Analysis

  • max time kernel
    139s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/12/2023, 05:28

General

  • Target

    f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe

  • Size

    11.5MB

  • MD5

    e0ac8681c53c9caf51042246b15d122d

  • SHA1

    90cf66858157540e6c39fb2c4b2d4562c16f935c

  • SHA256

    f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973

  • SHA512

    f970b3c3acc9aa1a026f9d3f4133e76e04fca86ea2e56db56b1de60dc15123f17caef8ff24a5b7eda8029026c73b2364695e9eebf2bad503c405f26dba98ce7c

  • SSDEEP

    196608:HPCUhW2aj2/yZL8W/q2F54b85va9QX+9bueDD0z3au7fuCalZozAR8E:KEWD2/yKWqIuF9bnDD0jaouCzs

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • VMProtect packed file 8 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe
    "C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\Patch.exe
      C:\Users\Admin\AppData\Local\Temp\\Patch.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Users\Admin\AppData\Local\Temp\fog.exe
        C:\Users\Admin\AppData\Local\Temp\fog.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2716

Network

MITRE ATT&CK Matrix

Downloads

        • C:\Users\Admin\AppData\Local\Temp\ESPI11.dll

          Filesize

          120KB

          MD5

          c3adbb35a05b44bc877a895d273aa270

          SHA1

          8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

          SHA256

          b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

          SHA512

          614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

        • C:\Users\Admin\AppData\Local\Temp\Patch.exe

          Filesize

          6.1MB

          MD5

          757d9e9d11e35d3763c07743fcc6e7ed

          SHA1

          2037c66cac11ab802065c4dcac9866d74bab41c5

          SHA256

          0ec52b0bd46c831fbc7dc9dd2164f9821c16009dafd6c4191053420838f18637

          SHA512

          1f7029fdea1a135a3f2944a6f25c50897f494ebf437fadb4600c05c83c2bb75dad36b00a77ff5d231cbe6e3ffb8f2c02c8eb4b496f56719736f9ebd7482fbeb1

        • C:\Users\Admin\AppData\Local\Temp\fog.exe

          Filesize

          785KB

          MD5

          1dbc14b104a35c2a82f6a63429b59739

          SHA1

          a4ebec8b4a52d5449f96fed0fdcf15aea6efde7e

          SHA256

          3f529ba8703596a82c7873a9c47559d3a778a0b2fa5d5857e34f756571407743

          SHA512

          d2bdd77696ca143c994db32b75d636f72e8d045a63e6e80e1ea3b65d1bb80d96d324ecf399b9769f186e70c4dd54d01a7a03c4b123c5a3a71e69ff36ac9f932c

        • \Users\Admin\AppData\Local\Temp\ESPI11.dll

          Filesize

          120KB

          MD5

          c3adbb35a05b44bc877a895d273aa270

          SHA1

          8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

          SHA256

          b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

          SHA512

          614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

        • \Users\Admin\AppData\Local\Temp\Patch.exe

          Filesize

          6.1MB

          MD5

          757d9e9d11e35d3763c07743fcc6e7ed

          SHA1

          2037c66cac11ab802065c4dcac9866d74bab41c5

          SHA256

          0ec52b0bd46c831fbc7dc9dd2164f9821c16009dafd6c4191053420838f18637

          SHA512

          1f7029fdea1a135a3f2944a6f25c50897f494ebf437fadb4600c05c83c2bb75dad36b00a77ff5d231cbe6e3ffb8f2c02c8eb4b496f56719736f9ebd7482fbeb1

        • \Users\Admin\AppData\Local\Temp\fog.exe

          Filesize

          785KB

          MD5

          1dbc14b104a35c2a82f6a63429b59739

          SHA1

          a4ebec8b4a52d5449f96fed0fdcf15aea6efde7e

          SHA256

          3f529ba8703596a82c7873a9c47559d3a778a0b2fa5d5857e34f756571407743

          SHA512

          d2bdd77696ca143c994db32b75d636f72e8d045a63e6e80e1ea3b65d1bb80d96d324ecf399b9769f186e70c4dd54d01a7a03c4b123c5a3a71e69ff36ac9f932c

        • \Windows\SysWOW64\ESPI11.dll

          Filesize

          120KB

          MD5

          c3adbb35a05b44bc877a895d273aa270

          SHA1

          8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

          SHA256

          b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

          SHA512

          614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

        • memory/2116-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

          Filesize

          4KB

        • memory/2116-81-0x0000000000400000-0x0000000001939000-memory.dmp

          Filesize

          21.2MB

        • memory/2116-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

          Filesize

          4KB

        • memory/2116-4-0x0000000000400000-0x0000000001939000-memory.dmp

          Filesize

          21.2MB

        • memory/2116-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

          Filesize

          4KB

        • memory/2204-29-0x0000000000400000-0x0000000000EF0000-memory.dmp

          Filesize

          10.9MB

        • memory/2204-50-0x00000000002A0000-0x00000000002A1000-memory.dmp

          Filesize

          4KB

        • memory/2204-53-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

        • memory/2204-55-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

        • memory/2204-58-0x00000000002C0000-0x00000000002C1000-memory.dmp

          Filesize

          4KB

        • memory/2204-60-0x00000000002C0000-0x00000000002C1000-memory.dmp

          Filesize

          4KB

        • memory/2204-48-0x00000000002A0000-0x00000000002A1000-memory.dmp

          Filesize

          4KB

        • memory/2204-45-0x0000000000290000-0x0000000000291000-memory.dmp

          Filesize

          4KB

        • memory/2204-43-0x0000000000290000-0x0000000000291000-memory.dmp

          Filesize

          4KB

        • memory/2204-40-0x0000000000280000-0x0000000000281000-memory.dmp

          Filesize

          4KB

        • memory/2204-38-0x0000000000280000-0x0000000000281000-memory.dmp

          Filesize

          4KB

        • memory/2204-36-0x0000000000280000-0x0000000000281000-memory.dmp

          Filesize

          4KB

        • memory/2204-35-0x0000000000270000-0x0000000000271000-memory.dmp

          Filesize

          4KB

        • memory/2204-33-0x0000000000270000-0x0000000000271000-memory.dmp

          Filesize

          4KB

        • memory/2204-31-0x0000000000270000-0x0000000000271000-memory.dmp

          Filesize

          4KB

        • memory/2204-30-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

        • memory/2204-27-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

        • memory/2204-82-0x0000000000400000-0x0000000000EF0000-memory.dmp

          Filesize

          10.9MB