Overview

overview

10

Static

static

7

60a57ed2be...98.exe

windows7-x64

10

60a57ed2be...98.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    08-10-2023 08:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60a57ed2becb72c57c00de8ec810eef2d948fcf72c8a4e84dfa9364286ccce98.exe

  • Size

    1.9MB

  • MD5

    d0e343541a4de59af20e512b9a31deda

  • SHA1

    534c89486fdd1ef1a30d5e01b4b5e4e159462405

  • SHA256

    60a57ed2becb72c57c00de8ec810eef2d948fcf72c8a4e84dfa9364286ccce98

  • SHA512

    748e7a6e18416fe5d37c140479e26f156e43200297600cce97970d909b954e4ae4751326d67d2d1decdc144ef6242bdd34971b2b72f0597981354e856efe6ee4

  • SSDEEP

    49152:rGZ6AR0vIkbpHDZk3nMWLcHphCZ3YLq+WLLP:SZ6/wkbtS3nZaTM3YLLWL

Score
10/10
blackmoonbankerevasiontrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 6 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60a57ed2becb72c57c00de8ec810eef2d948fcf72c8a4e84dfa9364286ccce98.exe
    "C:\Users\Admin\AppData\Local\Temp\60a57ed2becb72c57c00de8ec810eef2d948fcf72c8a4e84dfa9364286ccce98.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:1948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1704-0-0x0000000001280000-0x00000000014DD000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1704-1-0x0000000001280000-0x00000000014DD000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1704-2-0x0000000001280000-0x00000000014DD000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1704-3-0x0000000001280000-0x00000000014DD000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1704-6-0x0000000010000000-0x00000000102E4000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1704-5-0x0000000010000000-0x00000000102E4000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1704-7-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1704-10-0x0000000001280000-0x00000000014DD000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1704-11-0x0000000010000000-0x00000000102E4000-memory.dmp

    Filesize

    2.9MB

    Download