Analysis

  • max time kernel
    158s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2022 07:21

General

  • Target

    79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe

  • Size

    131KB

  • MD5

    9ec2385aa31573102fb1a53a283270e5

  • SHA1

    038483847c3d93d90c01fa4c0bb3e920e3e8aeda

  • SHA256

    79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d

  • SHA512

    4945d5aec4878eebe058d77287f226dd9264a1cc523fa8a531b8a1fc5bcf39a06d31fc37a37fe1c0e2403f13356ffdff30d8445ffaac8435e4e7c95fb3cdfd05

  • SSDEEP

    3072:Jb5CSaLbs4RHjVb2+OwZGC6+0Mm6cK2y5y5DmeffwHMICZzGWSS+pAboutj:JsBPzjVbSwZGCk6cDy+DmqfmsSStboSj

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with the VMProtect commercial packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "likely ransomware behaviour"; on its own it is a weak indicator and does not change the Blackmoon/KrBanker classification above.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe
    "C:\Users\Admin\AppData\Local\Temp\79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
      C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\240610921.txt,M
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        PID:5064
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240610921.bat
        3⤵
        PID:4984
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe"
      2⤵
      PID:1160
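The chain above (a dropper in Temp launching a second dropped executable, rundll32 loading a module with a .txt extension from Temp via export "M", and cmd.exe deleting the original sample) is a compact set of process-creation patterns to hunt for. The following is an added example, not part of this report or of the sandbox's own signatures: it runs three rules over constructed process-creation events that reproduce the command lines shown in the tree, plus one benign rundll32 control. The event field names (Image, CommandLine, ProcessId, ParentProcessId) follow Sysmon Event ID 1 and are an assumption about the telemetry source; the rule names are invented for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events modelled on the process tree in this report.
# Field names follow Sysmon Event ID 1 (ProcessCreate); that is an assumption
# about the telemetry source, not something the report states.
SAMPLE_EVENTS = [
    {"ProcessId": 4900, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe"'},
    {"ProcessId": 1372, "ParentProcessId": 4900,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe"},
    {"ProcessId": 5064, "ParentProcessId": 1372,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\240610921.txt,M'},
    {"ProcessId": 4984, "ParentProcessId": 1372,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240610921.bat"},
    {"ProcessId": 1160, "ParentProcessId": 4900,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd /c del "C:\Users\Admin\AppData\Local\Temp\79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe"'},
    # Benign control (constructed): rundll32 loading a real DLL by name.
    {"ProcessId": 2222, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
]

# Module extensions rundll32 is normally handed; anything else (here .txt) is suspect.
EXPECTED_MODULE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
USER_TEMP_MARKER = "\\appdata\\local\\temp\\"


def split_cmdline(cmd):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_user_temp(path):
    return USER_TEMP_MARKER in path.lower()


def detect(events):
    """Return a set of (rule_name, ProcessId) findings over process-creation events."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = set()
    for e in events:
        tokens = split_cmdline(e["CommandLine"])
        image = basename(e["Image"])
        parent = by_pid.get(e["ParentProcessId"])

        # Rule 1/2: rundll32 handed a module that is not a DLL-like file, or one in %TEMP%.
        # rundll32 syntax is "<module>,<export>", so split off the export at the last comma.
        if image == "rundll32.exe" and len(tokens) >= 2:
            module = tokens[1].rsplit(",", 1)[0]
            if PureWindowsPath(module).suffix.lower() not in EXPECTED_MODULE_EXTS:
                findings.add(("rundll32_nondll_module", e["ProcessId"]))
            if in_user_temp(module):
                findings.add(("rundll32_module_in_user_temp", e["ProcessId"]))

        # Rule 3: cmd.exe deleting exactly its parent's own image (self-delete cleanup).
        if image == "cmd.exe" and parent is not None:
            low = [t.lower() for t in tokens]
            if "/c" in low and "del" in low:
                i = low.index("del")
                if i + 1 < len(low) and low[i + 1] == parent["Image"].lower():
                    findings.add(("parent_self_delete", e["ProcessId"]))

        # Rule 4: an executable in the user's Temp spawned by another executable in Temp.
        if in_user_temp(e["Image"]) and parent is not None and in_user_temp(parent["Image"]):
            findings.add(("temp_exe_spawned_by_temp_exe", e["ProcessId"]))
    return findings


if __name__ == "__main__":
    for rule, pid in sorted(detect(SAMPLE_EVENTS), key=lambda f: (f[1], f[0])):
        print(pid, rule)
```

The parent lookup is by ProcessId within the same batch, so on a real host the events must be correlated by (PID, creation time) or process GUID before PIDs are reused; the benign rundll32 control shows that the rules key on the module's extension and location, not on rundll32 itself.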

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • T1060 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (1)

Discovery

  • T1012 Query Registry (1)
  • T1082 System Information Discovery (2)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\240610921.bat
    Filesize

    132B

    MD5

    94c81f4fa825da5f7cd0ab04a1a57fe0

    SHA1

    5b47232a4a31c98c935112704c6a125a874d1a57

    SHA256

    413d25d0266693bcfc838d8abae2ff1990399728064f8fa486db7a4cbd2ea5bb

    SHA512

    a63d50b52405a8c8aeefb9db349838805ec7dd50598a5a558d923301ee00d61cc98df3fc71e716e81be38b017f0c9ee59def855e6a8a06f0d8d8c2e61c2a301c

  • C:\Users\Admin\AppData\Local\Temp\240610921.txt
    Filesize

    105KB

    MD5

    b89a7dbe0cc3b12970215a02dfb49c6c

    SHA1

    ce545bc075ae333cde63460ef3c3c3e8f4649265

    SHA256

    036fd651bdf0549a766e1a045feca8c5071674758fcd77aff1d5b851d212cb52

    SHA512

    3881a0ee753a410aa9f5f8dcb154323f903caca9d1745ab650278fe6303e81cbe5c9cdb9c62ead36357ebec54050561fd2473fdbb139000fcbb85018f95948c2

  • C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
    Filesize

    80.1MB

    MD5

    5fdbaa2d49424a48ddd895eff5e03ad6

    SHA1

    e053f3ff549bc7e33d2c2d58d586560c0d95bc53

    SHA256

    9c6f8626462b26e6d0c7adbd0f54bd885134f7f8401ef09db2e9241094466efe

    SHA512

    0ab72c453cde9b995e7a8511d9c73d4ffb13083ba87146e7d68569dcd9636db9fe9e9ad7e154626a0dc955b469b8f4f9ab81bc8128004225a13f29460ff93b9d

  • memory/1160-144-0x0000000000000000-mapping.dmp
  • memory/1372-138-0x0000000000400000-0x0000000001400000-memory.dmp
    Filesize

    16.0MB

  • memory/1372-139-0x000000000C2A0000-0x000000000C2D9000-memory.dmp
    Filesize

    228KB

  • memory/1372-137-0x0000000000400000-0x0000000001400000-memory.dmp
    Filesize

    16.0MB

  • memory/1372-136-0x0000000000400000-0x0000000001400000-memory.dmp
    Filesize

    16.0MB

  • memory/1372-133-0x0000000000000000-mapping.dmp
  • memory/4900-132-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

  • memory/4900-145-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

  • memory/4984-141-0x0000000000000000-mapping.dmp
  • memory/5064-140-0x0000000000000000-mapping.dmp
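The hashes in the Downloads section are the reusable indicators from this run. As an added example (not code from the report or the sandbox), the script below sweeps a directory tree and reports any file whose SHA256 matches one of the four SHA256 values listed above. Because none of the real dropped files is available offline, the demo function plants a constructed file and adds that file's own hash to the IOC set; the planted content, the directory layout and the label strings are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the Downloads section of this report, keyed by digest.
REPORT_SHA256 = {
    "79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d": "initial sample (.exe)",
    "9c6f8626462b26e6d0c7adbd0f54bd885134f7f8401ef09db2e9241094466efe": "VnrYne173.exe",
    "036fd651bdf0549a766e1a045feca8c5071674758fcd77aff1d5b851d212cb52": "240610921.txt (DLL loaded by rundll32)",
    "413d25d0266693bcfc838d8abae2ff1990399728064f8fa486db7a4cbd2ea5bb": "240610921.bat",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so an 80 MB dropper does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs):
    """Return {path: label} for every regular file under root whose SHA256 is in iocs.

    Matching is on content only; file names are ignored, since the dropped .txt here
    is really a DLL and names are trivially changed between runs.
    """
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha256_file(p)
            if digest in iocs:
                hits[str(p)] = iocs[digest]
    return hits


def demo():
    """Constructed demo: plant a file, add its hash to the IOC set, sweep the tree."""
    planted = b"constructed sample content, not a real dropped file\n"
    iocs = dict(REPORT_SHA256)
    iocs[hashlib.sha256(planted).hexdigest()] = "constructed-sample"
    with tempfile.TemporaryDirectory() as d:
        temp_dir = Path(d) / "Temp"
        temp_dir.mkdir()
        # Same name as the dropped DLL but different bytes: matched only via the planted hash.
        (temp_dir / "240610921.txt").write_bytes(planted)
        (temp_dir / "benign.txt").write_bytes(b"nothing to see")
        hits = sweep(d, iocs)
        return {Path(k).name: v for k, v in hits.items()}


if __name__ == "__main__":
    print(demo())
```

Point the same sweep at a user's AppData\Local\Temp on a live host, adding the report's MD5 and SHA1 values alongside the SHA256 set if the feed you compare against only carries those; the VMProtect-packed samples in this run will not survive a recompile, so content hashes are useful for scoping this exact campaign rather than the family.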