Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2024, 01:36

General

  • Target

    a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe

  • Size

    436KB

  • MD5

    be39ea6aa5c3e1cb82262cc29207bec0

  • SHA1

    ec1e745bf0e8f1fc8fda84590070bf535336be94

  • SHA256

    a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6

  • SHA512

    86df5546c71e0ba5bb2ff67b5e22ea426fb880bf6821608203a95805551c24e66a116bb92ffee9590fa25179247b42ed0cdd3229bbbc7cf9ff93850e89d9f5d2

  • SSDEEP

    3072:q0mx45LFnq9qDAuSbAXVkQUQ9oPfz0c0uxNUIqTkHoYCDfxj4/0/yjUuMx8kQ:q0m2FqgDAuSbAXKfz0c0sUIJHk40/yWM

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe
    "C:\Users\Admin\AppData\Local\Temp\a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Users\Admin\AppData\Local\Temp\Syslemzquhv.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemzquhv.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4948

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Syslemzquhv.exe

          Filesize

          436KB

          MD5

          e57839c2086a13706def624da824cfb5

          SHA1

          e54cd9b80c2129ac33a8a40fbb2caa9cab5d92f3

          SHA256

          d8595c70f76cc286e6713b0f635ebd276026bc082788c302f18de72f3b5e5540

          SHA512

          437111b2bd27eefff6313775da2fe8fcb0db1753dad0f96e74cbb7338469d6ba4be166fec421af09402213a7b27493c7f79a0b6f3f144ce4eedc25f969230e93

        • C:\Users\Admin\AppData\Local\Temp\lpath.ini

          Filesize

          102B

          MD5

          006bf0320e353a01bfe26f4c485efc10

          SHA1

          450d23111c59bae7d462e6b6ad9594fe2be532f3

          SHA256

          37b04c5798505268aac74ae4ed31bde8fba5c9bd2c7e64c5f5717c07bac7a038

          SHA512

          692e9911379b993c1d14f1ba6a81d3c97052ac8969ac942af1b4064030d1eb28482f0ec88d0008968852ed686bf49c18960771ea2421dc8135977ca874ef55d6