Overview

overview

10

Static

static

10

5cedc86c7b...af.exe

windows7-x64

10

5cedc86c7b...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    167s
  • max time network
    247s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 07:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe

  • Size

    114KB

  • MD5

    af30ea13a0721fb3e3b95c9824306941

  • SHA1

    feaa318b3f735c8c0f6377adc98489256edca988

  • SHA256

    5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af

  • SHA512

    d77bd0e58dda70cbcda742de520a979e0114184374fee12cbbfcf987ff8155c23caf4a97970af8e5caa30b49b707568c4abe4614e297dc4d2422fe03cea1fcab

  • SSDEEP

    1536:PYOoVTjI9O31bY2/CyON4CsS2c92NYu3qb5KeopfL3dDtI+RZ7:PYO4I9OlbTq72WuS5VgL3dDtIE

Score
10/10
blackmoonbankerpersistencetrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 2 IoCs
  • Drops file in Drivers directory 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe
    "C:\Users\Admin\AppData\Local\Temp\5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Program Files (x86)\Nril\syetom.exe
      "C:\Program Files (x86)\Nril\syetom.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      PID:4204

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Nril\syetom.exe
    Filesize

    114KB

    MD5

    af30ea13a0721fb3e3b95c9824306941

    SHA1

    feaa318b3f735c8c0f6377adc98489256edca988

    SHA256

    5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af

    SHA512

    d77bd0e58dda70cbcda742de520a979e0114184374fee12cbbfcf987ff8155c23caf4a97970af8e5caa30b49b707568c4abe4614e297dc4d2422fe03cea1fcab

    Download Submit
  • C:\Program Files (x86)\Nril\syetom.exe
    Filesize

    114KB

    MD5

    af30ea13a0721fb3e3b95c9824306941

    SHA1

    feaa318b3f735c8c0f6377adc98489256edca988

    SHA256

    5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af

    SHA512

    d77bd0e58dda70cbcda742de520a979e0114184374fee12cbbfcf987ff8155c23caf4a97970af8e5caa30b49b707568c4abe4614e297dc4d2422fe03cea1fcab

    Download Submit
  • memory/4204-132-0x0000000000000000-mapping.dmp
    Download