Analysis
-
max time kernel
151s -
max time network
161s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
25-11-2022 19:42
General
-
Target
0927e4d14df517b0488aac0631fbbeeea13fa5d8a6ec00bc4749c6669dc966fa.exe
-
Size
82KB
-
MD5
3c86ad63c6884aacde7f7c574a9a5593
-
SHA1
9f9793fe31566dd24750efe8fc8a6a0c43f023af
-
SHA256
0927e4d14df517b0488aac0631fbbeeea13fa5d8a6ec00bc4749c6669dc966fa
-
SHA512
aee9dc5bf4dfef41cb5c868e48dc8cc344c3604edf097fdeb6a5a6109b229831dc970e72b0af452b2d270e2c21bf54913079076a6ff19381623450068f9ec95b
-
SSDEEP
1536:/sVyZh7S+jOvKCuv+5eKQ2vES36M7o5jUabtHnIwGsdbMK:/d2KC++5eKQ2vEK37oV3toHa
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 5 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0927e4d14df517b0488aac0631fbbeeea13fa5d8a6ec00bc4749c6669dc966fa.exe"C:\Users\Admin\AppData\Local\Temp\0927e4d14df517b0488aac0631fbbeeea13fa5d8a6ec00bc4749c6669dc966fa.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\elxplorerbhmui.exe"C:\Users\Admin\AppData\Local\Temp\elxplorerbhmui.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\elxplorerbhmui.exeFilesize
82KB
MD542c16b514ef73745f9fca9f84289f6b9
SHA18ef055eb653ec775125f4ac94c7fcca0a1433a01
SHA256899ca3c945498b2981fcb44fd113b1e6a5498fd843e54a422cbe11c19ffdc197
SHA512835347bd674358658b462e91836a878600330b3c4b81cd530643f03d06e24c2886928f589817a219666c2c513299db7a48bbe814285a6868e23eca96b5e81c1b
-
C:\Users\Admin\AppData\Local\Temp\elxplorerbhmui.exeFilesize
82KB
MD542c16b514ef73745f9fca9f84289f6b9
SHA18ef055eb653ec775125f4ac94c7fcca0a1433a01
SHA256899ca3c945498b2981fcb44fd113b1e6a5498fd843e54a422cbe11c19ffdc197
SHA512835347bd674358658b462e91836a878600330b3c4b81cd530643f03d06e24c2886928f589817a219666c2c513299db7a48bbe814285a6868e23eca96b5e81c1b
-
C:\Users\Admin\AppData\Local\Temp\lpath.iniFilesize
102B
MD57dfe9d8c9eaf32e43b7704b6a41b0be9
SHA11b267b7393cfffa419b4aa73e897d23b23c3f941
SHA2566c643606f63abfb0bd68d2dcd154384bcff84c7fa2e4193c6908c0244ab19972
SHA5121c50fed4f8b7b608b8fd2f594c7f0022b4166723b419baffb5bcd47042cc9b3c3036202ab0e9e8ae755158921179b11407f48a9105683372538f58a2af9ab169
-
\Users\Admin\AppData\Local\Temp\elxplorerbhmui.exeFilesize
82KB
MD542c16b514ef73745f9fca9f84289f6b9
SHA18ef055eb653ec775125f4ac94c7fcca0a1433a01
SHA256899ca3c945498b2981fcb44fd113b1e6a5498fd843e54a422cbe11c19ffdc197
SHA512835347bd674358658b462e91836a878600330b3c4b81cd530643f03d06e24c2886928f589817a219666c2c513299db7a48bbe814285a6868e23eca96b5e81c1b
-
\Users\Admin\AppData\Local\Temp\elxplorerbhmui.exeFilesize
82KB
MD542c16b514ef73745f9fca9f84289f6b9
SHA18ef055eb653ec775125f4ac94c7fcca0a1433a01
SHA256899ca3c945498b2981fcb44fd113b1e6a5498fd843e54a422cbe11c19ffdc197
SHA512835347bd674358658b462e91836a878600330b3c4b81cd530643f03d06e24c2886928f589817a219666c2c513299db7a48bbe814285a6868e23eca96b5e81c1b
-
memory/944-54-0x0000000075351000-0x0000000075353000-memory.dmpFilesize
8KB
-
memory/944-55-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/944-56-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/944-63-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1964-59-0x0000000000000000-mapping.dmp
-
memory/1964-62-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1964-66-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB