Overview

overview

10

Static

static

aa0f430e5c...d7.exe

windows7-x64

10

aa0f430e5c...d7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 20:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

  • Size

    2.0MB

  • MD5

    cc888e112e6212bc0a77c5628ceb2e23

  • SHA1

    7c16d0c6349af720642109c67435236a3239d273

  • SHA256

    aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7

  • SHA512

    3b6c1121eac1d9609e2e20f923d6b80020701402a70abd3eaa7c2dc8035b047ff011c057ff101e59e4f8dcffbdd4f486f9224fb5c2336163cb9771a0612b0557

  • SSDEEP

    49152:P96pwkZmHLcZEQ8L09njnxvcjxFSKmQV00ObPT+Db0KZCgHk9:5okLcZEoZg3SV3+D4jn

Score
10/10
blackmoonbankerevasiontrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
    "C:\Users\Admin\AppData\Local\Temp\aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Users\Admin\Desktop\good\good.exe
      "C:\Users\Admin\Desktop\good\good.exe" i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1972
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://pan.lanzou.com/p/282851105
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9393a5ebfc289b784ee4ffbed173b459

    SHA1

    3f28987d6c4a963b8c457d86a1a1d95b23771c5e

    SHA256

    c7d6e58fd7a402320f3ebf4126af0de5f133fac4d6e292e927c775095913ae38

    SHA512

    f739793ef807e837426fa6e6af77b2608e4a8c51b7bef3f68d98c5b871b94dfe13589b3cf60f556df003bf23e89c1cda33b2db8d24bf8dfa44f8e123e39bcb76

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat
    Filesize

    1KB

    MD5

    91c3cdaf9847ce5cda26ed997c9bfb1e

    SHA1

    4573ba61f61928e448bddd75573b9c34d7a0bca4

    SHA256

    0c3aa4a31c626c789d2dcf1af09d00831818a40c4026875f45697c4b2e7b7a63

    SHA512

    9daef1c01d3695acc418b7796bc280090b34eef3af0e6933a61aebf83e5804ba8d4c77ebd5b4283679f881c9c7dc5bae8e2f6a9e87c6940d0a1380bd4798250d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WW9KZ7J8.txt
    Filesize

    601B

    MD5

    544b639da2506957941c0c2446197f90

    SHA1

    8fe0daf188995474bcbfe48efcc1ab5966f73ad8

    SHA256

    ebf22cabc6b7935cf77c70e21628c0fb3d872eddb7c2c5c4107e2a9bc5c54a9e

    SHA512

    d9d39af60cfbc92f67809fbbe353576c0b3bd1126461a5ebe0363d9d1760c0ecdff0df17fb52b4f7824fddc17b0c4ecd1a119fb41dafdc784c6df1284643de97

    Download Submit
  • C:\Users\Admin\Desktop\good\cfg.ini
    Filesize

    105B

    MD5

    2660d292cd135fbef3a113a41c6063e9

    SHA1

    177b90dc51e08238331adafb04cc534f807fee7f

    SHA256

    eb0bb128f5c245dbc9429c3b40fdb4721db3b820fa4c1454eb82f8af1260f3e6

    SHA512

    6bd11f302795d8ca8c7268efb6cb1b9ce6a14dfb062918c0a9f686550c4d256cc6ccfe814533d8b57bf54e38d8358a3922c7984b6a1243b65e8d204b74314706

    Download Submit
  • C:\Users\Admin\Desktop\good\good.exe
    Filesize

    107KB

    MD5

    446d420e57d1818aa690364f59a487c0

    SHA1

    627bb0a8f70bef07494a9e0c078b1659d23da8de

    SHA256

    ed303b005e5a2e39a4c58a17dec360eced3794d6b6aeaf963cb5ab77bc64490d

    SHA512

    9d447f71b4b788c51bcd2ee28ae2fc134972b89b983c2e4e69e392895f841d2b69f81b4e383d309e23b9b85c25162a0274f4cab8837d94c20b3c9435f8362ba3

    Download Submit
  • C:\Users\Admin\Desktop\good\good.exe
    Filesize

    107KB

    MD5

    446d420e57d1818aa690364f59a487c0

    SHA1

    627bb0a8f70bef07494a9e0c078b1659d23da8de

    SHA256

    ed303b005e5a2e39a4c58a17dec360eced3794d6b6aeaf963cb5ab77bc64490d

    SHA512

    9d447f71b4b788c51bcd2ee28ae2fc134972b89b983c2e4e69e392895f841d2b69f81b4e383d309e23b9b85c25162a0274f4cab8837d94c20b3c9435f8362ba3

    Download Submit
  • \Users\Admin\Desktop\good\good.exe
    Filesize

    107KB

    MD5

    446d420e57d1818aa690364f59a487c0

    SHA1

    627bb0a8f70bef07494a9e0c078b1659d23da8de

    SHA256

    ed303b005e5a2e39a4c58a17dec360eced3794d6b6aeaf963cb5ab77bc64490d

    SHA512

    9d447f71b4b788c51bcd2ee28ae2fc134972b89b983c2e4e69e392895f841d2b69f81b4e383d309e23b9b85c25162a0274f4cab8837d94c20b3c9435f8362ba3

    Download Submit
  • \Users\Admin\Desktop\good\good.exe
    Filesize

    107KB

    MD5

    446d420e57d1818aa690364f59a487c0

    SHA1

    627bb0a8f70bef07494a9e0c078b1659d23da8de

    SHA256

    ed303b005e5a2e39a4c58a17dec360eced3794d6b6aeaf963cb5ab77bc64490d

    SHA512

    9d447f71b4b788c51bcd2ee28ae2fc134972b89b983c2e4e69e392895f841d2b69f81b4e383d309e23b9b85c25162a0274f4cab8837d94c20b3c9435f8362ba3

    Download Submit
  • \Users\Admin\Desktop\good\good.exe
    Filesize

    107KB

    MD5

    446d420e57d1818aa690364f59a487c0

    SHA1

    627bb0a8f70bef07494a9e0c078b1659d23da8de

    SHA256

    ed303b005e5a2e39a4c58a17dec360eced3794d6b6aeaf963cb5ab77bc64490d

    SHA512

    9d447f71b4b788c51bcd2ee28ae2fc134972b89b983c2e4e69e392895f841d2b69f81b4e383d309e23b9b85c25162a0274f4cab8837d94c20b3c9435f8362ba3

    Download Submit
  • memory/1416-69-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-95-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-73-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-71-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-79-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-77-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-75-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-81-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-83-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-87-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-85-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-91-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-89-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-93-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-97-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-54-0x0000000075F01000-0x0000000075F03000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1416-99-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-100-0x0000000000400000-0x000000000092D000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1416-65-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-67-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-55-0x0000000000400000-0x000000000092D000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1416-63-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-59-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-61-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-58-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-109-0x0000000000400000-0x000000000092D000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1416-110-0x00000000777A0000-0x0000000077920000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1416-111-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-57-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1416-56-0x00000000777A0000-0x0000000077920000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1972-103-0x0000000000000000-mapping.dmp
    Download