Overview

overview

10

Static

static

3

cce6d94596...13.dll

windows7-x64

10

cce6d94596...13.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 22:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cce6d94596c0bf65a1ccc09bd638ffecbd09b433e5417a51f2c3c032766cd213.dll

  • Size

    15.3MB

  • MD5

    11de1dd85bc2d1d737518c1050b1e5de

  • SHA1

    a6888520e043294c4735e688d2a880cbb0fae84e

  • SHA256

    cce6d94596c0bf65a1ccc09bd638ffecbd09b433e5417a51f2c3c032766cd213

  • SHA512

    28fcc63b7bf44847787f10d4d5a570a2c094bc51183a9621e8bbf5ea1a13471c8435b358d4c404a266a4b317bfb481495a8c73ceebe6a0bc08f541b32fc057df

  • SSDEEP

    196608:0bPx/++HkUuicZHM0w+riPoDLNUMtBMO7NKWPUr9V5jABSuzYvZQaf+H2iIh2IkI:0b9zkPyU+PkrZnyp+8fjimkTVzS

Score
10/10
blackmoonbankerpersistencetrojanupxvmprotect

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 3 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 5 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cce6d94596c0bf65a1ccc09bd638ffecbd09b433e5417a51f2c3c032766cd213.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cce6d94596c0bf65a1ccc09bd638ffecbd09b433e5417a51f2c3c032766cd213.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Sets service image path in registry
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        C:\Users\Admin\AppData\Local\Temp\tmp.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4876
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\Driver_Setup.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\devcon.exe
          devcon install BoothMalthus.inf "{B7696810-050E-4d2c-8D8F-C99735CB6998}\HID_DEVICE"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          PID:4896
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{8c6bab5a-cad2-e048-a4a1-d124b4aa7351}\boothmalthus.inf" "9" "46a102943" "0000000000000100" "WinSta0\Default" "0000000000000160" "208" "c:\users\admin\appdata\local\temp\filedef2017f206\x64"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{aca7a16c-bd91-6c4e-b1d3-bd6c65fea0f6} Global\{d02a6121-05a9-344f-b30a-d856ad88b5f0} C:\Windows\System32\DriverStore\Temp\{302fa0a5-4064-3045-9f19-13eb4cb1fc17}\boothmalthus.inf C:\Windows\System32\DriverStore\Temp\{302fa0a5-4064-3045-9f19-13eb4cb1fc17}\BoothMalthus.cat
        3⤵
          PID:1760

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\BoothMalthus.inf
      Filesize

      3KB

      MD5

      776f3ea7afee2a21018ec6e46c8f1768

      SHA1

      761d8bc0bd5c26c2a6b6bf52e1603c95893cd76b

      SHA256

      fb039a0d4a1a352d53b35572f0e1c5582ddc80736fcdc03197576c7254bd922e

      SHA512

      671c9f45c9afab432e0b6bbff011d94374ac33c4517fce0216b5de79f6a20c97e6aedcb217c75f70cc89ba17d798e48fa4bbdc28c49cd9b2665e3086b24afe4c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\Driver_Setup.bat
      Filesize

      148B

      MD5

      97cf8bf0fc3f8f374d5be1252cfe14f2

      SHA1

      8be0e0eed3da8f9041319a2a9c1aa1093418fadd

      SHA256

      04b496ad848dc208ba978968540a944aa2f8979a549b8cd4d1a089f356ea16ee

      SHA512

      1a836b17e24b51ad32f7125cf6f6e4823b4dc7860b01b502b8f9a358f565e764f4ed08cdfd857e4b1b48e4db407282d42c7f2a64813bdbf2cd3f6bcd30f36f3f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\devcon.exe
      Filesize

      87KB

      MD5

      41ba1bbdd9284e49701ee94a3f446c33

      SHA1

      6d5bd532a0f9a3bf7005edeb53b4aba2d30a0c99

      SHA256

      c65d9acba88d2c56422ec4aba235b0ae25bb3261bf400cd30efe11de0c4330e4

      SHA512

      dc55452698966b77c157a81eb458984b17e3e3a0d3ff885479f7c823b847eb739a07782f140ced12eac75fdddd7416f923c885a9d8e8b0a10010fc07bef3da45

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\devcon.exe
      Filesize

      87KB

      MD5

      41ba1bbdd9284e49701ee94a3f446c33

      SHA1

      6d5bd532a0f9a3bf7005edeb53b4aba2d30a0c99

      SHA256

      c65d9acba88d2c56422ec4aba235b0ae25bb3261bf400cd30efe11de0c4330e4

      SHA512

      dc55452698966b77c157a81eb458984b17e3e3a0d3ff885479f7c823b847eb739a07782f140ced12eac75fdddd7416f923c885a9d8e8b0a10010fc07bef3da45

