Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/05/2024, 19:26

General

  • Target

    1c3014837078c7a8a806efb1144f2c90_NeikiAnalytics.exe

  • Size

    88KB

  • MD5

    1c3014837078c7a8a806efb1144f2c90

  • SHA1

    209aa4ac443acc3d289964c9c2bf94f5fe7e9330

  • SHA256

    678c9aeeecb6c2ceaae3295ec1041c24bea801345ed5836d2dc88646f04bb7ac

  • SHA512

    302c23d6754f191886b811a780e6a901ae51152bc6f9171e72a1f86a83927c3f25e92f161e0d738d62f5a3016086e47e31d788b0df9932763819893b20e3d7dd

  • SSDEEP

    1536:EF7p8VeHwYaBlAvXhRDtxY11686va0QgE9gHgMVnvLiDXs+u:K98VNTAP3BW1k81cLAUvLiDXsl

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c3014837078c7a8a806efb1144f2c90_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1c3014837078c7a8a806efb1144f2c90_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Users\Admin\AppData\Local\Temp\Syslemreigj.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemreigj.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3608

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemreigj.exe

    Filesize

    88KB

    MD5

    2b1c2f08d9476fd6cd7bdf1bad5bdec2

    SHA1

    e905494600b733efcbd3fee183aa2d51e280ebc6

    SHA256

    1c215acfaab5ed269b93cb168556c1d348371cdecc0183f63bfc4f441bbd91fd

    SHA512

    6fd3039de61c369ce02785118c861635925256941b8df0def3c2c9a17f5d4019c2b425087c2bc4f1784e4b18921cf7835ea8c6c3db5cd433a844ac0bf03c53c9

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    85B

    MD5

    e53ef5f419599d8772c9b4e8c4c6b2d4

    SHA1

    5bb5081462c2b67cd101ce614a507a01a4f48d65

    SHA256

    427934a58da35f5a686592756f33979dfc3e87bdc219a4ef9ba3586f7650afbe

    SHA512

    1903af19fdeb042c6bbd7d051e9899002074ef93c430b5e7f1db28ed22d97eeaaaa30bd93e0b6b529660bed66717d948562aae6f520f5b3b6e6cba499478f8e9

  • memory/452-0-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/452-15-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/3608-14-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/3608-17-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB