          Runs ping.exe
          PID:4368
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    Loads dropped DLL
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:4396

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp
                      MD5

                      2148ed98f723563683990f569d23bf43

                      SHA1

                      25cfad1a06933f65f7d110a81d7adbfa83c19005

                      SHA256

                      b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a

                      SHA512

                      8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa

                    • C:\Windows\SysWOW64\Delete00.bat
                      MD5

                      fe72e026fa4c2520aa971558762d04c9

                      SHA1

                      8efaf78444b8d155d7174a5500f3980b4c53c0ff

                      SHA256

                      e0d8793794aafd2f6619820c93f9f9a8f7c59c0187339d4c4330c9c67a8efbaf

                      SHA512

                      21384f6f4826b306ec1b760161faec85a643b660418438773bba9deb18a668ee4e6e6edeb75137a290df06e4c3619bc03dfc98fb0099ad00200340a34378c7cd

                    • \??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp
                      MD5

                      2148ed98f723563683990f569d23bf43

                      SHA1

                      25cfad1a06933f65f7d110a81d7adbfa83c19005

                      SHA256

                      b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a

                      SHA512

                      8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa

                    • memory/2116-131-0x0000000000000000-mapping.dmp
                    • memory/2116-132-0x0000000000400000-0x0000000000611000-memory.dmp
                    • memory/2116-135-0x0000000000400000-0x0000000000611000-memory.dmp
                    • memory/2116-136-0x0000000000400000-0x0000000000611000-memory.dmp
                    • memory/2116-142-0x0000000000400000-0x0000000000611000-memory.dmp
                    • memory/2184-140-0x0000000000000000-mapping.dmp
                    • memory/4108-134-0x0000000000400000-0x00000000005CA000-memory.dmp
                    • memory/4108-130-0x0000000000400000-0x00000000005CA000-memory.dmp
                    • memory/4368-144-0x0000000000000000-mapping.dmp
                    • memory/4396-141-0x0000000001BF0000-0x0000000001BFB000-memory.dmp
                    • memory/4396-145-0x0000000001BF0000-0x0000000001BFB000-memory.dmp
                    • memory/4492-137-0x0000000000000000-mapping.dmp