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll
      Filesize

      1.8MB

      MD5

      9c842288aefe97836f56d6b20b078ff8

      SHA1

      4c28b0112195a5181891022fd999fc8a6236a842

      SHA256

      8d048151cefb7b07d4b00704fcc858d22c7501d1692902ea363678ad50db603e

      SHA512

      4e20b932b11b0c5cbce221c1eb947e7b3ddb68d5ad9d5153c713e55d11dde7482ae3164d57b20b7c82015bfcdbcc6c2d579544b324ff3662e207185200172eb0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll
      Filesize

      1.8MB

      MD5

      9c842288aefe97836f56d6b20b078ff8

      SHA1

      4c28b0112195a5181891022fd999fc8a6236a842

      SHA256

      8d048151cefb7b07d4b00704fcc858d22c7501d1692902ea363678ad50db603e

      SHA512

      4e20b932b11b0c5cbce221c1eb947e7b3ddb68d5ad9d5153c713e55d11dde7482ae3164d57b20b7c82015bfcdbcc6c2d579544b324ff3662e207185200172eb0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\load.dll
      Filesize

      2.2MB

      MD5

      abde7ddcc7dca86700ccf9fd3fc25b11

      SHA1

      e2fabf760f8558db2b2cfcd0fda66948e74e7839

      SHA256

      4caed7de787af5c26e5091a2733888d5af8605b5851c5f177273b452eb7b02c4

      SHA512

      a5f7e5e7315701e07b64f3e6a5b5623f9eb31de61ca0de53c0456ed202d341ca839f9e3c6eb41dbae5dd5ddba7d28cd263e3c76a48b53591ba2d5573fdca44a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\load.dll
      Filesize

      2.2MB

      MD5

      abde7ddcc7dca86700ccf9fd3fc25b11

      SHA1

      e2fabf760f8558db2b2cfcd0fda66948e74e7839

      SHA256

      4caed7de787af5c26e5091a2733888d5af8605b5851c5f177273b452eb7b02c4

      SHA512

      a5f7e5e7315701e07b64f3e6a5b5623f9eb31de61ca0de53c0456ed202d341ca839f9e3c6eb41dbae5dd5ddba7d28cd263e3c76a48b53591ba2d5573fdca44a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Filesize

      1.6MB

      MD5

      8e17399c045f0e397c4611d4c9d33e02

      SHA1

      aac120429b61430ba2a3f618707cd6110604ceb8

      SHA256

      78778cc786849a8bbbe5931c7c846bd5d759553a9e2b598eeebe018a81a3dea4

      SHA512

      a0c75717322a81c20bfc6a8045a80f4943d6b75ad5ba79265acbadbc5e39855592de655058bc895b1c5298ca9f5d3bcf0a573654c69925d0558cf87a957e21c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Filesize

      1.6MB

      MD5

      8e17399c045f0e397c4611d4c9d33e02

      SHA1

      aac120429b61430ba2a3f618707cd6110604ceb8

      SHA256

      78778cc786849a8bbbe5931c7c846bd5d759553a9e2b598eeebe018a81a3dea4

      SHA512

      a0c75717322a81c20bfc6a8045a80f4943d6b75ad5ba79265acbadbc5e39855592de655058bc895b1c5298ca9f5d3bcf0a573654c69925d0558cf87a957e21c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{8C6BA~1\BoothMalthus.cat
      Filesize

      9KB

      MD5

      42ed8315f9e8f83ffaf05eff07f2c8cb

      SHA1

      f64a686f070d4fa771390af0f9588074ad74f7fb

      SHA256

      fdcf322c6ad729782b4cd954990c502e4b703f24c19146cdd078c2c0d7af764f

      SHA512

      31c93ef2cd67299073e9478ece83663c1fd2d7b3ebcbff762770e83260ca8951c16872f5f7fedab345ac184bfa5cb50dfd4b2dd93f6bd71a9b55c640cc296a88

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{8C6BA~1\BoothMalthus.sys
      Filesize

