Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-07-2023 01:58

General

  • Target

    ef4121272bc4145be82dc33c67572981bbdfeb0c0d1941aa9a00e2a59b956883.exe

  • Size

    2.0MB

  • MD5

    9b738f674a2a254854151fa7b18e4a7e

  • SHA1

    c83df066d665312e5e5bbaeeb774550ece50a73d

  • SHA256

    ef4121272bc4145be82dc33c67572981bbdfeb0c0d1941aa9a00e2a59b956883

  • SHA512

    5c60adaf7a2d4a53fa7ddda416d42718a4313db8017ec08779a384d7a08337048ac8d39c07b37f417716fd7a35f9813bc5437516c775dc43400c401480b73383

  • SSDEEP

    24576:PSH25PwcN2jx23LdZNtWFKVaIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECi:PlDoOTNtGKQIvfuRVy/Pur2Mgi

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload (7 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file (4 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Writes to the Master Boot Record (MBR) (1 TTPs, 3 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (13 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef4121272bc4145be82dc33c67572981bbdfeb0c0d1941aa9a00e2a59b956883.exe
    "C:\Users\Admin\AppData\Local\Temp\ef4121272bc4145be82dc33c67572981bbdfeb0c0d1941aa9a00e2a59b956883.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ippatch.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3628
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ipsee.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4036
    • C:\Users\Admin\AppData\Roaming\ippatch.exe
      "C:\Users\Admin\AppData\Roaming\ippatch.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ipsee.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4592
      • C:\Users\Admin\AppData\Roaming\ipsee.exe
        "C:\Users\Admin\AppData\Roaming\ipsee.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4040
    • C:\Users\Admin\AppData\Roaming\ippatch.exe
      "C:\Users\Admin\AppData\Roaming\ippatch.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetWindowsHookEx
      PID:4588
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • Kills process with taskkill
      PID:2896
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3156
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • Kills process with taskkill
      PID:3004
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • Kills process with taskkill
      PID:472
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3928
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • Kills process with taskkill
      PID:1012
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1436
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • Kills process with taskkill
      PID:2332

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk

    Filesize

    771B

    MD5

    bbb7a8009ad0e79f0af09403e5a6d4e3

    SHA1

    f96f6bcc245edfe834c2e411a231198ee6966dd9

    SHA256

    aa6e3992b469a84b82f76580dac47f16db85f2af154a0e923e72a5e6e59e7a5e

    SHA512

    b4e7a8421b3bd1ecb58463d7a0f3a4864650588c775c5128c4f53690ddb4ed4808f70ec075e733358aba47ae575bbe9550e6a1facd67f6d75ee984729269e196

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yhxx.dll

    Filesize

    154B

    MD5

    40b80bda339faae4739d77caa3ebd0eb

    SHA1

    54e11813769d714dbf3153ec6f2620b919a00fca

    SHA256

    c551be73cdf086d8b11a4b92910c939cec35e1a8805ee3099b18c5a26f14aff3

    SHA512

    ab087ef1fb1a60772dcd091dc45a47d5b3f5f17f3aa6ae0f1293983b4015a7b1217e69bea95d6f3e4085962f8ef3ca3f529e76d083ab805648aa1bb76480e376

  • C:\Users\Admin\AppData\Roaming\RCX82ED.tmp

    Filesize

    2.0MB

    MD5

    9c1291be0896335f6ef8cc5b53815d4e

    SHA1

    3160682126f53c171b4a082e155212c9eb128879

    SHA256

    23c1e9c4db905d72c150cd32c928c5d55c484919340805ef9d711b6cc5ebc960

    SHA512

    9ba55e6e04d5971dfbe7cc44be827914cdfc0a7fa1e8feae10963876e732cde1a84a8b5d9baa0d00bf0873bd2991ab0f14011753dfe49fbe6c46d5f06eabea57

  • C:\Users\Admin\AppData\Roaming\ippatch.exe

    Filesize

    2.0MB

    MD5

    9c1291be0896335f6ef8cc5b53815d4e

    SHA1

    3160682126f53c171b4a082e155212c9eb128879

    SHA256

    23c1e9c4db905d72c150cd32c928c5d55c484919340805ef9d711b6cc5ebc960

    SHA512

    9ba55e6e04d5971dfbe7cc44be827914cdfc0a7fa1e8feae10963876e732cde1a84a8b5d9baa0d00bf0873bd2991ab0f14011753dfe49fbe6c46d5f06eabea57

  • C:\Users\Admin\AppData\Roaming\ipsee.exe

    Filesize

    868KB

    MD5

    067426c2f905adfe1c96d5f4ead767e5

    SHA1

    f2c7e585939f3ae53705a5ffdc4efc22e248a3c6

    SHA256

    d0d165e7f9cc53624b9aa02fa7a878d8b28d5a0fd4d781d321490f03c50be13c

    SHA512

    72eae4c5a15377d67115e1c928b63f1479a79979740c95faa25e8110b3f10272e36943653201fd19687b18839791c823aee5ef6f546904fd445b451e75551018

  • C:\Users\Admin\AppData\Roaming\mydll.dll

    Filesize

    256KB

    MD5

    00abc8db8174b8514e7bcc5c29ba3b5b

    SHA1

    96a80a6cab9cbbd00cc412979c2b967bb7b74392

    SHA256

    eb7e3757d6914640cd79587604c06dda7ec40a25e39651a8a71c33abcbbb4521

    SHA512

    e481427cf16c527a5d85799ba5acb37576514e504bcfe6234c64edf9b66421142443d787641e8da59c70c0d1fb61ed38b359f93f0496ac4a732f25c844811a6c

  • C:\Users\Admin\AppData\Roaming\mydll.dll

    Filesize

    256KB

    MD5

    7fffac9b45c90a477516d0dc9a949fcd

    SHA1

    faaf678fb503ec7986cf172d646d0c78ff95b56c

    SHA256

    5dbc6a38cbde8fb873f3cb8429c92f1695a4e1aae8e2260aa57bdea6bdab5aab

    SHA512

    5ac937059b53349b1e70f476b8bd1eed9db867da272e2d7652921fe6e90298f727a13d2265157ddafb9df2cd5b161394b760079d7dd38622b0a0d30436a3cb2e

  • C:\Users\Admin\AppData\Roaming\mydll.dll

    Filesize

    256KB

    MD5

    b2eec57a707a2a69c44ec720b1c1c26f

    SHA1

    9ef1676b741a933ea7758e90eba38c591cd87ed0

    SHA256

    8311341a166708c6730426804396e424036063af4d52c896178a9b9698b3ce9a

    SHA512

    c900cf1d7d556986657eee1194315053eda72889e036c6ec17f56168c9c292344b004f2a37039c08b9819199c1cf2852ee7bd991ad9ba4546ee57c8d157fb64f