Analysis

  • max time kernel
    153s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-03-2024 19:32

General

  • Target

    dc6f92f4fb7168a6df8aeef784e0ac7b.dll

  • Size

    367KB

  • MD5

    dc6f92f4fb7168a6df8aeef784e0ac7b

  • SHA1

    d9b6cd710a72fa7aa01c7738770013919cfb4b7b

  • SHA256

    65fb54bf9cbf4867dc060cfea4f5b7955ac5a8ee24f7a849a7b76b1661f62918

  • SHA512

    6d0f5641d4b7860406c6fc6b97838b98feb24aeba2a2c6e13523c1c29812d07ec741f4b4a2cbd750e46a611d32aaf86611b400e885a87daf38a604b189cfaa3c

  • SSDEEP

    6144:gL+2S+vQmN3BFaXi51rw4t2IDuahWM3Qi9Mjt0jYWNMoS:w+2S+vzRR2+uahZ59MWsWNMoS

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1412
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc6f92f4fb7168a6df8aeef784e0ac7b.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc6f92f4fb7168a6df8aeef784e0ac7b.dll,#1
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Users\Admin\AppData\Local\Temp\safe\0031-Y.exe
            C:\Users\Admin\AppData\Local\Temp\safe\0031-Y.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2124
          • C:\Users\Admin\AppData\Local\Temp\safe\ad10549.exe
            C:\Users\Admin\AppData\Local\Temp\safe\ad10549.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:2252
            • C:\Windows\SysWOW64\regsvr32.exe
              "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\PushWare\cpush.dll"
              5⤵
              • Loads dropped DLL
              • Installs/modifies Browser Helper Object
              • Modifies registry class
              PID:2636
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 284
            4⤵
            • Program crash
            PID:2148

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Common Files\PushWare\cpush.dll

      Filesize

      228KB

      MD5

      5b016a5c9b3c3fbc1ba1adb5cc108255

      SHA1

      ae65a866f2f117dbeea2ca7cb5e59c4198224744

      SHA256

      52a0c050154ef03b871e4227eef77ea6ad45829916154f4c410dc6c0aff4cca0

      SHA512

      473d99519c2b3bfc1d3da6da2120871fc3729debf183640565e624dad04b96928f9061ac724a81f4e3723e35d04a95a3d8b6ac6efbec082da763cc20efac5cca

    • C:\Users\Admin\AppData\Local\Temp\safe\0031-Y.exe

      Filesize

      149KB

      MD5

      de9cc8098b94bd145a15c5f82b71d0bc

      SHA1

      8f3040f0dade2af1a4ad5522a5f4a666b94e34b7

      SHA256

      15d959391d29169376ae7bc04c717545198f6ea72dd95e4c4c2050289a502cf9

      SHA512

      761829d9cc753d2888a2a15efe1844e93a4c55972956ccf8666cd161b948c0c6ba3ffa103bbf623d4a179046fd1ec98cfe0ff7708be3c1f63442ddef1251e6f2

    • \Users\Admin\AppData\Local\Temp\safe\ad10549.exe

      Filesize

      138KB

      MD5

      18bcc17362e3c0c971a6a3ca9a2602ff

      SHA1

      0b3ae00b4f2879085f037feccb91a5c6c63aba51

      SHA256

      3a474ff67f64afb6acf747b8b619396276fdd085d846b2f5d4d528f9c1c26a21

      SHA512

      8b57958d77a8a3f7a5c5f8c68f057c370c74d956fa3c67013207ecea5b0f84e7c1131275491e66c8cc10411f485e6ad6c5a70a5f1d0cdd269e468ecaf8934b0c

    • memory/1412-20-0x0000000002560000-0x00000000025A8000-memory.dmp

      Filesize

      288KB

    • memory/1412-22-0x0000000001C60000-0x0000000001C61000-memory.dmp

      Filesize

      4KB

    • memory/1724-0-0x0000000010000000-0x00000000100B2000-memory.dmp

      Filesize

      712KB

    • memory/1724-1-0x0000000010000000-0x00000000100B2000-memory.dmp

      Filesize

      712KB

    • memory/1724-19-0x0000000010000000-0x00000000100B2000-memory.dmp

      Filesize

      712KB

    • memory/1724-21-0x0000000000510000-0x00000000005D2000-memory.dmp

      Filesize

      776KB

    • memory/2124-26-0x0000000000400000-0x00000000004C2000-memory.dmp

      Filesize

      776KB