Analysis

  • max time kernel
    153s
  • max time network
    175s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-09-2023 04:11

General

  • Target

    py-hzz.msi

  • Size

    118.5MB

  • MD5

    647864bf491144519120e6aef0ccee2b

  • SHA1

    aa0f4f5ae485cc31c80d1241442bd07710db353e

  • SHA256

    1e87ebcf8bf36d40079573ee61efb7f4e7f70b46c85ca1888899490b4be5f98d

  • SHA512

    12bdbed6a35d0c22e3266f1356ad8261d66d539be4e344084aeb7a3d05d438081ffd328ba6da9028f745b17e50af96b27e80ebc7cec2969acda308657c7019c1

  • SSDEEP

    3145728:n92fD6MoAr3Z1q3oeZJDN/Mfm1eoT1Fl0f5yQBtmpX4:gfD6Moc3a3oeZnMGBRsdtmR

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\py-hzz.msi
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2300
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Program Files (x86)\搜狗输入法\搜狗输入法\QuickQ.exe
      "C:\Program Files (x86)\搜狗输入法\搜狗输入法\QuickQ.exe" /Install
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2464
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2800
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "00000000000004A0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\搜狗输入法\搜狗输入法\QuickQ.exe

    Filesize

    3.0MB

    MD5

    1e1b42b6c885280e082ac373f7b59f3f

    SHA1

    1e6646b827f5089aefedac669f62ef55a19d7ad2

    SHA256

    14b6a49fb11961fb851c51b3dbca5ee8cb02d86e5dfcf7cdbd9edcd06f2c118c

    SHA512

    56826f422d8f68d6c9a6b7cd23c0a48fa7ee48c4e90588f630d4b08588b63e8cfff230549272d8411cd2fe229f158ddc108a48cba658064ded4e76e0d9064c64

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JXO65VIN\BGDNQG38.htm

    Filesize

    399KB

    MD5

    7465dec6024accd6657347c43d7e4146

    SHA1

    8f9eef39e9815cb02c0e0d41c63afa06c8dd411a

    SHA256

    319b1191e1f4ea8a6e633db14736306b946714f7dc200cbb217804388d4e176f

    SHA512

    4ca505db71406a882eadf5b76dfb96dc04782935f090f90d3ca12402dd5f35d8aff77f9a61eae7f9eb78695443afd918ba8b6fa7b2db199a7b478d3c64f5bdac

  • \Users\Public\Videos\study59\1.dll

    Filesize

    1.9MB

    MD5

    efb4f7f2c29f4b812ec344782c751ead

    SHA1

    84e6ec5323d1c535dcf4c7bbdde259a9847eee39

    SHA256

    d48fb613b4336547f5925f88ffd5de78bb36974634aad096deeb5af4be1b96c6

    SHA512

    dc85c2005c84da617bf2280471db7afb4e4bb3f85aa885136b6daf14041ee6d0dd4afd043ac1d16e4b14eddc05ad93aa8e2dec55d1e8e22e05427666cfb2c4c4

  • \Users\Public\Videos\study59\2.dll

    Filesize

    576KB

    MD5

    e1b3cf30274e632c35be299d4d6e3931

    SHA1

    9c52dccc089995899c566d1897d4b6e623c790b6

    SHA256

    37987d399b9d543125909768f6197783fe8ea92d2575622ae3df9e396444f6fd

    SHA512

    1b9475c430d70cd18097849d5eecd1d41493811f7162ca89cc29ce87093b7261e9c594567d9b39cf49157e6feb50f0f014ca93d5923fe124bafe9504db976443