Overview

overview

10

Static

static

8f2fdc0a52...b8.exe

windows7-x64

10

8f2fdc0a52...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    214s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 05:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe

  • Size

    141KB

  • MD5

    b87df20eda8aea1594ce221ee1fc550a

  • SHA1

    a5e985819ed2be3433b7caa8901e2b6bcb237fc9

  • SHA256

    8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8

  • SHA512

    77a1c83ad951bde5561ae6377f91ce2643962a51f98005b56fa6874ae8e0c35256d715e784703ff2d2cb273cf19d500316661d59ddc37a6712843781c504cef5

  • SSDEEP

    3072:iS13dexXhf2hek4txILwTFnvt2c3Ek4oAJ/gDH9gzuaEgTsDz:iS1twl2he9RIc0kBzuu+s

Score
10/10
blackmoonbankerpersistencetrojanvmprotect

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 3 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
    "C:\Users\Admin\AppData\Local\Temp\8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:920
    • C:\Users\Admin\AppData\Local\Temp\TuxYwz569.exe
      C:\Users\Admin\AppData\Local\Temp\TuxYwz569.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\7275917.txt,M
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        PID:1008
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\7275917.bat
        3⤵
          PID:1076
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe"
        2⤵
        • Deletes itself
        PID:1760

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7275917.bat
      Filesize

      134B

      MD5

      24620b3413f719c3bdeb1e8db07a0884

      SHA1

      b1f1b2122aa0d9e472b30b0fc95108f0de6bd572

      SHA256

      a396ce3fff484e6f62f6ad562292ffe05b0259ae2dc4a997e3a4340fbe01fcbc

      SHA512

      59dc22f0ec4e0e56ad01dec815c909775f0a7fc4694ee3c28afdf52746eb892db47c7696bf3af86bde0fffc6a1004818feeaa74afb2fd2f5850cf0e906688bb2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\7275917.txt
      Filesize

      105KB

      MD5

      a7df87290a05904215cef9c89588b675

      SHA1

      b67c3c1c891cf7680729106d4c77b2c1cabe463b

      SHA256

      b993570b89ca3580c7078464231fe6a9823a80469b15b6c7bfdd0c8c410587ae

      SHA512

      2b1ee03fad425b652443b820411de573376a970e0cade80aed783192fb0c02a525372b460d4b47bfd503ef85091affc5ecec9d8757664eeaace4519ccdb38d94

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TuxYwz569.exe
      Filesize

      80.1MB

      MD5

      6c769718760dcdfef5fa626237aa63c6

      SHA1

      554565c6685bab8e1586ff57b99f065d63315b03

      SHA256

      53a8fbcada2c37034fc11669d06dd9eb151c4dc97582e332f27a5c7ffa68b6d4

      SHA512

      7d4162d011d33a169f371dc4706029d07d344bbbb130b7d5a8cb1c42a2610063aebb12102c5f5c9829a5bb14f3e8064d6aa119c4017267a12a8d41b233887c15

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TuxYwz569.exe
      Filesize

      80.1MB

      MD5

      6c769718760dcdfef5fa626237aa63c6

      SHA1

      554565c6685bab8e1586ff57b99f065d63315b03

      SHA256

      53a8fbcada2c37034fc11669d06dd9eb151c4dc97582e332f27a5c7ffa68b6d4

      SHA512

      7d4162d011d33a169f371dc4706029d07d344bbbb130b7d5a8cb1c42a2610063aebb12102c5f5c9829a5bb14f3e8064d6aa119c4017267a12a8d41b233887c15

      Download Submit
    • \Users\Admin\AppData\Local\Temp\7275917.txt
      Filesize

      105KB

      MD5

      a7df87290a05904215cef9c89588b675

      SHA1

      b67c3c1c891cf7680729106d4c77b2c1cabe463b

      SHA256

      b993570b89ca3580c7078464231fe6a9823a80469b15b6c7bfdd0c8c410587ae

      SHA512

      2b1ee03fad425b652443b820411de573376a970e0cade80aed783192fb0c02a525372b460d4b47bfd503ef85091affc5ecec9d8757664eeaace4519ccdb38d94

      Download Submit
    • \Users\Admin\AppData\Local\Temp\TuxYwz569.exe
      Filesize

      80.1MB

      MD5

      6c769718760dcdfef5fa626237aa63c6

      SHA1

      554565c6685bab8e1586ff57b99f065d63315b03

      SHA256

      53a8fbcada2c37034fc11669d06dd9eb151c4dc97582e332f27a5c7ffa68b6d4

      SHA512

      7d4162d011d33a169f371dc4706029d07d344bbbb130b7d5a8cb1c42a2610063aebb12102c5f5c9829a5bb14f3e8064d6aa119c4017267a12a8d41b233887c15

      Download Submit
    • \Users\Admin\AppData\Local\Temp\TuxYwz569.exe
      Filesize

      80.1MB

      MD5

      6c769718760dcdfef5fa626237aa63c6

      SHA1

      554565c6685bab8e1586ff57b99f065d63315b03

      SHA256

      53a8fbcada2c37034fc11669d06dd9eb151c4dc97582e332f27a5c7ffa68b6d4

      SHA512

      7d4162d011d33a169f371dc4706029d07d344bbbb130b7d5a8cb1c42a2610063aebb12102c5f5c9829a5bb14f3e8064d6aa119c4017267a12a8d41b233887c15

      Download Submit
    • memory/592-64-0x0000000000400000-0x0000000001400000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/592-68-0x0000000000400000-0x0000000001400000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/592-69-0x00000000001C0000-0x00000000001E4000-memory.dmp
      Filesize

      144KB

      Download
    • memory/592-61-0x0000000000000000-mapping.dmp
      Download
    • memory/920-54-0x00000000759F1000-0x00000000759F3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/920-67-0x000000000C0F0000-0x000000000D0F0000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/920-58-0x0000000000400000-0x0000000000461000-memory.dmp
      Filesize

      388KB

      Download
    • memory/920-57-0x0000000000400000-0x0000000000461000-memory.dmp
      Filesize

      388KB

      Download
    • memory/920-55-0x0000000000400000-0x0000000000461000-memory.dmp
      Filesize

      388KB

      Download
    • memory/1008-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1076-74-0x0000000000000000-mapping.dmp
      Download
    • memory/1760-75-0x0000000000000000-mapping.dmp
      Download