Analysis

  • max time kernel
    189s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2022 06:21

General

  • Target

    86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe

  • Size

    131KB

  • MD5

    d3723895ae8ed74410ef996de6c82c7f

  • SHA1

    3c4aba83a38fa42d11896b1d10570d9b17cf693c

  • SHA256

    86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2

  • SHA512

    8f5e645e1ba6a23887479693f659ed64235f67406d7cd9c02bdd78830cf551036b0fea47db6b0a658483d0a8f27fc29ec59e99b943eac333f5b1553ce633938b

  • SSDEEP

    3072:2b5CSaLbs4RHjVb2+OwZGC6+0Mm6cK2y5y5DmeffwHMICZzGWSS+pAboutj:2sBPzjVbSwZGCk6cDy+DmqfmsSStboSj

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe
    "C:\Users\Admin\AppData\Local\Temp\86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
      C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\240643671.txt,M
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240643671.bat
        3⤵
        PID:4164
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\86c9a8d2660fa8e958fead2a2ebcf1904696175d105a628e8ec91dfdc5063fa2.exe"
        2⤵
        PID:3552

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 technique
  • Defense Evasion: Modify Registry (T1112), 1 technique
  • Discovery: Query Registry (T1012), 1 technique; System Information Discovery (T1082), 2 techniques

Downloads

      • C:\Users\Admin\AppData\Local\Temp\240643671.bat
        Filesize

        132B

        MD5

        94c81f4fa825da5f7cd0ab04a1a57fe0

        SHA1

        5b47232a4a31c98c935112704c6a125a874d1a57

        SHA256

        413d25d0266693bcfc838d8abae2ff1990399728064f8fa486db7a4cbd2ea5bb

        SHA512

        a63d50b52405a8c8aeefb9db349838805ec7dd50598a5a558d923301ee00d61cc98df3fc71e716e81be38b017f0c9ee59def855e6a8a06f0d8d8c2e61c2a301c

      • C:\Users\Admin\AppData\Local\Temp\240643671.txt
        Filesize

        105KB

        MD5

        b89a7dbe0cc3b12970215a02dfb49c6c

        SHA1

        ce545bc075ae333cde63460ef3c3c3e8f4649265

        SHA256

        036fd651bdf0549a766e1a045feca8c5071674758fcd77aff1d5b851d212cb52

        SHA512

        3881a0ee753a410aa9f5f8dcb154323f903caca9d1745ab650278fe6303e81cbe5c9cdb9c62ead36357ebec54050561fd2473fdbb139000fcbb85018f95948c2

      • C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
        Filesize

        80.1MB

        MD5

        5fdbaa2d49424a48ddd895eff5e03ad6

        SHA1

        e053f3ff549bc7e33d2c2d58d586560c0d95bc53

        SHA256

        9c6f8626462b26e6d0c7adbd0f54bd885134f7f8401ef09db2e9241094466efe

        SHA512

        0ab72c453cde9b995e7a8511d9c73d4ffb13083ba87146e7d68569dcd9636db9fe9e9ad7e154626a0dc955b469b8f4f9ab81bc8128004225a13f29460ff93b9d

      • memory/2024-132-0x0000000000400000-0x000000000043F000-memory.dmp
        Filesize

        252KB

      • memory/2108-138-0x0000000000400000-0x0000000001400000-memory.dmp
        Filesize

        16.0MB

      • memory/2108-139-0x000000000C270000-0x000000000C2A9000-memory.dmp
        Filesize

        228KB

      • memory/2108-137-0x0000000000400000-0x0000000001400000-memory.dmp
        Filesize

        16.0MB

      • memory/2108-136-0x0000000000400000-0x0000000001400000-memory.dmp
        Filesize

        16.0MB

      • memory/2108-133-0x0000000000000000-mapping.dmp
      • memory/2108-145-0x0000000000400000-0x0000000001400000-memory.dmp
        Filesize

        16.0MB

      • memory/2736-140-0x0000000000000000-mapping.dmp
      • memory/3552-146-0x0000000000000000-mapping.dmp
      • memory/4164-141-0x0000000000000000-mapping.dmp