Resubmissions

27-02-2023 09:32

230227-lhsmdacf9v 10

27-02-2023 09:25

230227-ldly2acf61 10

Analysis

  • max time kernel
    132s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27-02-2023 09:25

General

  • Target

    5.exe

  • Size

    4.1MB

  • MD5

    d1e3796faa8febcb5727af4cf10fa912

  • SHA1

    329a3ad3cdbb1c05ae60d5a7e232e11dc55ff4bb

  • SHA256

    b568fd0c4e510808e3c4368f2a5ad7a579675a41e4d010541d3308dcc1ab0237

  • SHA512

    1fe38416a1d868a506ac3ba317f0d306c9c8d6d8d6609b5d275944aa32faf29d30bd5a6df1fbf946bff942344e28926bc131204c29549c4d498f5089e006e499

  • SSDEEP

    98304:hGGReDAApdZ4WATvMu3ehwtwrEEcm9GR+NcKJrJ10dqcx+MItpqcws:hGIAp74dL33h7QGR+KKJrnOH6

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5.exe
    "C:\Users\Admin\AppData\Local\Temp\5.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\5.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5.txt
    Filesize

    120KB

    MD5

    3aea5b78bac5359a799c2714fecccd1a

    SHA1

    5d3203b328ecfc7a55c0ded1032d209e9f273367

    SHA256

    c05e763cab67cf9daf5be7a6a6cff2650223987a9693eaa119f69b2bbb6df6c3

    SHA512

    9513cc84a7ed3dd709d4affb03f6e286dcd43e82f33441c00a9d74d2b45449f2ee20baa8db46218d7a59d9e62fb7f95050ea305166e70f3e71dde39ccf07b6d3

  • C:\Users\Admin\AppData\Local\Temp\qxx.zip
    Filesize

    26B

    MD5

    17df3b34c7d09ae0ee694735fdeb7ecf

    SHA1

    2457cd98147c41b58c22593202d064e50bba6fd2

    SHA256

    b8c13f9c76fea2138a097498ba5d48108354baa6d00602b4d7eff6bbbf2eaf5c

    SHA512

    4c3518c4c59ca6750777efaeebae2d3c04790da3706ba78a6d60486b2945262103ce1e337aafe736932bf8d35b886816c9443450b5ade1ed06cde03bf567cd10

  • C:\Users\Public\Documents\sjsw.log
    Filesize

    158B

    MD5

    5ef7c7ed88027bcef3a264eea0ac481d

    SHA1

    108b38b6dd56f0fabc752c0555291c0d8ef3b309

    SHA256

    ff4fb80c351dd190d0131aa1869e337b22b6f21f8b30717a95561448c705d3b0

    SHA512

    65c454375126397ef012f220ea0601f33261ddb923c656c41af1292ecae5bba4bdf9df7e5d9c12eff1544ca459079bbca7dcd0d907d7fd5f1c5da9a60afdfff9

  • memory/2016-63-0x00000000046C0000-0x0000000004738000-memory.dmp
    Filesize

    480KB

  • memory/2016-85-0x0000000004070000-0x0000000004073000-memory.dmp
    Filesize

    12KB

  • memory/2016-62-0x00000000046C0000-0x0000000004738000-memory.dmp
    Filesize

    480KB

  • memory/2016-57-0x0000000000400000-0x0000000000EF3000-memory.dmp
    Filesize

    10.9MB

  • memory/2016-56-0x0000000000400000-0x0000000000EF3000-memory.dmp
    Filesize

    10.9MB

  • memory/2016-55-0x0000000000400000-0x0000000000EF3000-memory.dmp
    Filesize

    10.9MB

  • memory/2016-84-0x00000000046C0000-0x0000000004738000-memory.dmp
    Filesize

    480KB

  • memory/2016-54-0x0000000000400000-0x0000000000EF3000-memory.dmp
    Filesize

    10.9MB

  • memory/2016-86-0x0000000004E20000-0x0000000004FA0000-memory.dmp
    Filesize

    1.5MB

  • memory/2016-92-0x00000000047A0000-0x00000000047A1000-memory.dmp
    Filesize

    4KB

  • memory/2016-93-0x0000000004BD0000-0x0000000004CE0000-memory.dmp
    Filesize

    1.1MB

  • memory/2016-94-0x0000000004740000-0x0000000004787000-memory.dmp
    Filesize

    284KB

  • memory/2016-95-0x00000000046C0000-0x0000000004738000-memory.dmp
    Filesize

    480KB

  • memory/2016-96-0x0000000000400000-0x0000000000EF3000-memory.dmp
    Filesize

    10.9MB