Analysis

  • max time kernel
    149s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-05-2024 03:38

General

  • Target

    bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84.exe

  • Size

    87KB

  • MD5

    63173cc80d964d6d908e0899bf489086

  • SHA1

    5a8b7d20531ed7925177604720ffd190b61edd98

  • SHA256

    bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84

  • SHA512

    3e9f60e85d9f68389225c21b5e70260c6b123f05c35fc7a8500e52634b3d9535bcb71a996e0f59ac09b360e24bb01bf9a538242cb53c21a436be603c64dfb42c

  • SSDEEP

    1536:Lxos1lS77S/87BJM2pThWf9DcqZmR8/bMxnONDjYseXPmo06/i/XdVw/iA:jjfbcRkbMVu7EqQ/j

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
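The "UPX packed file" and "UPX dump on OEP" signatures above rest on static traits of the PE section table: UPX names its sections UPX0/UPX1, leaves the first section empty on disk but large in memory (the decompression target), and stores the compressed image as a high-entropy blob. The following is an added example, not code from the sandbox, the report, or the analysed sample: a minimal section-table parser that applies those two heuristics. The toy PE builder and the section contents it is fed are constructed test data (an assumption, not the report's 87KB file), so the script runs offline.

```python
"""Static UPX-packing check mirroring the report's "UPX packed file" verdict.

Added example; not code from the sandbox or from the analysed sample.
Parses only the PE headers needed to read the section table, then applies
two heuristics: UPX0/UPX1 section names, and a first section that is empty
on disk but large in memory (the decompression target) next to a
high-entropy section holding the compressed image. The toy PE builder and
its section contents are constructed test data, not the report's file.
"""
from __future__ import annotations

import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, ~7.9 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):                 # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return sections


def upx_indicators(pe: bytes) -> dict:
    """Combine the heuristics into one verdict while keeping the evidence visible."""
    secs = parse_sections(pe)
    names = {s["name"] for s in secs}
    first_empty = bool(secs) and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0
    high = [s["name"].decode(errors="replace") for s in secs
            if s["rawsize"] >= 256 and s["entropy"] > 7.0]
    return {"upx_section_names": bool(names & UPX_SECTION_NAMES),
            "first_section_empty_on_disk": first_empty,
            "high_entropy_sections": high,
            "likely_upx": bool(names & UPX_SECTION_NAMES) or (first_empty and bool(high))}


def build_toy_pe(sections: list[tuple[bytes, bytes, int]]) -> bytes:
    """Constructed sample builder: (name, raw bytes, virtual size) -> minimal PE32.
    Not loadable; only the fields parse_sections() reads are filled in."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                 # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdr_end = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF                          # 512-byte file alignment
    table, blobs, vaddr = b"", b"", 0x1000
    for name, raw, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, len(raw),
                             raw_ptr if raw else 0, 0, 0, 0, 0, 0xE0000020)
        blobs += raw
        raw_ptr += len(raw)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    header = dos + b"PE\0\0" + coff + opt + table
    return header + b"\0" * (((hdr_end + 0x1FF) & ~0x1FF) - len(header)) + blobs


# Constructed samples: a UPX-style layout (empty UPX0, pseudo-random UPX1) and a plain one.
_PSEUDO_RANDOM = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
UPX_SAMPLE = build_toy_pe([(b"UPX0", b"", 0x60000), (b"UPX1", _PSEUDO_RANDOM, 0x10000),
                           (b".rsrc", b"\0" * 512, 0x1000)])
PLAIN_SAMPLE = build_toy_pe([(b".text", b"\x90" * 1024 + b"\xc3", 0x1000),
                             (b".data", b"\0" * 256, 0x100)])

if __name__ == "__main__":
    for label, blob in (("upx-style", UPX_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, upx_indicators(blob))
```

Section names are a weak signal on their own (a modified UPX build can rename them), which is why the verdict also accepts the structural pair of an empty first section plus a high-entropy payload section; a real triage pass would still confirm by unpacking and comparing the in-memory image size with the file on disk.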

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84.exe
    "C:\Users\Admin\AppData\Local\Temp\bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Users\Admin\AppData\Local\Temp\Systemmcoic.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemmcoic.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5116
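The process tree above is the evidence behind two behavioural signatures: the parent (PID 5080) writes Systemmcoic.exe to %TEMP% and then runs it (Executes dropped EXE), and the child (PID 5116) is credited with Deletes itself. The following is an added example, not the sandbox's own detection logic: a single-pass correlation over an ordered event stream that reproduces both verdicts. The event records are constructed to mirror the report's tree and loosely follow Sysmon's EventID 1 (ProcessCreate), 11 (FileCreate) and 23 (FileDelete); the field names, the parent PID 4000 and the inclusion of path.ini as a never-executed drop are assumptions. Because the report attaches Deletes itself to the child, the check treats deletion of the process's own image or of any recorded ancestor's image as a match, which is an assumption about the sandbox's definition.

```python
"""Correlate file and process events into "Executes dropped EXE" and "Deletes itself".

Added example, not code from the sandbox. EVENTS is constructed telemetry
modelled on the report's process tree (5080 -> 5116); Sysmon-style IDs and
field names are an assumption, and this is not a parser for real Sysmon XML.
"""
from __future__ import annotations

import ntpath

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = ntpath.join(TEMP, "bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84.exe")
PAYLOAD = ntpath.join(TEMP, "Systemmcoic.exe")

# Constructed event stream (not real telemetry), in the order the tree implies.
# id 1 = ProcessCreate, 11 = FileCreate, 23 = FileDelete (Sysmon numbering, assumed).
EVENTS = [
    {"id": 1, "pid": 5080, "ppid": 4000, "image": DROPPER},
    {"id": 11, "pid": 5080, "target": ntpath.join(TEMP, "path.ini")},
    {"id": 11, "pid": 5080, "target": PAYLOAD},
    {"id": 1, "pid": 5116, "ppid": 5080, "image": PAYLOAD},
    {"id": 23, "pid": 5116, "target": DROPPER},
]


def norm(path: str) -> str:
    """Windows paths are case-insensitive; compare normalised forms only."""
    return ntpath.normcase(ntpath.normpath(path))


def correlate(events: list[dict]) -> list[dict]:
    """Single pass over an ordered event stream; returns a list of findings."""
    image_of: dict[int, str] = {}      # pid -> image path
    parent_of: dict[int, int] = {}     # pid -> ppid
    dropped: dict[str, int] = {}       # normalised path -> pid that wrote it
    findings: list[dict] = []

    def lineage(pid: int) -> set[str]:
        """Normalised images of pid and every recorded ancestor."""
        seen = set()
        while pid in image_of:
            seen.add(norm(image_of[pid]))
            pid = parent_of.get(pid, -1)
        return seen

    for ev in events:
        if ev["id"] == 11:                      # FileCreate: remember who wrote what
            dropped[norm(ev["target"])] = ev["pid"]
        elif ev["id"] == 1:                     # ProcessCreate: was the image dropped earlier?
            image_of[ev["pid"]] = ev["image"]
            parent_of[ev["pid"]] = ev["ppid"]
            key = norm(ev["image"])
            if key in dropped:
                findings.append({"sig": "Executes dropped EXE", "pid": ev["pid"],
                                 "image": ev["image"], "dropped_by": dropped[key]})
        elif ev["id"] == 23:                    # FileDelete: own image or an ancestor's?
            if norm(ev["target"]) in lineage(ev["pid"]):
                findings.append({"sig": "Deletes itself", "pid": ev["pid"],
                                 "target": ev["target"]})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

The drop-then-execute match is keyed on the normalised path rather than the PID, so it still fires when a sibling or a later stage launches the file; the lineage walk for the delete check stops at the first PID with no ProcessCreate on record, which is why the constructed stream starts with the dropper's own creation event.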

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Systemmcoic.exe

    Filesize

    87KB

    MD5

    12b9e1bd6f538594bef78c33c8d5a6c6

    SHA1

    d7bfaa7fb29cdbc798eac75295e8f3e1b936a707

    SHA256

    84f4669b63b9bdee3ad133a5532b576a083510fdd7b9d8916671c18d6b460172

    SHA512

    c1abb4a32b6288eec346d34e093332a2a48c595b4185f26efe30219b3f61c16792164e7498ba0b3fcc768094918d9c8c18e5c57b44fe7a11b7c1af43bc3c064d

  • C:\Users\Admin\AppData\Local\Temp\path.ini

    Filesize

    102B

    MD5

    d574e68bb731e343e68ddf05598d9e44

    SHA1

    33e898fc366b554bee461f683fc242f77bd78742

    SHA256

    f643b9be83543526b2bb390330fd84b70ee8e100a4be868c5508ee17385bf622

    SHA512

    14fff900f54f3d2ce419979e7d9a048f53bba9e9a83279c71398cb35f366c08e3a059aa87a7f4a3cef76fa5753728e6c5a8aaee23be6b85c2e7b84e32b29931b

  • memory/5080-0-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/5080-14-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/5116-16-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB