Overview

overview

10

Static

static

a7afadcf47...89.exe

windows7-x64

10

a7afadcf47...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    206s
  • max time network
    211s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 07:17

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a7afadcf473eb1ec7dea3dcdb34a0c975ae0f5cf3ce4cd7e252ed7629d721289.exe

  • Size

    1.7MB

  • MD5

    03f2cc5579453efedb3a98f9b7387d42

  • SHA1

    85a1565b26f15e36f6799e9907cf820700e7dff7

  • SHA256

    a7afadcf473eb1ec7dea3dcdb34a0c975ae0f5cf3ce4cd7e252ed7629d721289

  • SHA512

    30f0e51b3f03eb429904bf15b2e8a15b7781715fff388cb64312cc1bdf13973a1e1304cb470de8cac10d2da6de8ba6acd43ac3c6aa3b4adcbab40864f5d6ba03

  • SSDEEP

    49152:OG7UzKxGCJ/rD7GcHgA2EJUuTHIyPdbqvAoztFbG5d:OGmKxGSD7GcHgNEVTo2dbqvrzSd

Score
10/10
blackmoonbankertrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 5 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7afadcf473eb1ec7dea3dcdb34a0c975ae0f5cf3ce4cd7e252ed7629d721289.exe
    "C:\Users\Admin\AppData\Local\Temp\a7afadcf473eb1ec7dea3dcdb34a0c975ae0f5cf3ce4cd7e252ed7629d721289.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Local\Temp\.a7afadcf473eb1ec7dea3dcdb34a0c975ae0f5cf3ce4cd7e252ed7629d721289.exe
      C:\Users\Admin\AppData\Local\Temp\.a7afadcf473eb1ec7dea3dcdb34a0c975ae0f5cf3ce4cd7e252ed7629d721289.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Users\Admin\AppData\Local\Temp\data.dll
        data.dll
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe
          4⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Windows\SysWOW64\NOTEPAD.exe
            NOTEPAD C:\Windows\SysWOW64\ʹÓý̳ÌÓë¸üÐÂ˵Ã÷.txt
            5⤵
            • Drops file in System32 directory
            PID:1296
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe "http://www.shuangy.com/waigua.html"
        3⤵
          PID:2040
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe "http://www.shuangy.com"
        2⤵
          PID:1000
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:328
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://www.shuangy.com/
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1340
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1340 CREDAT:275457 /prefetch:2
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1204
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1340 CREDAT:275461 /prefetch:2
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1928
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
          PID:1620

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                Filesize

                61KB

                MD5

                fc4666cbca561e864e7fdf883a9e6661

                SHA1

                2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

                SHA256

                10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

                SHA512

                c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                Filesize

                304B

                MD5

                3bf854fd3a094099087be1428c5e8d90

                SHA1

                2a74df36eef1f4f8da8bdebafaf12f21c5a5d153

                SHA256

                7f871a80327d16b15a0771a94fc4648e955d83b2c55cfc6acfcccc25b7833a7b

                SHA512

                91e8c3380b02bc8aa334ee63e50a43e6ab53f4e5a7b4a1ed41a026a028df62ad43b4c61e590a690e7d27981ef4499bda0f06b59e66a29b83170ab24d9f7525b6

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat
                Filesize

                4KB

                MD5

                169693188b285a2e4c4d7278e73ea91f

                SHA1

                e40a67fe786f2e726e0755df03051d019ddfeac1

                SHA256

                6a498a181af2765be785d484e3299b49a850ae54c0774c9cba2f4754d0c65de6

                SHA512

                58ee2ea51cae12b5484c575989f2a5decf9a134168e7a5b97083fdf42367313b860f9f1c41e18ebfa1661fc9b5152438af1e6dd657092fc3fc0ba350eb41c3f8

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LZLYL77D\favicon[2].ico
                Filesize

                4KB

                MD5

                2078a69bf68e43b1a9b3ea4caa01cdeb

                SHA1

                705231be423060e06cf18dc76ea61c629898cbb0

                SHA256

                e471a9f02d1bb949155890f497d7b6188766b88154bf5aecc713d0ce4513723a

                SHA512

                4e2032974a289732be0d2d059cde6f60635e06a3748e9f478cc14b88013a7f45d7a764d32ee68f2d237f1300aff24df6167592a818b3273d7339e6f5430736e7

