Overview

overview

10

Static

static

10

cb2290bb41...33.exe

windows7-x64

5

cb2290bb41...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2023 23:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb2290bb41e2edabf9238983e703e448cfac9549db64aabbee732c6e72ca0733.exe

  • Size

    3.0MB

  • MD5

    c819195bc0cc7131549993c41538a730

  • SHA1

    4695f496ac10e5fa03e4a7e265bd6697c4493ff0

  • SHA256

    cb2290bb41e2edabf9238983e703e448cfac9549db64aabbee732c6e72ca0733

  • SHA512

    bc898f1715836d9195d5035552e91954f451a4a06513408dae85e6ff32166ba51c03f5b8706ae90874dcba187aa09d084d604349c06256e045ca902191fa7d84

  • SSDEEP

    49152:dl+sHIraGZJIDPOo+QSIuUV4DMn5UON1:ysorMWo+QS/eL5U61

Score
10/10
blackmoonbankertrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 4 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb2290bb41e2edabf9238983e703e448cfac9549db64aabbee732c6e72ca0733.exe
    "C:\Users\Admin\AppData\Local\Temp\cb2290bb41e2edabf9238983e703e448cfac9549db64aabbee732c6e72ca0733.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
          PID:3424
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1992
        2⤵
        • Program crash
        PID:3360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1976
        2⤵
        • Program crash
        PID:2572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4208 -ip 4208
      1⤵
        PID:3136
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4208 -ip 4208
        1⤵
          PID:4388

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\ExuiKrnln.dll
          Filesize

          328KB

          MD5

          6b0c10b774ee6dbcf0e4bd1557e7160b

          SHA1

          98e5502f0cb27e355062e8fa0b9aad80e5c0bbad

          SHA256

          335722b2684ffeac668ed8e9d7d582a395f9fc3d13f552f07c5d3ec7f025890f

          SHA512

          a44729fad75a090e4b3a0a4211ded10ef8ec499a7479efd2e3e6c448a3c625073b88e9e2c63c943f2fbcd9605aa9cc3cb1176a2ad61d91f22c4116948d66decf

          Download Submit

        • C:\Windows\SysWOW64\ExuiKrnln.dll
          Filesize

          328KB

          MD5

          6b0c10b774ee6dbcf0e4bd1557e7160b

          SHA1

          98e5502f0cb27e355062e8fa0b9aad80e5c0bbad

          SHA256

          335722b2684ffeac668ed8e9d7d582a395f9fc3d13f552f07c5d3ec7f025890f

          SHA512

          a44729fad75a090e4b3a0a4211ded10ef8ec499a7479efd2e3e6c448a3c625073b88e9e2c63c943f2fbcd9605aa9cc3cb1176a2ad61d91f22c4116948d66decf

          Download Submit

        • memory/4068-1-0x0000000000400000-0x0000000000756000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4068-2-0x0000000000400000-0x0000000000756000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4068-3-0x0000000000400000-0x0000000000756000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4068-4-0x0000000000400000-0x0000000000756000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4068-7-0x0000000000400000-0x0000000000756000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4068-10-0x0000000074E40000-0x0000000074F4B000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4068-11-0x0000000074E40000-0x0000000074F4B000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4068-14-0x0000000074E40000-0x0000000074F4B000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4068-24-0x0000000074E40000-0x0000000074F4B000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4068-25-0x0000000074E40000-0x0000000074F4B000-memory.dmp

          Filesize

          1.0MB

          Download