Overview

overview

10

Static

static

10

d8d447ad44...23.exe

windows7-x64

10

d8d447ad44...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2024, 20:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8d447ad44f1544f279f7732275d3310e84720a3540dd515d46f8b3b7460ce23.exe

  • Size

    437KB

  • MD5

    cc8f938541333e0fed0acd7fe6483d1a

  • SHA1

    5881c25d8a9985d206d39272502e332201f39e38

  • SHA256

    d8d447ad44f1544f279f7732275d3310e84720a3540dd515d46f8b3b7460ce23

  • SHA512

    53f4d19f58481accb71dc34d97eab9335205346f8b04c49ae366fcbeec79faa4ffbe4ccdebe889c562d7ad63632815197bf189eaae001a79ef52fc3412f226aa

  • SSDEEP

    6144:5fweR7gpANB0sv2YYuwfDoOPV1x0GwYpk09RhyQ3ZmC:J1R7gpAwsuvDNP/xyqk09TyCcC

Score
10/10
blackmoonbankertrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8d447ad44f1544f279f7732275d3310e84720a3540dd515d46f8b3b7460ce23.exe
    "C:\Users\Admin\AppData\Local\Temp\d8d447ad44f1544f279f7732275d3310e84720a3540dd515d46f8b3b7460ce23.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\Syslemjlija.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemjlija.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemjlija.exe
    Filesize

    437KB

    MD5

    927beed875cc476db084f162cab24acf

    SHA1

    bc01cf2acfc2ca204b8c214da2264584bec38d22

    SHA256

    f1ee8abc1b96f3682f737d4ea0ac498cf9551672a5eba5bc282901243cede289

    SHA512

    982cf25a10303b2e4df0c6ff926e43a9aa6fc7f8633b12b0a4d24d76e857ee38fac2c97fcceb068c6bc946f609971eef9fbbafae6f3e6e49be8c007380791aba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    4f5aa2ade9eacb08f365b9c02972130d

    SHA1

    d6b783dc9fccf33f22fd327e146ae873d2bd3d63

    SHA256

    74507b013ce0aa379833cd719feec769fac1ba5589e1570a84f972cf7ad98d27

    SHA512

    3ac0e7344eab13405ce8e7d5d618bcc034a26a4a099dcc025a4a6862f07f74eb6c7edc4c9b03f7a4a4717195499b71c7800a072227d692d2c7b82e84c94fd84a

    Download Submit

  • memory/1556-0-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1556-14-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/3468-16-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download