      30KB

      MD5

      f8bfa19db73f27dbd2446260367e8ec6

      SHA1

      077cba2260fec8b5ed78a95e07e42083d4c0e8fb

      SHA256

      fb1c659f19dadfa4a8f86f45674dc9f20153234d9271a24449997c43007203ac

      SHA512

      817c4f67bbbc621ee3a3b7686d2f7b3d64701cdfffe23b44cbd63131fa75e1b99bcd3cf8002a43e65ee1f963004c92de9942d507d7db9bc78f8648e12b14f5d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{8c6bab5a-cad2-e048-a4a1-d124b4aa7351}\boothmalthus.inf
      Filesize

      3KB

      MD5

      776f3ea7afee2a21018ec6e46c8f1768

      SHA1

      761d8bc0bd5c26c2a6b6bf52e1603c95893cd76b

      SHA256

      fb039a0d4a1a352d53b35572f0e1c5582ddc80736fcdc03197576c7254bd922e

      SHA512

      671c9f45c9afab432e0b6bbff011d94374ac33c4517fce0216b5de79f6a20c97e6aedcb217c75f70cc89ba17d798e48fa4bbdc28c49cd9b2665e3086b24afe4c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{8c6bab5a-cad2-e048-a4a1-d124b4aa7351}\boothmalthus.inf
      Filesize

      3KB

      MD5

      776f3ea7afee2a21018ec6e46c8f1768

      SHA1

      761d8bc0bd5c26c2a6b6bf52e1603c95893cd76b

      SHA256

      fb039a0d4a1a352d53b35572f0e1c5582ddc80736fcdc03197576c7254bd922e

      SHA512

      671c9f45c9afab432e0b6bbff011d94374ac33c4517fce0216b5de79f6a20c97e6aedcb217c75f70cc89ba17d798e48fa4bbdc28c49cd9b2665e3086b24afe4c

      Download Submit

    • C:\Windows\SysWOW64\DrvInDll.dll
      Filesize

      808KB

      MD5

      49570c3624fb6d1d1244bdd9115fcd52

      SHA1

      90702b103418c5de54af0cbcd7f1bdd83605b56a

      SHA256

      ce1860f54f32aa03004d96e72c969f6ca8f76450bf0cb39b62af5bdd554bf92c

      SHA512

      a7a0ac5fe5f362b171c08112955ed4afa27300926ad7da3fc3be1e0a4175dfea6da07bd9b8f4285b2f58477f26add838c332f81481eca894e25fa3f74111abef

      Download Submit

    • C:\Windows\SysWOW64\DrvInDll.dll
      Filesize

      808KB

      MD5

      49570c3624fb6d1d1244bdd9115fcd52

      SHA1

      90702b103418c5de54af0cbcd7f1bdd83605b56a

      SHA256

      ce1860f54f32aa03004d96e72c969f6ca8f76450bf0cb39b62af5bdd554bf92c

      SHA512

      a7a0ac5fe5f362b171c08112955ed4afa27300926ad7da3fc3be1e0a4175dfea6da07bd9b8f4285b2f58477f26add838c332f81481eca894e25fa3f74111abef

      Download Submit

    • C:\Windows\SysWOW64\SkinH_EL.dll
      Filesize

      86KB

      MD5

      114054313070472cd1a6d7d28f7c5002

      SHA1

      9a044986e6101df1a126035da7326a50c3fe9a23

      SHA256

      e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

      SHA512

      a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

      Download Submit

    • C:\Windows\SysWOW64\SkinH_EL.dll
      Filesize

      86KB

      MD5

      114054313070472cd1a6d7d28f7c5002

      SHA1

      9a044986e6101df1a126035da7326a50c3fe9a23

      SHA256

      e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

      SHA512

      a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

      Download Submit

    • C:\Windows\SysWOW64\SkinH_EL.dll
      Filesize

      86KB

      MD5

      114054313070472cd1a6d7d28f7c5002

      SHA1

      9a044986e6101df1a126035da7326a50c3fe9a23

      SHA256

      e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

      SHA512

      a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

      Download Submit

    • C:\Windows\System32\DriverStore\Temp\{302fa0a5-4064-3045-9f19-13eb4cb1fc17}\BoothMalthus.cat
      Filesize

      9KB

      MD5

      42ed8315f9e8f83ffaf05eff07f2c8cb

      SHA1

      f64a686f070d4fa771390af0f9588074ad74f7fb

      SHA256

      fdcf322c6ad729782b4cd954990c502e4b703f24c19146cdd078c2c0d7af764f

      SHA512

      31c93ef2cd67299073e9478ece83663c1fd2d7b3ebcbff762770e83260ca8951c16872f5f7fedab345ac184bfa5cb50dfd4b2dd93f6bd71a9b55c640cc296a88

