Resubmissions

27-02-2023 09:32

230227-lhsmdacf9v 10

27-02-2023 09:25

230227-ldly2acf61 10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-02-2023 09:25

General

  • Target

    5.exe

  • Size

    4.1MB

  • MD5

    d1e3796faa8febcb5727af4cf10fa912

  • SHA1

    329a3ad3cdbb1c05ae60d5a7e232e11dc55ff4bb

  • SHA256

    b568fd0c4e510808e3c4368f2a5ad7a579675a41e4d010541d3308dcc1ab0237

  • SHA512

    1fe38416a1d868a506ac3ba317f0d306c9c8d6d8d6609b5d275944aa32faf29d30bd5a6df1fbf946bff942344e28926bc131204c29549c4d498f5089e006e499

  • SSDEEP

    98304:hGGReDAApdZ4WATvMu3ehwtwrEEcm9GR+NcKJrJ10dqcx+MItpqcws:hGIAp74dL33h7QGR+KKJrnOH6

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5.exe
    "C:\Users\Admin\AppData\Local\Temp\5.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\5.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:4172

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5.txt
    Filesize

    120KB

    MD5

    3aea5b78bac5359a799c2714fecccd1a

    SHA1

    5d3203b328ecfc7a55c0ded1032d209e9f273367

    SHA256

    c05e763cab67cf9daf5be7a6a6cff2650223987a9693eaa119f69b2bbb6df6c3

    SHA512

    9513cc84a7ed3dd709d4affb03f6e286dcd43e82f33441c00a9d74d2b45449f2ee20baa8db46218d7a59d9e62fb7f95050ea305166e70f3e71dde39ccf07b6d3

  • C:\Users\Admin\AppData\Local\Temp\qxx.zip
    Filesize

    26B

    MD5

    17df3b34c7d09ae0ee694735fdeb7ecf

    SHA1

    2457cd98147c41b58c22593202d064e50bba6fd2

    SHA256

    b8c13f9c76fea2138a097498ba5d48108354baa6d00602b4d7eff6bbbf2eaf5c

    SHA512

    4c3518c4c59ca6750777efaeebae2d3c04790da3706ba78a6d60486b2945262103ce1e337aafe736932bf8d35b886816c9443450b5ade1ed06cde03bf567cd10

  • C:\Users\Public\Documents\sjsw.log
    Filesize

    151B

    MD5

    b0bf3cd227bdcee4c5653c4e9ff011fb

    SHA1

    f83449655fda9630ed5647596d8118c5e8c048ea

    SHA256

    a720968a2bb0ae18e8d72404aa77ab757e7f195904853cbb6767bded705abe39

    SHA512

    a376919699da8c4acb3a29fece8ed1919b3e75f7fb9ea87e326597c7e3b3dd3d81d0f12f4389d6e88cdf5c6fe19291defe29f2bd1f16d6093af7444ead1e9e83

  • memory/4540-143-0x0000000003B10000-0x0000000003B88000-memory.dmp
    Filesize

    480KB

  • memory/4540-134-0x0000000000400000-0x0000000000EF3000-memory.dmp
    Filesize

    10.9MB

  • memory/4540-144-0x0000000003B90000-0x0000000003B93000-memory.dmp
    Filesize

    12KB

  • memory/4540-142-0x0000000003B10000-0x0000000003B88000-memory.dmp
    Filesize

    480KB

  • memory/4540-136-0x0000000000400000-0x0000000000EF3000-memory.dmp
    Filesize

    10.9MB

  • memory/4540-135-0x0000000000400000-0x0000000000EF3000-memory.dmp
    Filesize

    10.9MB

  • memory/4540-133-0x0000000000400000-0x0000000000EF3000-memory.dmp
    Filesize

    10.9MB

  • memory/4540-166-0x0000000004110000-0x00000000042B3000-memory.dmp
    Filesize

    1.6MB

  • memory/4540-173-0x0000000003D70000-0x0000000003E60000-memory.dmp
    Filesize

    960KB

  • memory/4540-172-0x0000000004090000-0x0000000004091000-memory.dmp
    Filesize

    4KB

  • memory/4540-174-0x00000000043A0000-0x00000000045B5000-memory.dmp
    Filesize

    2.1MB

  • memory/4540-175-0x0000000003B10000-0x0000000003B88000-memory.dmp
    Filesize

    480KB

  • memory/4540-176-0x0000000000400000-0x0000000000EF3000-memory.dmp
    Filesize

    10.9MB