Analysis
-
max time kernel
299s -
max time network
303s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
01-10-2023 09:07
General
-
Target
hh.chm
-
Size
201KB
-
MD5
8dd20f3f2f25bb297c9b64895530f920
-
SHA1
87c98fe066c3424ae89f18b439cede19679076b2
-
SHA256
3317b010df0c78ddd2043dfc02a824023faba86d362627e4d42b38084134e275
-
SHA512
22713705334e69564df34938194692cb534f0c8a8be4ced34fc367aa2a7e77c96e1742b9d6ce72004c3d378fba6930fb1800a0a39985b969ced0d02d14e8d459
-
SSDEEP
6144:iTnr34RHDSWdynEzIsOcr792z8Xn5UBq0:onr3yHOiIsOcr7SOn5UU0
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\hh.exe"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\hh.chm1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Searches\qTRod0J0x9huXtWYGroR3nXdjpHRlTQsMxmPsaUNvXhrizfcxzfBv\svchost.exe"C:\Users\Admin\Searches\qTRod0J0x9huXtWYGroR3nXdjpHRlTQsMxmPsaUNvXhrizfcxzfBv\svchost.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Cab5E86.tmpFilesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
C:\Users\Admin\Searches\qTRod0J0x9huXtWYGroR3nXdjpHRlTQsMxmPsaUNvXhrizfcxzfBv\libcef.dllFilesize
132.5MB
MD54b76e6f9478e03b6d5c20612857a7f63
SHA184496777e665853730c895c08540b8b48fc708be
SHA2563407c7f02a4be2bdb2729e43cc776d61230fc1840bb89adc6b62517a8e24b3cf
SHA512a9a6c6def227c6b8931ce47a308522a4ceb2f07014c6b0b4a7468830c4d76f9d49910f6e35fe30b5ff3ba605dcbc1ca19c19c6aa6123de2cbf01907b6b842b47
-
C:\Users\Admin\Searches\qTRod0J0x9huXtWYGroR3nXdjpHRlTQsMxmPsaUNvXhrizfcxzfBv\libcef.pngFilesize
571KB
MD5f9ce53070a8a09158146344723e9cf3a
SHA1face56300c1e7e81845a8ad63f990441a45fa4f6
SHA256253ae3586d0f1953b895ef927614ed351065921916fd4d9ff6f02d566d16cb78
SHA5120560db7f15e2d1df22c6de00342dcd3225a3f54f150e54d395cb3fcb3cc6357a7e01698b91a0b05d904d6093f95dd79f73ba7595b5a4ac7260a6d4d0f02e7eea
-
C:\Users\Admin\Searches\qTRod0J0x9huXtWYGroR3nXdjpHRlTQsMxmPsaUNvXhrizfcxzfBv\svchost.exeFilesize
1.1MB
MD57c4bfda1e4dfa3a7c59aaeb7fee08c80
SHA17ac76bcf4a74ab57aeb62aa59531f8aad14c6c77
SHA256781609c3f08ad116aa2c342e277c4899ae760e08e6c1593f95b6aa3cf6f5b109
SHA512bd189c981a1a25c782f4c12dc00a9009a4819a33ee9eacb6c1ba30b1d656965c86099bd0beb66f1ea8cfc0bf5e7a5ddfc370b1a0fd0f69381f216e05d437d68a
-
C:\Users\Admin\Searches\qTRod0J0x9huXtWYGroR3nXdjpHRlTQsMxmPsaUNvXhrizfcxzfBv\svchost.exeFilesize
1.1MB
MD57c4bfda1e4dfa3a7c59aaeb7fee08c80
SHA17ac76bcf4a74ab57aeb62aa59531f8aad14c6c77
SHA256781609c3f08ad116aa2c342e277c4899ae760e08e6c1593f95b6aa3cf6f5b109
SHA512bd189c981a1a25c782f4c12dc00a9009a4819a33ee9eacb6c1ba30b1d656965c86099bd0beb66f1ea8cfc0bf5e7a5ddfc370b1a0fd0f69381f216e05d437d68a
-
C:\Users\Admin\Searches\qTRod0J0x9huXtWYGroR3nXdjpHRlTQsMxmPsaUNvXhrizfcxzfBv\svchost.exeFilesize
1.1MB
MD57c4bfda1e4dfa3a7c59aaeb7fee08c80
SHA17ac76bcf4a74ab57aeb62aa59531f8aad14c6c77
SHA256781609c3f08ad116aa2c342e277c4899ae760e08e6c1593f95b6aa3cf6f5b109
SHA512bd189c981a1a25c782f4c12dc00a9009a4819a33ee9eacb6c1ba30b1d656965c86099bd0beb66f1ea8cfc0bf5e7a5ddfc370b1a0fd0f69381f216e05d437d68a
-
\Users\Admin\Searches\qTRod0J0x9huXtWYGroR3nXdjpHRlTQsMxmPsaUNvXhrizfcxzfBv\libcef.dllFilesize
132.5MB
MD54b76e6f9478e03b6d5c20612857a7f63
SHA184496777e665853730c895c08540b8b48fc708be
SHA2563407c7f02a4be2bdb2729e43cc776d61230fc1840bb89adc6b62517a8e24b3cf
SHA512a9a6c6def227c6b8931ce47a308522a4ceb2f07014c6b0b4a7468830c4d76f9d49910f6e35fe30b5ff3ba605dcbc1ca19c19c6aa6123de2cbf01907b6b842b47
-
\Users\Admin\Searches\qTRod0J0x9huXtWYGroR3nXdjpHRlTQsMxmPsaUNvXhrizfcxzfBv\svchost.exeFilesize
1.1MB
MD57c4bfda1e4dfa3a7c59aaeb7fee08c80
SHA17ac76bcf4a74ab57aeb62aa59531f8aad14c6c77
SHA256781609c3f08ad116aa2c342e277c4899ae760e08e6c1593f95b6aa3cf6f5b109
SHA512bd189c981a1a25c782f4c12dc00a9009a4819a33ee9eacb6c1ba30b1d656965c86099bd0beb66f1ea8cfc0bf5e7a5ddfc370b1a0fd0f69381f216e05d437d68a
-
memory/856-88-0x0000000000150000-0x0000000000175000-memory.dmpFilesize
148KB
-
memory/856-85-0x0000000000750000-0x00000000007E3000-memory.dmpFilesize
588KB
-
memory/1692-14-0x0000000004AA0000-0x0000000004AB9000-memory.dmpFilesize
100KB
-
memory/1692-69-0x000000001DD20000-0x000000001DDA0000-memory.dmpFilesize
512KB
-
memory/1692-82-0x000007FEF3C80000-0x000007FEF466C000-memory.dmpFilesize
9.9MB
-
memory/1692-83-0x0000000004AA0000-0x0000000004AB9000-memory.dmpFilesize
100KB
-
memory/1692-68-0x000007FEF3C80000-0x000007FEF466C000-memory.dmpFilesize
9.9MB
-
memory/1692-5-0x000007FEF3C80000-0x000007FEF466C000-memory.dmpFilesize
9.9MB
-
memory/1692-7-0x00000000049E0000-0x0000000004A10000-memory.dmpFilesize
192KB
-
memory/1692-8-0x000000001DD20000-0x000000001DDA0000-memory.dmpFilesize
512KB
-
memory/1692-6-0x000000001DBA0000-0x000000001DC96000-memory.dmpFilesize
984KB