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\.a7afadcf473eb1ec7dea3dcdb34a0c975ae0f5cf3ce4cd7e252ed7629d721289.exe
                Filesize

                1.7MB

                MD5

                ad82dba72c0767b7a1dc1cb98d9c586a

                SHA1

                17cc3bdff44de676549739cce95e790c38a84442

                SHA256

                0fe58b71d53d0ce64dab2895556e349fe52c6c7da19162b075994ca7c95b82df

                SHA512

                6e937a8c7a3425d394a15792d9db484e94a6b261b70dafce3063d793f72b6724cd201e03a2122d5966e31325dffa1166ce2a5d31a941c3322e7761ee43909988

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\data.dll
                Filesize

                1.6MB

                MD5

                f9c24a384df9341adcf6f607796af1fa

                SHA1

                d812521b224c41a5a215969d5ec1e867a9acf243

                SHA256

                0f90c2e77c506a0e03e4c7b673669eaf78ff3e17d0b60d90611684cc2d5fb0bb

                SHA512

                c8f9d15a3b5f8690ee5c60e7e63dadf7fc6675e698573c6f2aa37705655b4b7e82fc7007be277ed6eab96d0428c2e11b510dd428e4efbfa2ebe8fc01d4983e8a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\data.dll
                Filesize

                1.6MB

                MD5

                f9c24a384df9341adcf6f607796af1fa

                SHA1

                d812521b224c41a5a215969d5ec1e867a9acf243

                SHA256

                0f90c2e77c506a0e03e4c7b673669eaf78ff3e17d0b60d90611684cc2d5fb0bb

                SHA512

                c8f9d15a3b5f8690ee5c60e7e63dadf7fc6675e698573c6f2aa37705655b4b7e82fc7007be277ed6eab96d0428c2e11b510dd428e4efbfa2ebe8fc01d4983e8a

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6WH7HYS8.txt
                Filesize

                130B

                MD5

                608b353c76a8ab5292b5b9ba0acf1cd6

                SHA1

                5c88c53275ee9533daeeb388276f02e2ce613671

                SHA256

                093b4dde07ba3d3cd057d4c5d6b9784be8be2cd69baef1400288cb89eac80d45

                SHA512

                ab5b99bf76aa2c2c2e309a34b6463c6faa0c60600fe93fd649b3e0c0bee4ae62af67c24b3916d8fea7ada1a854fac63d3d8361c4ab0e1633007774f5272b2308

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KJ604YLU.txt
                Filesize

                101B

                MD5

                c48729f8b2f4ed7bb00123c81a26faba

                SHA1

                f30772b547cc07e30fd6072edc4b5ace920d9263

                SHA256

                d048ae4fd37d43c9c627241babd4c8efca779bab2235718bc9d4dda18578a6c4

                SHA512

                066c5505691f2fd31ff2d0997d99ce884c6fc6307a18c47b28c13058fde3ae4eba1424c6761b27ec58977dc46901077e3b8776e3976db7d0843ac58edc9435b1

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YA1XLDJF.txt
                Filesize

                608B

                MD5

                8b772ffda862f5d7ceee45cb820e560b

                SHA1

                18b9462e1369a15716c486783bf1ece0cc98290b

                SHA256

                d8b59451d49d2c945d964583bc80842ee01ce78a987a750fa32ff5bfe0f271ea

                SHA512

                8fed0d031d2d24a5b4f160e33966a64e61d70145508ab26212cf20ee1de3e86090d4ed5b934528b95f3931c41bebc9a442f16330e6cd78efdfb479cf4de8a48f

                Download Submit

              • \Users\Admin\AppData\Local\Temp\.a7afadcf473eb1ec7dea3dcdb34a0c975ae0f5cf3ce4cd7e252ed7629d721289.exe
                Filesize

                1.7MB

                MD5

                ad82dba72c0767b7a1dc1cb98d9c586a

                SHA1

                17cc3bdff44de676549739cce95e790c38a84442

                SHA256

                0fe58b71d53d0ce64dab2895556e349fe52c6c7da19162b075994ca7c95b82df

                SHA512

                6e937a8c7a3425d394a15792d9db484e94a6b261b70dafce3063d793f72b6724cd201e03a2122d5966e31325dffa1166ce2a5d31a941c3322e7761ee43909988

