Overview

overview

10

Static

static

93c4ed64dc...7f.exe

windows7-x64

10

93c4ed64dc...7f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 05:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f.exe

  • Size

    129KB

  • MD5

    32ceef1cc2a15e91db6645b0e1c94b54

  • SHA1

    cf76717ac222d121d8ff7843627b1e31a21b8240

  • SHA256

    93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f

  • SHA512

    9385e85035d75519158123b8463c8f33599eef64bda32b526a5cd7ecd7b50a5bfaa1ccaba416ae1db08af344de64a98cc041a5dba9f724359c6336c23e3cfe2f

  • SSDEEP

    3072:Z+WNkNXcl6hRICWl3BmFGTd2ko7o1jzzX5mTout:Z+WNOnh6CWl3VMbS3T8ToS

Score
10/10
blackmoonbankerpersistencetrojanvmprotect

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f.exe
    "C:\Users\Admin\AppData\Local\Temp\93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Users\Admin\AppData\Local\Temp\DETCAXZ.exe
      C:\Users\Admin\AppData\Local\Temp\DETCAXZ.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\system32\HIMYM.DLL,DW
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        PID:1124
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\DETCAXZ.exe"
        3⤵
          PID:1044
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\93c4ed64dc4c94a5ee75d3b71bcd05779e6144ad3e16801d0c7dd6edcf33727f.exe"
        2⤵
          PID:888

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\DETCAXZ.exe
        Filesize

        80.1MB

        MD5

        16bf5055b4b0e5db136da3e6940b3a48

        SHA1

        b372531b266cc93fe38c596ccda872e2add67f93

        SHA256

        1ec8e6565c13745d2073bcacdea5d53082b053bca8a47abf965e5922bdfdce17

        SHA512

        e30ad97a83ca2dbc6ebdf36fb7694f3bca87db186a1eae7bd9069a85447d38fa9cae493e51bf80f558f2b3102f23d83ebf6ea87a6a230fce939d59b70c2266da

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\DETCAXZ.exe
        Filesize

        80.1MB

        MD5

        16bf5055b4b0e5db136da3e6940b3a48

        SHA1

        b372531b266cc93fe38c596ccda872e2add67f93

        SHA256

        1ec8e6565c13745d2073bcacdea5d53082b053bca8a47abf965e5922bdfdce17

        SHA512

        e30ad97a83ca2dbc6ebdf36fb7694f3bca87db186a1eae7bd9069a85447d38fa9cae493e51bf80f558f2b3102f23d83ebf6ea87a6a230fce939d59b70c2266da

        Download Submit
      • C:\Windows\SysWOW64\HIMYM.DLL
        Filesize

        100KB

        MD5

        c9b14c8e3af048a7ef6546f2981dc16f

        SHA1

        f146e301b8ef68159cc3d45f529f9c68e4941b4e

        SHA256

        fc3850ce2af7a4d437f4030009d440a3f2f394c7ee2f8c5a7e12a1a7b0d79a48

        SHA512

        9de8f0ff94a9b7ee204b4b8cae01c11518e52d18dc2f2d6ce94232f4d052bd28c59143675c189ef25c7bcbb622232bbec72a3286250c08dce927c710f9beaa45

        Download Submit
      • C:\Windows\SysWOW64\HIMYM.DLL
        Filesize

        100KB

        MD5

        c9b14c8e3af048a7ef6546f2981dc16f

        SHA1

        f146e301b8ef68159cc3d45f529f9c68e4941b4e

        SHA256

        fc3850ce2af7a4d437f4030009d440a3f2f394c7ee2f8c5a7e12a1a7b0d79a48

        SHA512

        9de8f0ff94a9b7ee204b4b8cae01c11518e52d18dc2f2d6ce94232f4d052bd28c59143675c189ef25c7bcbb622232bbec72a3286250c08dce927c710f9beaa45

        Download Submit
      • memory/396-141-0x000000000C270000-0x000000000C2A6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/396-137-0x0000000000400000-0x0000000001400000-memory.dmp
        Filesize

        16.0MB

        Download
      • memory/396-136-0x0000000000400000-0x0000000001400000-memory.dmp
        Filesize

        16.0MB

        Download
      • memory/396-133-0x0000000000000000-mapping.dmp
        Download
      • memory/396-143-0x0000000000400000-0x0000000001400000-memory.dmp
        Filesize

        16.0MB

        Download
      • memory/888-144-0x0000000000000000-mapping.dmp
        Download
      • memory/1044-142-0x0000000000000000-mapping.dmp
        Download
      • memory/1124-138-0x0000000000000000-mapping.dmp
        Download
      • memory/4808-132-0x0000000000400000-0x000000000043E000-memory.dmp
        Filesize

        248KB

        Download