Analysis
-
max time kernel
114s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
-
submitted
01-07-2023 07:52
General
-
Target
ed04378d4fe8fd0814a4435d8.exe
-
Size
1.8MB
-
MD5
4b24bb7eb024e319888f9e7e00fe4243
-
SHA1
c3607f61d72e6ec43cf7bf4f41d166eecaa27f58
-
SHA256
ed04378d4fe8fd0814a4435d86b7097706413094c476b29f2539b08ae9592bc2
-
SHA512
48c27f416e07307ee046ccab04fe868b0cf25fe178b002bcc1075adbc47d3fb7ae92b0e8709cdbd159f54755bd7c492e343d8da149d2a9a227836a8d315a0fc3
-
SSDEEP
49152:iRTQWltDVTODlosbWp6FjTxEeliYZ8+Y7JKQa:itzlnY/bW0FjTOKZJaJI
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed04378d4fe8fd0814a4435d8.exe"C:\Users\Admin\AppData\Local\Temp\ed04378d4fe8fd0814a4435d8.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f3⤵
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\xiaodaxzqxia\A.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\xiaodaxzqxia\n.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f4⤵
-
-
-
-
C:\Users\Public\xiaodaxzqxia\v.exe"C:\Users\Public\xiaodaxzqxia\v.exe" x 111 -y2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\v.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /k C:\Windows\System32\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- Modifies registry key
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Public\xiaodaxzqxia\jecxz.exe"C:\Users\Public\xiaodaxzqxia\jecxz.exe"1⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\hh.exe"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\2919001220530604\A11.chm1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\hh.exe"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\2919001220530604\A11.chm1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD557490d63002c5b24cdb22a044d7c18aa
SHA13fd2deed98ceda244a0c8428cebc269baae5597c
SHA25657c2e2d376a64ec7b9d6be1edb1432c99fa579e2d8bf34e33ebe8c1596de84dd
SHA512d3986a26e0b313f5854645a1ff21792c336aa2dc4d84a48781505e98035f6137a3f63f459728e7d9320f96ac997f39d1adbe36dc25047be5414c7e302606998d
-
Filesize
9KB
MD52342b3ba19855ddd8c3e311b2842bdbb
SHA1ecec63f62d445bdcc369af3f29df566611c7d4a5
SHA256257c340891c8007dbb720853244785b8d7433fb70ca0038528b9fde035d0bfe6
SHA512f5230c860656004d8f860f5b2941b15519cebf7ce6494eefcea6307be4057f5cd6178cbdfca9a022d28fd11cc0d81ed1f2a719ff9a614e28a0eb12f048302cb9
-
Filesize
291KB
MD566bbcc42fe6cf9c1b890ec4a9049a9d7
SHA1dd6bf3e2ca01625a1c2d1cd59ec523b55978d32e
SHA2564950e959cb8ac30540acf2544bbe6a0bdf78e7ea2ce558f248c7f902df29b9ae
SHA51256daaa94dab1ec09d3a328f78e794d6040822ef26ee5370020e59a9da0e0be7e7c95c4e1805d24cf9270a475219e4dd98aa3a71afc6785df406f99a17110ddb0
-
Filesize
1.1MB
MD5b6672f5964eb4f8495ac54286af46c2c
SHA1cc41541c3dfec64af741154dddf28a0a5b0c7876
SHA2562b5fb8e16196b2c9f79406b5266de3f5a0709d7522e40f82f411df91e5d9b6b3
SHA512fb0a0cf37fcb88e647ff444eb3b7fd4445ebad38726172d91f26bb8ec41998e655a2ab27e4e7abba4b628bb694d07d5197311368de59e7b67309ae605468e0e6
-
Filesize
1.2MB
MD5a65e53c974a4e61728ecb632339a0978
SHA127e6ec4f8e34b40f1e08503245700c182b918ce9
SHA256ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a
SHA512b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e
-
Filesize
1.2MB
MD5a65e53c974a4e61728ecb632339a0978
SHA127e6ec4f8e34b40f1e08503245700c182b918ce9
SHA256ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a
SHA512b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e
-
Filesize
107B
MD5bcb223ea9c0598f04684216bcd0e12a6
SHA12661c8fbca3654a29fa261def7f16ea23a6f3165
SHA256ef2113720c94cbe4cb494d6e24d26803b4b1a094e35e4285cd4a2f5665ef2c37
SHA51277e440462544ca9f711f9241096601060080f5751651cab8a796d57ed74c424f03a9237a653c17a386c1ef654e6192d0e54080632dacff15a28a46564e639682
-
Filesize
124KB
MD50ae1550ae663898ee1aaab5438cf1098
SHA12f34e17397c083f7f6a5972fc989bf5f603a4996
SHA25630690ccaa855ed9b1eb767045e4731cf828746e00c40b386770ced5e8ccf514c
SHA51248ce7af1c7aed2a884a185715f4f131bbf7a7514da095b109bd087d5e70ec3db01d59ac4cb380f7efdc8d41ee23a8921b6aba31c85772ca16965970eb80ccd2c
-
Filesize
124KB
MD50ae1550ae663898ee1aaab5438cf1098
SHA12f34e17397c083f7f6a5972fc989bf5f603a4996
SHA25630690ccaa855ed9b1eb767045e4731cf828746e00c40b386770ced5e8ccf514c
SHA51248ce7af1c7aed2a884a185715f4f131bbf7a7514da095b109bd087d5e70ec3db01d59ac4cb380f7efdc8d41ee23a8921b6aba31c85772ca16965970eb80ccd2c
-
Filesize
263B
MD5c7d8b33e05722104d63de564a5d92b01
SHA1fd703f1c71ac1dae65dc34f3521854604cec8091
SHA256538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a
SHA51254a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e
-
Filesize
275B
MD5be7bbc9c7f6b505918f84b006b871965
SHA162f62090deb64ebdd93e2d48a1b85b3d0082415b
SHA256259d09385d3e18e569e36542ea92eee43747ec48244659ca21ff6e20e9a9d91d
SHA51284afc35227b5b590b5db0bb0e3c1c991202c0d6eef6ecc3ec9d7c097dce3e60d32c85915c7103efa413586a62e0ee7ae773fe13186a2f37825d1f20ac3f705e9
-
Filesize
329KB
MD562d2156e3ca8387964f7aa13dd1ccd5b
SHA1a5067e046ed9ea5512c94d1d17c394d6cf89ccca
SHA25659cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa
SHA512006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
296KB