Analysis

  • max time kernel
    151s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 02:24

General

  • Target

    40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe

  • Size

    163KB

  • MD5

    ac13d94cacaf23b6e81a2701ff974319

  • SHA1

    957df0b2f9f1e73a0d866e3ef2f82c2c5078061c

  • SHA256

    40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13

  • SHA512

    003870b0e296396ae645bd42a00ed3306ec68581d9158a5ceb09d235c3bac7b1ea9edd00717950839003761e348a3475b503ca55054312fb6624d191456fa76e

  • SSDEEP

    3072:eRHYIPwGaXaBOV/fXj5NvfeNKRQsoCoc0AAlFcbEVB/9ggwBI:elYIPfRo5L5NTR7oe0AgcwF9jwBI

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 6 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe
    "C:\Users\Admin\AppData\Local\Temp\40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Windows\wr.exe
      C:\Windows\wr.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1812

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\wr.exe
    Filesize

    17KB

    MD5

    ead93401f3f9a67b01eee18e93cfe9ff

    SHA1

    e65efd0e5a4286a9a221ef9747c95ed3436312bd

    SHA256

    f9ef8acc245ad8abee4d767c04781c7f7e5b1fa4aea9f6e4682c31e1e51183ff

    SHA512

    a234953431a18b9bf4f06908cec9cc195d825687d9863b807cb9af8284fc54ee4ec1f3d6ae92bafcd26c50d6d6739c46fa857dc199456a695654a6f4b0932f0b

  • memory/1812-133-0x0000000000000000-mapping.dmp
  • memory/1812-136-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

  • memory/1812-138-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

  • memory/1812-140-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

  • memory/3256-132-0x0000000000400000-0x000000000046F000-memory.dmp
    Filesize

    444KB

  • memory/3256-137-0x0000000000400000-0x000000000046F000-memory.dmp
    Filesize

    444KB

  • memory/3256-139-0x0000000000400000-0x000000000046F000-memory.dmp
    Filesize

    444KB

  • memory/3256-141-0x0000000000400000-0x000000000046F000-memory.dmp
    Filesize

    444KB