Analysis

  • max time kernel
    41s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/09/2022, 10:58

General

  • Target

    tmp.exe

  • Size

    107KB

  • MD5

    5b2dbd6f2668a6d4a304007a7554806c

  • SHA1

    cb40d7f273af19a4474dbe0a96bddb68a8e535df

  • SHA256

    a299fe9f7c5902b0faa026ef0c9aa59292dfe3fa9983e1abd801472cb2d3e26d

  • SHA512

    8226086ac4e1f6a3c40d3b8f69d88d78262696a51101eb94aec3b82f6abb35e633da640dc8826ab2753009bf12d40f51a0e48ccc32f738d69c0e5b0124b72281

  • SSDEEP

    1536:swSFvo7h95drZApq4nVNlobB+3aA4XrPZlfyo63EnOGkE+Z7XbT7mNhcbAsgFnxM:b93Inri+KAo/xOZ1X7bbAsE

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 1 IoCs
  • Kills process with taskkill 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:904
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1644
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1652
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:516
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c z.exe f.sys b.sys
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\temp\z.exe
        z.exe f.sys b.sys
        3⤵
        • Executes dropped EXE
        • Sets service image path in registry
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c z.exe b.sys
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\temp\z.exe
        z.exe b.sys
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2028

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\Temp\z.exe

    Filesize

    19KB

    MD5

    5a553b1c9a9dd4a03331d9b33951adad

    SHA1

    c26e3652ef52539924d873631295a0bd74f4791f

    SHA256

    9dd7c4d245afd85ca1fbaf786d629e1a941616c6f6fb8cb55300d3fa5cacdb79

    SHA512

    f02709fb20e4646e8b7342983d3ba9428f824cde84d9223d55be300d74e8a2d60388ee603eb25e52f92a412e0467d6cc9ff603f3b506afb1fb286e391d82a567

  • \Windows\Temp\z.exe

    Filesize

    19KB

    MD5

    5a553b1c9a9dd4a03331d9b33951adad

    SHA1

    c26e3652ef52539924d873631295a0bd74f4791f

    SHA256

    9dd7c4d245afd85ca1fbaf786d629e1a941616c6f6fb8cb55300d3fa5cacdb79

    SHA512

    f02709fb20e4646e8b7342983d3ba9428f824cde84d9223d55be300d74e8a2d60388ee603eb25e52f92a412e0467d6cc9ff603f3b506afb1fb286e391d82a567

  • memory/1072-65-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

    Filesize

    8KB

  • memory/1408-55-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

  • memory/1408-69-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB