Overview

overview

10

Static

static

88543a3734...e4.exe

windows7-x64

10

88543a3734...e4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25/11/2022, 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88543a3734f2d2f49d64eac9cbd9a0b4ad39ef049a593b495155db5807be8be4.exe

  • Size

    224KB

  • MD5

    608cd26c9f0bf7848a9fa42e2f9df214

  • SHA1

    8d9e045a0e44f7e4049188b07f498f56ce43fb1d

  • SHA256

    88543a3734f2d2f49d64eac9cbd9a0b4ad39ef049a593b495155db5807be8be4

  • SHA512

    3fc8ad1f5c4c05ca5bda85ac5d4e06b1efd6edcc2c9f99e16bfac7f06fe4018991858ac1642932516c9be8b90c9c35fd5007f03594251ac878c3432dd2b3c000

  • SSDEEP

    6144:mf796MRAjXvujSLdvNJPSR+KxRL7Y0a2XRbNlU0:O79WjXvVGXY0dBplU0

Score
10/10
blackmoonaspackv2bankerpersistencetrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 4 IoCs
  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88543a3734f2d2f49d64eac9cbd9a0b4ad39ef049a593b495155db5807be8be4.exe
    "C:\Users\Admin\AppData\Local\Temp\88543a3734f2d2f49d64eac9cbd9a0b4ad39ef049a593b495155db5807be8be4.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Program Files\Info\360siom.exe
      "C:\Program Files\Info\360siom.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Windows\SysWOW64\calc.exe
        calc.exe
        3⤵
        • Adds Run key to start application
        PID:1780
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • Deletes itself
      PID:988

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Info\360siom.exe
    Filesize

    76KB

    MD5

    170b67264b306aca215bf72bd36b4f53

    SHA1

    0be7190a02ee3bab0389d8473fb515b59889bdca

    SHA256

    be7f35ced141ab9c2f8a964f2eaf5249921f433560f9386f0dd228d8042cebc3

    SHA512

    98d23934df6ecbfc171594fdfdf21ca31a499605dc27f2796b8c7067a6fdaa2988e1134b42fff60cd7eee81b09cc861dbd1cf386aaf68ca1ae909aede2b840ba

    Download Submit

  • C:\Program Files\Info\360siom.exe
    Filesize

    76KB

    MD5

    170b67264b306aca215bf72bd36b4f53

    SHA1

    0be7190a02ee3bab0389d8473fb515b59889bdca

    SHA256

    be7f35ced141ab9c2f8a964f2eaf5249921f433560f9386f0dd228d8042cebc3

    SHA512

    98d23934df6ecbfc171594fdfdf21ca31a499605dc27f2796b8c7067a6fdaa2988e1134b42fff60cd7eee81b09cc861dbd1cf386aaf68ca1ae909aede2b840ba

    Download Submit

  • C:\Program Files\Info\PotPlayer.dll
    Filesize

    45KB

    MD5

    05d65650e23ced5d763530105dd1b7ef

    SHA1

    c1d606d187ec363582667c1a206fcc3a7e5ea289

    SHA256

    7ea795367b2ffb30424367e84e2365b32b0b0ef4815d78eb635c819cc71e7685

    SHA512

    bb7307791aef6c521c00f46c5cd02a6743157c7260bb13f906ccd5a061235a0f70d9a68410e0b53cbf3c5b842bcf35cc31db7554846ffe1e874f2d40c421e374

    Download Submit

  • C:\Program Files\Info\V3like.lnk
    Filesize

    118KB

    MD5

    04efeb8e35d023d3701bca55c489b983

    SHA1

    2a3723a5c2ba80d9d66e058c8f5e5a46249b2786

    SHA256

    cabbab7edc0db61fee3a185d6191dec1f610da839026b8a32c56393726e39682

    SHA512

    aebe8ba35de45978d108e3fca0cfd5be68d9ae01196664a6f94a7512d69216ed5df4827a8fbe45e9ecf605e5d0f5017b4a13b2ab1220976108392da6a1d8be73

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
    Filesize

    300B

    MD5

    d70b5604236ee86dbd092dbcae56a5b3

    SHA1

    550f2e406bc9ba32df7c29ca8a3f877f05b8984b

    SHA256

    451d76a6ef03a7555790c0f65512d6a43bdbf03d61b0d38dacc035c2aa670d69

    SHA512

    d54e8b46f46350e3b2e3bb6499f4a92fbdaedf83e9053c659a6895eb0c68d1abe7e61b2b8fb90e3b827f100bad619b4970638d8d7e69a5df73e8f8fc2ed46d63

    Download Submit

  • \Program Files\Info\360siom.exe
    Filesize

    76KB

    MD5

    170b67264b306aca215bf72bd36b4f53

    SHA1

    0be7190a02ee3bab0389d8473fb515b59889bdca

    SHA256

    be7f35ced141ab9c2f8a964f2eaf5249921f433560f9386f0dd228d8042cebc3

    SHA512

    98d23934df6ecbfc171594fdfdf21ca31a499605dc27f2796b8c7067a6fdaa2988e1134b42fff60cd7eee81b09cc861dbd1cf386aaf68ca1ae909aede2b840ba

    Download Submit

  • \Program Files\Info\PotPlayer.dll
    Filesize

    45KB

    MD5

    05d65650e23ced5d763530105dd1b7ef

    SHA1

    c1d606d187ec363582667c1a206fcc3a7e5ea289

    SHA256

    7ea795367b2ffb30424367e84e2365b32b0b0ef4815d78eb635c819cc71e7685

    SHA512

    bb7307791aef6c521c00f46c5cd02a6743157c7260bb13f906ccd5a061235a0f70d9a68410e0b53cbf3c5b842bcf35cc31db7554846ffe1e874f2d40c421e374

    Download Submit

  • memory/576-73-0x00000000003D0000-0x00000000003EF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/576-62-0x00000000003D0000-0x00000000003EF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1780-64-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1780-68-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1780-70-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1780-71-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1780-66-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1780-63-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1780-78-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1780-79-0x0000000000401000-0x0000000000419000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1976-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

    Filesize

    8KB

    Download