      Download Submit

    • C:\Windows\System32\DriverStore\Temp\{302fa0a5-4064-3045-9f19-13eb4cb1fc17}\SET55DB.tmp
      Filesize

      9KB

      MD5

      42ed8315f9e8f83ffaf05eff07f2c8cb

      SHA1

      f64a686f070d4fa771390af0f9588074ad74f7fb

      SHA256

      fdcf322c6ad729782b4cd954990c502e4b703f24c19146cdd078c2c0d7af764f

      SHA512

      31c93ef2cd67299073e9478ece83663c1fd2d7b3ebcbff762770e83260ca8951c16872f5f7fedab345ac184bfa5cb50dfd4b2dd93f6bd71a9b55c640cc296a88

      Download Submit

    • C:\Windows\System32\DriverStore\Temp\{302fa0a5-4064-3045-9f19-13eb4cb1fc17}\SET55ED.tmp
      Filesize

      30KB

      MD5

      f8bfa19db73f27dbd2446260367e8ec6

      SHA1

      077cba2260fec8b5ed78a95e07e42083d4c0e8fb

      SHA256

      fb1c659f19dadfa4a8f86f45674dc9f20153234d9271a24449997c43007203ac

      SHA512

      817c4f67bbbc621ee3a3b7686d2f7b3d64701cdfffe23b44cbd63131fa75e1b99bcd3cf8002a43e65ee1f963004c92de9942d507d7db9bc78f8648e12b14f5d6

      Download Submit

    • C:\Windows\System32\DriverStore\Temp\{302fa0a5-4064-3045-9f19-13eb4cb1fc17}\boothmalthus.inf
      Filesize

      3KB

      MD5

      776f3ea7afee2a21018ec6e46c8f1768

      SHA1

      761d8bc0bd5c26c2a6b6bf52e1603c95893cd76b

      SHA256

      fb039a0d4a1a352d53b35572f0e1c5582ddc80736fcdc03197576c7254bd922e

      SHA512

      671c9f45c9afab432e0b6bbff011d94374ac33c4517fce0216b5de79f6a20c97e6aedcb217c75f70cc89ba17d798e48fa4bbdc28c49cd9b2665e3086b24afe4c

      Download Submit

    • \??\c:\users\admin\appdata\local\temp\FILEDE~1\x64\BOOTHM~1.SYS
      Filesize

      30KB

      MD5

      f8bfa19db73f27dbd2446260367e8ec6

      SHA1

      077cba2260fec8b5ed78a95e07e42083d4c0e8fb

      SHA256

      fb1c659f19dadfa4a8f86f45674dc9f20153234d9271a24449997c43007203ac

      SHA512

      817c4f67bbbc621ee3a3b7686d2f7b3d64701cdfffe23b44cbd63131fa75e1b99bcd3cf8002a43e65ee1f963004c92de9942d507d7db9bc78f8648e12b14f5d6

      Download Submit

    • \??\c:\users\admin\appdata\local\temp\filedef2017f206\x64\BoothMalthus.cat
      Filesize

      9KB

      MD5

      42ed8315f9e8f83ffaf05eff07f2c8cb

      SHA1

      f64a686f070d4fa771390af0f9588074ad74f7fb

      SHA256

      fdcf322c6ad729782b4cd954990c502e4b703f24c19146cdd078c2c0d7af764f

      SHA512

      31c93ef2cd67299073e9478ece83663c1fd2d7b3ebcbff762770e83260ca8951c16872f5f7fedab345ac184bfa5cb50dfd4b2dd93f6bd71a9b55c640cc296a88

      Download Submit

    • memory/4584-43-0x0000000004090000-0x000000000415B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4584-30-0x00000000043E0000-0x0000000005245000-memory.dmp

      Filesize

      14.4MB

      Download

    • memory/4584-28-0x0000000003020000-0x000000000338C000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4584-18-0x00000000043E0000-0x0000000005245000-memory.dmp

      Filesize

      14.4MB

      Download

    • memory/4584-16-0x00000000043E0000-0x0000000005245000-memory.dmp

      Filesize

      14.4MB

      Download

    • memory/4584-65-0x0000000010000000-0x0000000010FA2000-memory.dmp

      Filesize

      15.6MB

      Download

    • memory/4584-6-0x0000000003020000-0x000000000338C000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4584-64-0x00000000040A0000-0x00000000040A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4584-58-0x0000000003F00000-0x0000000003F3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4584-47-0x0000000003F00000-0x0000000003F01000-memory.dmp

      Filesize

      4KB

      Download