Analysis
-
max time kernel
28s -
max time network
32s -
platform
windows7_x64 -
resource
win7-20230703-en -
resource tags
-
submitted
07/07/2023, 20:17
General
-
Target
9176b2ebf6ed8e16b858217cb3fb90bd37a384996e690bc8b2115f890fd79dcb.exe
-
Size
1.0MB
-
MD5
95b68eb1f710b4aab83b1d1231e60df1
-
SHA1
57ccb646028c48dd45f794f344ff2729278580c1
-
SHA256
9176b2ebf6ed8e16b858217cb3fb90bd37a384996e690bc8b2115f890fd79dcb
-
SHA512
0caffe64c5baf9a05c0c1e69a27d9f01807292a8bc2f28d96a63b0337100fab8736d4d4940f31e07db96ab905f5275471b858eb4d912e4fb0d26fa476164b56b
-
SSDEEP
12288:t0weR7JscTtqyv35cN5ycd4Hnsd2ITCTqlCTVL7nnn7S002B7q24ghc+PKd+70E:I5icTsyWV4HarcqcxnnXB7qJgDPKwF
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 9 IoCs
-
Gh0st RAT payload 1 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9176b2ebf6ed8e16b858217cb3fb90bd37a384996e690bc8b2115f890fd79dcb.exe"C:\Users\Admin\AppData\Local\Temp\9176b2ebf6ed8e16b858217cb3fb90bd37a384996e690bc8b2115f890fd79dcb.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\9176b2ebf6ed8e16b858217cb3fb90bd37a384996e690bc8b2115f890fd79dcb.txt2⤵
- Opens file in notepad (likely ransom note)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
120KB
MD53aea5b78bac5359a799c2714fecccd1a
SHA15d3203b328ecfc7a55c0ded1032d209e9f273367
SHA256c05e763cab67cf9daf5be7a6a6cff2650223987a9693eaa119f69b2bbb6df6c3
SHA5129513cc84a7ed3dd709d4affb03f6e286dcd43e82f33441c00a9d74d2b45449f2ee20baa8db46218d7a59d9e62fb7f95050ea305166e70f3e71dde39ccf07b6d3
-
Filesize
256B
MD58862f58dc8964caab2d25212c190e5c7
SHA10423633dadf783da4ded533b7d8ffcb8503f813c
SHA2560658be24a171ac6b5d755c480dc22d22fdcf4754ded9b777ff4364a3bc2a75f5
SHA51276f311d770c6b2585b79f6965b0f30af3819a66768a905303832bd1e21516b319317a1717a2417ec0283901d8a15bb5cc518cb6094a813f859e43cfd9387253a
-
Filesize
256B
MD58862f58dc8964caab2d25212c190e5c7
SHA10423633dadf783da4ded533b7d8ffcb8503f813c
SHA2560658be24a171ac6b5d755c480dc22d22fdcf4754ded9b777ff4364a3bc2a75f5
SHA51276f311d770c6b2585b79f6965b0f30af3819a66768a905303832bd1e21516b319317a1717a2417ec0283901d8a15bb5cc518cb6094a813f859e43cfd9387253a
-
Filesize
2KB
MD57943effe67a4647e06def2348949020e
SHA1eabd561f0639a975de259633f63896d82c3f878d
SHA2563fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa
SHA512c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003
-
Filesize
2KB
MD57943effe67a4647e06def2348949020e
SHA1eabd561f0639a975de259633f63896d82c3f878d
SHA2563fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa
SHA512c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003
-
Filesize
12KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
2.0MB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
156KB
-
Filesize
968KB
-
Filesize
92KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
408KB