Analysis

  • max time kernel
    110s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-11-2022 11:59

General

  • Target

    70c1395c202359a6d45426a2ba8d045dfbb9dcfbd0b294173e2403310be3f1fa.exe

  • Size

    10.8MB

  • MD5

    1c974b9aaf3a98cd2221591db21f9f93

  • SHA1

    19cc90e4969a97971d5a45bccd35bf5612644de7

  • SHA256

    70c1395c202359a6d45426a2ba8d045dfbb9dcfbd0b294173e2403310be3f1fa

  • SHA512

    54df741f40a3d641d6f9b711e614f14eb4b207d255d3b8ced850dcf90701cb16626cf1027f9a8bd5d3412e5edd3b8b83c644dc39afe579d57cabff78617a5f8a

  • SSDEEP

    196608:lU6na3D1MLj1Zd//tYL/LQ1K+AHtIa8SL:lUbM5/aL/RHtpxL

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70c1395c202359a6d45426a2ba8d045dfbb9dcfbd0b294173e2403310be3f1fa.exe
    "C:\Users\Admin\AppData\Local\Temp\70c1395c202359a6d45426a2ba8d045dfbb9dcfbd0b294173e2403310be3f1fa.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\rom1076.tmp.exe > C:\Users\Admin\AppData\Local\Temp\rom1076.tmp
      2⤵
      PID:1756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\rom12B8.tmp.exe > C:\Users\Admin\AppData\Local\Temp\rom12B8.tmp
      2⤵
      PID:1004
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.91chg.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence (1): Bootkit, T1067
  • Defense Evasion (1): Modify Registry, T1112
  • Discovery (1): System Information Discovery, T1082

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 61KB
    MD5: 3dcf580a93972319e82cafbc047d34d5
    SHA1: 8528d2a1363e5de77dc3b1142850e51ead0f4b6b
    SHA256: 40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1
    SHA512: 98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 7529085cb2ce7211d3873de2fe19a433
    SHA1: 89a7099667415cfb16af3fa5f4ab03390b9e7bbe
    SHA256: ed6007fabe80c7b51f59cca035d5d5de1019c7df402a9e00b76dad07812a0448
    SHA512: b7310bf530a0c8d9252afac136238934a9339f0bbc14b6f1f9e222f553aae28cdb1dd8df9383943b53e2f5b314eceae256077254bb79aa1b2b764c14ad84a34e

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
    Filesize: 5KB
    MD5: 7d21ba3d51fad5d08ac11b8710bb3801
    SHA1: da1b820bc5957fd8f275c26b64b74cafc399e388
    SHA256: 4742c3972ad8cf95378d9f80cfb7f793cbd1626682c5a2880dbe1c92629561d2
    SHA512: 57fdfc7d5a94385c8fb9678eca7bb0e1fe3f8b8544b237d1586d24ee55d44daf54cea9d925f9d09a899a1b6fce92911b51cf758b7aa61bca0c85185511fd070f

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
    Filesize: 6KB
    MD5: b9fcdde0ba29d21729b7f68f4b3de809
    SHA1: f2410ea2eb8d43b02327a27c75d77d219ef020a3
    SHA256: 7e2e933e1175b8c9e555762540dc5508de9c47a962608b4afd9f1869cdc2ba29
    SHA512: 94e97e1697dc36a4e5cfbc4a728106a0e0f7d6b4f5abdb753ac5c565dc55a14377dbdd7d168c43430113e0d51d8735640e8a54c239cb566e1cb3f594957b2e53

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\899P31UD.txt
    Filesize: 603B
    MD5: 8efdbfc7e35c5eff2b9896b3a93660e0
    SHA1: c16dae64e59baddaf7fc11fa4d0633e980642e3a
    SHA256: 009633b5cc3438b8c56a851e2ca79b965b20f4dd625f55ef10097bc72de1bf06
    SHA512: 640dbafd86ca5661239d80094468b8e5766b38cb968dc03a529a282ab24be1458d047f52b1e4aea8a62674f10dc82f6f356414ccf5a83b1296a28bad61f5b37b

  • memory/1004-59-0x0000000000000000-mapping.dmp
  • memory/1756-57-0x0000000000000000-mapping.dmp
  • memory/1808-61-0x0000000000400000-0x0000000000F03000-memory.dmp
    Filesize: 11.0MB
  • memory/1808-62-0x00000000003B0000-0x00000000003D6000-memory.dmp
    Filesize: 152KB
  • memory/1808-60-0x00000000003B0000-0x00000000003D6000-memory.dmp
    Filesize: 152KB
  • memory/1808-58-0x00000000003B0000-0x00000000003D6000-memory.dmp
    Filesize: 152KB
  • memory/1808-54-0x0000000076171000-0x0000000076173000-memory.dmp
    Filesize: 8KB
  • memory/1808-56-0x0000000000400000-0x0000000000F03000-memory.dmp
    Filesize: 11.0MB
  • memory/1808-55-0x0000000000400000-0x0000000000F03000-memory.dmp
    Filesize: 11.0MB