Analysis

  • max time kernel
    148s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/05/2024, 01:36

General

  • Target

    a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe

  • Size

    436KB

  • MD5

    be39ea6aa5c3e1cb82262cc29207bec0

  • SHA1

    ec1e745bf0e8f1fc8fda84590070bf535336be94

  • SHA256

    a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6

  • SHA512

    86df5546c71e0ba5bb2ff67b5e22ea426fb880bf6821608203a95805551c24e66a116bb92ffee9590fa25179247b42ed0cdd3229bbbc7cf9ff93850e89d9f5d2

  • SSDEEP

    3072:q0mx45LFnq9qDAuSbAXVkQUQ9oPfz0c0uxNUIqTkHoYCDfxj4/0/yjUuMx8kQ:q0m2FqgDAuSbAXKfz0c0sUIJHk40/yWM

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe
    "C:\Users\Admin\AppData\Local\Temp\a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Local\Temp\Syslemyzmki.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemyzmki.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2676

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\lpath.ini

          Filesize

          102B

          MD5

          006bf0320e353a01bfe26f4c485efc10

          SHA1

          450d23111c59bae7d462e6b6ad9594fe2be532f3

          SHA256

          37b04c5798505268aac74ae4ed31bde8fba5c9bd2c7e64c5f5717c07bac7a038

          SHA512

          692e9911379b993c1d14f1ba6a81d3c97052ac8969ac942af1b4064030d1eb28482f0ec88d0008968852ed686bf49c18960771ea2421dc8135977ca874ef55d6

        • \Users\Admin\AppData\Local\Temp\Syslemyzmki.exe

          Filesize

          436KB

          MD5

          8a01a9b4f6c118ff7fb6dad6b52a5449

          SHA1

          265014515a667487085a29aea8f44808f8510c63

          SHA256

          3cc7fd9fc46d28d6e81e901400c3f4ca0be70b06b2331fc5c54173797988bfb8

          SHA512

          54b0165c81730e9f26b10eac40b8ad6ae5ca97969e7bb9c743fe51c6f54af785cba67ad09ef30c291f7c5c7af96f09d30db0d7fc090c5ad36ab8d66bf9bedfe4