Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-03-2024 19:32

General

  • Target

    dc6f92f4fb7168a6df8aeef784e0ac7b.dll

  • Size

    367KB

  • MD5

    dc6f92f4fb7168a6df8aeef784e0ac7b

  • SHA1

    d9b6cd710a72fa7aa01c7738770013919cfb4b7b

  • SHA256

    65fb54bf9cbf4867dc060cfea4f5b7955ac5a8ee24f7a849a7b76b1661f62918

  • SHA512

    6d0f5641d4b7860406c6fc6b97838b98feb24aeba2a2c6e13523c1c29812d07ec741f4b4a2cbd750e46a611d32aaf86611b400e885a87daf38a604b189cfaa3c

  • SSDEEP

    6144:gL+2S+vQmN3BFaXi51rw4t2IDuahWM3Qi9Mjt0jYWNMoS:w+2S+vzRR2+uahZ59MWsWNMoS

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3496
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc6f92f4fb7168a6df8aeef784e0ac7b.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4940
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc6f92f4fb7168a6df8aeef784e0ac7b.dll,#1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4776
          • C:\Users\Admin\AppData\Local\Temp\safe\0031-Y.exe
            C:\Users\Admin\AppData\Local\Temp\safe\0031-Y.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4476
          • C:\Users\Admin\AppData\Local\Temp\safe\ad10549.exe
            C:\Users\Admin\AppData\Local\Temp\safe\ad10549.exe
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:2480
            • C:\Windows\SysWOW64\regsvr32.exe
              "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\PushWare\cpush.dll"
              5⤵
              • Loads dropped DLL
              • Installs/modifies Browser Helper Object
              • Modifies registry class
              PID:3732
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 748
            4⤵
            • Program crash
            PID:1104
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4776 -ip 4776
      1⤵
        PID:1420

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Common Files\PushWare\cpush.dll

    Filesize

    228KB

    MD5

    5b016a5c9b3c3fbc1ba1adb5cc108255

    SHA1

    ae65a866f2f117dbeea2ca7cb5e59c4198224744

    SHA256

    52a0c050154ef03b871e4227eef77ea6ad45829916154f4c410dc6c0aff4cca0

    SHA512

    473d99519c2b3bfc1d3da6da2120871fc3729debf183640565e624dad04b96928f9061ac724a81f4e3723e35d04a95a3d8b6ac6efbec082da763cc20efac5cca

  • C:\Users\Admin\AppData\Local\Temp\safe\0031-Y.exe

    Filesize

    149KB

    MD5

    de9cc8098b94bd145a15c5f82b71d0bc

    SHA1

    8f3040f0dade2af1a4ad5522a5f4a666b94e34b7

    SHA256

    15d959391d29169376ae7bc04c717545198f6ea72dd95e4c4c2050289a502cf9

    SHA512

    761829d9cc753d2888a2a15efe1844e93a4c55972956ccf8666cd161b948c0c6ba3ffa103bbf623d4a179046fd1ec98cfe0ff7708be3c1f63442ddef1251e6f2

  • C:\Users\Admin\AppData\Local\Temp\safe\ad10549.exe

    Filesize

    138KB

    MD5

    18bcc17362e3c0c971a6a3ca9a2602ff

    SHA1

    0b3ae00b4f2879085f037feccb91a5c6c63aba51

    SHA256

    3a474ff67f64afb6acf747b8b619396276fdd085d846b2f5d4d528f9c1c26a21

    SHA512

    8b57958d77a8a3f7a5c5f8c68f057c370c74d956fa3c67013207ecea5b0f84e7c1131275491e66c8cc10411f485e6ad6c5a70a5f1d0cdd269e468ecaf8934b0c

  • memory/4476-6-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/4476-11-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/4776-0-0x0000000010000000-0x00000000100B2000-memory.dmp

    Filesize

    712KB

  • memory/4776-17-0x0000000010000000-0x00000000100B2000-memory.dmp

    Filesize

    712KB