Overview

overview

10

Static

static

7

1de2e0e806...30.exe

windows7-x64

10

1de2e0e806...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2023, 03:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730.exe

  • Size

    889KB

  • MD5

    b2360d22132c3fe3dc5a15b7fd067bad

  • SHA1

    63dc22bf87622588701b64f0f2dff7c5d103443b

  • SHA256

    1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730

  • SHA512

    43ad8d720190e7db1b519f2abca2855b257ab49c8e9c0b08691c00052d3b1369d8bccb6ffe366fd3c835ff6c7d91ba009b0b30b170ca59c214c01d9cb5cd2467

  • SSDEEP

    12288:2076zUu2kLGh6sPmozu119YICnZ8sq6iq39ncG/z0O9nxQX/eZqd:LQUuPGckzu5JCnCaioZxQX/eI

Score
10/10
blackmoongh0stratbankerpersistencerattrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 5 IoCs
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730.exe
    "C:\Users\Admin\AppData\Local\Temp\1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Public\Music\1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730.exe
      "C:\Users\Public\Music\1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2340

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730.txt
    Filesize

    120KB

    MD5

    3aea5b78bac5359a799c2714fecccd1a

    SHA1

    5d3203b328ecfc7a55c0ded1032d209e9f273367

    SHA256

    c05e763cab67cf9daf5be7a6a6cff2650223987a9693eaa119f69b2bbb6df6c3

    SHA512

    9513cc84a7ed3dd709d4affb03f6e286dcd43e82f33441c00a9d74d2b45449f2ee20baa8db46218d7a59d9e62fb7f95050ea305166e70f3e71dde39ccf07b6d3

    Download Submit

  • C:\Users\Public\Documents\sjsw.log
    Filesize

    235B

    MD5

    c1ddb75a4b5d3b5902e1acf91b377ad5

    SHA1

    e30b5b79501192edc552e18b43bba6001aa111a5

    SHA256

    77a8a804893145e7ac072ce243a30715f4a83e8be876ea9b06bc26e8933036f9

    SHA512

    49f9a9a8ac1c39fcc21fc9764f12a22a66324c2fd2e6dcc0417fc11b985cd9ef89bd6c228a4b62524d8c4e17fb94cdad989572044e014c99eee43a568766dcc4

    Download Submit

  • C:\Users\Public\Documents\zy.txt
    Filesize

    66KB

    MD5

    d70ed4778e67fe2dfea2e6b49251160d

    SHA1

    a9357aac2ab0fa260b646e628c2cbbacf4a16bd7

    SHA256

    78a07514c888d6b24d602f0c2972800bcbb2ac1ca7cd24b56d74666dbf73d568

    SHA512

    15a373af9a570f241f76b247850b39d513bce8bdfa29000e0d56e081c90743192907a2238a31d0c2cca4456b6000577bcf622817758748de799f46cbfc746bbb

    Download Submit

  • C:\Users\Public\Music\1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730.exe
    Filesize

    889KB

    MD5

    b2360d22132c3fe3dc5a15b7fd067bad

    SHA1

    63dc22bf87622588701b64f0f2dff7c5d103443b

    SHA256

    1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730

    SHA512

    43ad8d720190e7db1b519f2abca2855b257ab49c8e9c0b08691c00052d3b1369d8bccb6ffe366fd3c835ff6c7d91ba009b0b30b170ca59c214c01d9cb5cd2467

    Download Submit

  • C:\Users\Public\Music\1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730.exe
    Filesize

    889KB

    MD5

    b2360d22132c3fe3dc5a15b7fd067bad

    SHA1

    63dc22bf87622588701b64f0f2dff7c5d103443b

    SHA256

    1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730

    SHA512

    43ad8d720190e7db1b519f2abca2855b257ab49c8e9c0b08691c00052d3b1369d8bccb6ffe366fd3c835ff6c7d91ba009b0b30b170ca59c214c01d9cb5cd2467

    Download Submit

  • \Users\Public\Downloads\tcmd.dll
    Filesize

    2KB

    MD5

    7943effe67a4647e06def2348949020e

    SHA1

    eabd561f0639a975de259633f63896d82c3f878d

    SHA256

    3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

    SHA512

    c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

    Download Submit

  • \Users\Public\Music\1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730.exe
    Filesize

    889KB

    MD5

    b2360d22132c3fe3dc5a15b7fd067bad

    SHA1

    63dc22bf87622588701b64f0f2dff7c5d103443b

    SHA256

    1de2e0e806b4200a5c1077057b4bcaa9e2a47803eb62f9d64e02ecb6938e4730

    SHA512

    43ad8d720190e7db1b519f2abca2855b257ab49c8e9c0b08691c00052d3b1369d8bccb6ffe366fd3c835ff6c7d91ba009b0b30b170ca59c214c01d9cb5cd2467

    Download Submit

  • memory/1968-53-0x0000000000400000-0x00000000005D4000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1968-59-0x0000000000400000-0x00000000005D4000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1968-60-0x0000000003390000-0x0000000003564000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2584-98-0x0000000004210000-0x0000000004303000-memory.dmp

    Filesize

    972KB

    Download

  • memory/2584-104-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2584-71-0x0000000003B00000-0x0000000003B67000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2584-73-0x0000000000640000-0x0000000000643000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2584-72-0x0000000003B00000-0x0000000003B67000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2584-62-0x0000000000400000-0x00000000005D4000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2584-100-0x0000000004210000-0x0000000004303000-memory.dmp

    Filesize

    972KB

    Download

  • memory/2584-101-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2584-102-0x0000000004210000-0x0000000004303000-memory.dmp

    Filesize

    972KB

    Download

  • memory/2584-75-0x0000000003B00000-0x0000000003B67000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2584-103-0x0000000000400000-0x00000000005D4000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2584-105-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2584-108-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2584-117-0x0000000003B00000-0x0000000003B67000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2584-122-0x0000000003B00000-0x0000000003B67000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2584-119-0x0000000003B00000-0x0000000003B67000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2584-123-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download