Analysis
-
max time kernel
204s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
25-11-2022 19:42
General
-
Target
0927e4d14df517b0488aac0631fbbeeea13fa5d8a6ec00bc4749c6669dc966fa.exe
-
Size
82KB
-
MD5
3c86ad63c6884aacde7f7c574a9a5593
-
SHA1
9f9793fe31566dd24750efe8fc8a6a0c43f023af
-
SHA256
0927e4d14df517b0488aac0631fbbeeea13fa5d8a6ec00bc4749c6669dc966fa
-
SHA512
aee9dc5bf4dfef41cb5c868e48dc8cc344c3604edf097fdeb6a5a6109b229831dc970e72b0af452b2d270e2c21bf54913079076a6ff19381623450068f9ec95b
-
SSDEEP
1536:/sVyZh7S+jOvKCuv+5eKQ2vES36M7o5jUabtHnIwGsdbMK:/d2KC++5eKQ2vEK37oV3toHa
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0927e4d14df517b0488aac0631fbbeeea13fa5d8a6ec00bc4749c6669dc966fa.exe"C:\Users\Admin\AppData\Local\Temp\0927e4d14df517b0488aac0631fbbeeea13fa5d8a6ec00bc4749c6669dc966fa.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\elxplorerpnnsg.exe"C:\Users\Admin\AppData\Local\Temp\elxplorerpnnsg.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\elxplorerpnnsg.exeFilesize
82KB
MD542c16b514ef73745f9fca9f84289f6b9
SHA18ef055eb653ec775125f4ac94c7fcca0a1433a01
SHA256899ca3c945498b2981fcb44fd113b1e6a5498fd843e54a422cbe11c19ffdc197
SHA512835347bd674358658b462e91836a878600330b3c4b81cd530643f03d06e24c2886928f589817a219666c2c513299db7a48bbe814285a6868e23eca96b5e81c1b
-
C:\Users\Admin\AppData\Local\Temp\elxplorerpnnsg.exeFilesize
82KB
MD542c16b514ef73745f9fca9f84289f6b9
SHA18ef055eb653ec775125f4ac94c7fcca0a1433a01
SHA256899ca3c945498b2981fcb44fd113b1e6a5498fd843e54a422cbe11c19ffdc197
SHA512835347bd674358658b462e91836a878600330b3c4b81cd530643f03d06e24c2886928f589817a219666c2c513299db7a48bbe814285a6868e23eca96b5e81c1b
-
C:\Users\Admin\AppData\Local\Temp\lpath.iniFilesize
102B
MD57dfe9d8c9eaf32e43b7704b6a41b0be9
SHA11b267b7393cfffa419b4aa73e897d23b23c3f941
SHA2566c643606f63abfb0bd68d2dcd154384bcff84c7fa2e4193c6908c0244ab19972
SHA5121c50fed4f8b7b608b8fd2f594c7f0022b4166723b419baffb5bcd47042cc9b3c3036202ab0e9e8ae755158921179b11407f48a9105683372538f58a2af9ab169
-
memory/1228-132-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1228-137-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/3576-133-0x0000000000000000-mapping.dmp
-
memory/3576-136-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB