Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-12-2023 12:52

General

  • Target

    904e45514b79e3c4857730d2a346b0ec.exe

  • Size

    426KB

  • MD5

    904e45514b79e3c4857730d2a346b0ec

  • SHA1

    719ed039c2aa312ae6bace4ff858201faeff0a12

  • SHA256

    f5069e7dd6ca814dd6f31c17a50611ec8629ec5f70b000def405d3e497c1a178

  • SHA512

    7c3626b5151803a8c4fcc09f60fa85e5593ea679f05fc12b589f4bc005c1adc33e60543ef5b70f19140190f8c20b88dbd82a93e7b3e90f25286220e3aec757fe

  • SSDEEP

    6144:kvk3Q5ibjnNuuXckaL7pbRBkce97awj7L7orT/b:kvMQ5ibjnwka3pbRC19Gwj7orT/b

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\904e45514b79e3c4857730d2a346b0ec.exe
    "C:\Users\Admin\AppData\Local\Temp\904e45514b79e3c4857730d2a346b0ec.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\Systemvoacy.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemvoacy.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Systemvoacy.exe

    Filesize

    426KB

    MD5

    757b7d9ed0dfd747a7b8406bd96084b8

    SHA1

    dfac266608dda4c88dc4cbd2348992ecce1d8e71

    SHA256

    a195ed88df99bc6c782d8c8ac26ec1ffa3779cb0d9a2368afa8fd8149944010a

    SHA512

    aded98d91139bcf007b9687680c56ac713ce192a71ae910d47c40b333fa84a42a5a13b6026ff84105c4b7ec567ea7f22b082682fc918f6832a0e66e196a8bb2b

  • C:\Users\Admin\AppData\Local\Temp\fpath.ini

    Filesize

    70B

    MD5

    4315730a2b380d1f163f86f455af61c4

    SHA1

    88ce32a6bada9fdcffb9b91ff307c9b351555c74

    SHA256

    17fde2662b38ca5f002de108e83829499c9398979be34a9dce5bbf9faa3232a4

    SHA512

    fc697e3a247d6af663f6554875adeb410ad069d591d04372daf9dea9e38b1c77fce439b7ffe144eaa27d19c2675126c02cdf85d884a2c656c6ae0be402752f5b

  • memory/2924-0-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/2924-13-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/4648-15-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/4648-17-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB