Analysis

  • max time kernel
    149s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 16:31 UTC

General

  • Target

    21186cdce283361548dd219c73d3d010_NeikiAnalytics.exe

  • Size

    440KB

  • MD5

    21186cdce283361548dd219c73d3d010

  • SHA1

    f20ac5c333d7fb215780a733a285ce9c149a992b

  • SHA256

    496c2d0e3f938f6e8f02faa263b56fb1e7a6e487eaa33d1b7bbf8f34d3884817

  • SHA512

    8e7221732ad718909822bbe166136dc69188b241050f41dea980df29850dc1ab38512eec22f246b31732cda6c91d0cf7a73b24aac6e3f1383ab093e3ddf77953

  • SSDEEP

    6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaA6:xgXQKSLpOCtV0R8xMSaA6

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21186cdce283361548dd219c73d3d010_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\21186cdce283361548dd219c73d3d010_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\Syslemwrcto.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemwrcto.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3048

Network

  • DNS
    i2.tietuku.com
    21186cdce283361548dd219c73d3d010_NeikiAnalytics.exe
    Remote address:
    8.8.8.8:53
    Request
    i2.tietuku.com
    IN A
    Response
  • DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    88.221.83.179:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Fri, 10 May 2024 16:31:11 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.af53dd58.1715358671.25831769
  • DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    179.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    179.83.221.88.in-addr.arpa
    IN PTR
    Response
    179.83.221.88.in-addr.arpa
    IN PTR
    a88-221-83-179.deploy.static.akamaitechnologies.com
  • DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    31.121.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.121.18.2.in-addr.arpa
    IN PTR
    Response
    31.121.18.2.in-addr.arpa
    IN PTR
    a2-18-121-31.deploy.static.akamaitechnologies.com
  • DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • 88.221.83.179:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.4kB
    6.3kB
    16
    11

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 8.8.8.8:53
    i2.tietuku.com
    dns
    21186cdce283361548dd219c73d3d010_NeikiAnalytics.exe
    60 B
    132 B
    1
    1

    DNS Request

    i2.tietuku.com

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    4.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    4.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    179.83.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    179.83.221.88.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    31.121.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    31.121.18.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemwrcto.exe

    Filesize

    440KB

    MD5

    aa1ab4e80a5fd0df3c4b6a993c880c47

    SHA1

    ffdcfc1e540fed37b4f09346f02702665ba1f5e6

    SHA256

    a286bae502bbadb561ff546f7d3c6485e8d21ff1508e41835ecd39eb69a41d48

    SHA512

    63229dd09e816bfbe5cec3560650800f2f468296a491573a85e9c56b08c8a710069027b496c660c50aa824a011ae1d61680581d928097beb057d1a9f8a0e10e4

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    85B

    MD5

    aeca29d1a347f175059286e80a23bbf3

    SHA1

    79345493221db4c2d2f0a4cfd7fd28beb85fd721

    SHA256

    225b9a8b48211eeb29b82c28a1fc19e79e3b7f2a9b1d372911c8ac0a3ceb300e

    SHA512

    8a694d8276fedea4d97c9bb34acd7f7a9f142ac3cce6b52579889c62d88342c72a3b40d2fa80593474a1131dc6b91521005f8d96c3d83a35ed00c87ef12ca2f6
