Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/10/2023, 08:17 UTC

General

  • Target
    09b5debc4bd0e7760ba7bf6faa93268285cafa004608fe2735cba1b6eb0836a2.exe
  • Size
    823KB
  • MD5
    b255c4c0c3379db4b2afe207c90aad92
  • SHA1
    1b746283ad6e2a538048526d6bfe2ca044cc7963
  • SHA256
    09b5debc4bd0e7760ba7bf6faa93268285cafa004608fe2735cba1b6eb0836a2
  • SHA512
    067c05f1ba932e4658856afe4013eb4b30a0a3e7559cb52c481bc975e69903c06ebabd44cc89ce6e821cb4bf746216e23177ca98c975f1a0bd18328f217e3ec3
  • SSDEEP
    24576:iGiZm/gubF8j51far6VJ+xcVW9zh7afqxs1OVTcsBvwnmkvqPo0lTs:i8/LLZrlTs

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 5 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09b5debc4bd0e7760ba7bf6faa93268285cafa004608fe2735cba1b6eb0836a2.exe
    "C:\Users\Admin\AppData\Local\Temp\09b5debc4bd0e7760ba7bf6faa93268285cafa004608fe2735cba1b6eb0836a2.exe"
    1⤵
    • Sets service image path in registry
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\CMD.exe
      CMD /C SC STOP zixuxs
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\sc.exe
        SC STOP zixuxs
        3⤵
        • Launches sc.exe
        PID:2664
    • C:\Windows\SysWOW64\CMD.exe
      CMD /C SC DELETE zixuxs
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\sc.exe
        SC DELETE zixuxs
        3⤵
        • Launches sc.exe
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2520-3-0x0000000077CE0000-0x0000000077CE1000-memory.dmp
    Filesize: 4KB
  • memory/2520-4-0x0000000077CDF000-0x0000000077CE0000-memory.dmp
    Filesize: 4KB
  • memory/2520-2-0x0000000000400000-0x00000000004E5000-memory.dmp
    Filesize: 916KB
  • memory/2520-1-0x0000000000400000-0x00000000004E5000-memory.dmp
    Filesize: 916KB
  • memory/2520-5-0x0000000000400000-0x00000000004E5000-memory.dmp
    Filesize: 916KB
  • memory/2520-10-0x0000000000400000-0x00000000004E5000-memory.dmp
    Filesize: 916KB
  • memory/2520-11-0x0000000000400000-0x00000000004E5000-memory.dmp
    Filesize: 916KB