                Download Submit

              • \Users\Admin\AppData\Local\Temp\.a7afadcf473eb1ec7dea3dcdb34a0c975ae0f5cf3ce4cd7e252ed7629d721289.exe
                Filesize

                1.7MB

                MD5

                ad82dba72c0767b7a1dc1cb98d9c586a

                SHA1

                17cc3bdff44de676549739cce95e790c38a84442

                SHA256

                0fe58b71d53d0ce64dab2895556e349fe52c6c7da19162b075994ca7c95b82df

                SHA512

                6e937a8c7a3425d394a15792d9db484e94a6b261b70dafce3063d793f72b6724cd201e03a2122d5966e31325dffa1166ce2a5d31a941c3322e7761ee43909988

                Download Submit

              • \Users\Admin\AppData\Local\Temp\data.dll
                Filesize

                1.6MB

                MD5

                f9c24a384df9341adcf6f607796af1fa

                SHA1

                d812521b224c41a5a215969d5ec1e867a9acf243

                SHA256

                0f90c2e77c506a0e03e4c7b673669eaf78ff3e17d0b60d90611684cc2d5fb0bb

                SHA512

                c8f9d15a3b5f8690ee5c60e7e63dadf7fc6675e698573c6f2aa37705655b4b7e82fc7007be277ed6eab96d0428c2e11b510dd428e4efbfa2ebe8fc01d4983e8a

                Download Submit

              • \Users\Admin\AppData\Local\Temp\data.dll
                Filesize

                1.6MB

                MD5

                f9c24a384df9341adcf6f607796af1fa

                SHA1

                d812521b224c41a5a215969d5ec1e867a9acf243

                SHA256

                0f90c2e77c506a0e03e4c7b673669eaf78ff3e17d0b60d90611684cc2d5fb0bb

                SHA512

                c8f9d15a3b5f8690ee5c60e7e63dadf7fc6675e698573c6f2aa37705655b4b7e82fc7007be277ed6eab96d0428c2e11b510dd428e4efbfa2ebe8fc01d4983e8a

                Download Submit

              • memory/328-71-0x000007FEFB5F1000-0x000007FEFB5F3000-memory.dmp

                Filesize

                8KB

                Download

              • memory/904-72-0x0000000000400000-0x0000000000785000-memory.dmp

                Filesize

                3.5MB

                Download

              • memory/904-70-0x0000000000400000-0x0000000000785000-memory.dmp

                Filesize

                3.5MB

                Download

              • memory/904-84-0x0000000000400000-0x0000000000785000-memory.dmp

                Filesize

                3.5MB

                Download

              • memory/1000-68-0x00000000731F1000-0x00000000731F3000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1828-80-0x0000000000400000-0x0000000000785000-memory.dmp

                Filesize

                3.5MB

                Download

              • memory/1828-74-0x0000000000400000-0x0000000000785000-memory.dmp

                Filesize

                3.5MB

                Download

              • memory/1828-89-0x00000000005DF000-0x000000000077E000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/1828-90-0x0000000000401000-0x00000000005DF000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/1828-87-0x0000000000400000-0x0000000000785000-memory.dmp

                Filesize

                3.5MB

                Download

              • memory/1828-86-0x0000000000400000-0x0000000000785000-memory.dmp

                Filesize

                3.5MB

                Download

              • memory/1828-98-0x00000000005DF000-0x000000000077E000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/1828-88-0x0000000000400000-0x0000000000785000-memory.dmp

                Filesize

                3.5MB

                Download

              • memory/1828-77-0x0000000000400000-0x0000000000785000-memory.dmp

                Filesize

                3.5MB

                Download

              • memory/1964-69-0x0000000002E70000-0x00000000031F5000-memory.dmp

                Filesize

                3.5MB

                Download

              • memory/2008-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

                Filesize

                8KB

                Download

              • memory/2040-93-0x0000000071301000-0x0000000071303000-memory.dmp

                Filesize

                8KB

                Download