Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22-05-2024 03:13
General
-
Target
152ce54299cea73d2dad55769b74a770_NeikiAnalytics.exe
-
Size
169KB
-
MD5
152ce54299cea73d2dad55769b74a770
-
SHA1
d1c60b3fea941a80511458832b2aad5e5411f49b
-
SHA256
4f63a80b019bab3517d8412ecfdf7a1c8489589459726c46de10309b57eeef89
-
SHA512
4f1b5237e86fde7897be60c80b68b3c673668297e55eb57e91f7b0bebdc3e2413dc636b3fb3b56169b53eadd14c8591a7793a49321592ee7baa8fa0bf299d072
-
SSDEEP
1536:HvQBeOGtrYS3srx93UBWfwC6Ggnouy8CUYj7FK4O8A1o4XEc3YtxD8/Ai2T:HhOmTsF93UYfwC6GIoutX8Ki3c3YT8Vk
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 39 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\152ce54299cea73d2dad55769b74a770_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\152ce54299cea73d2dad55769b74a770_NeikiAnalytics.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\152ce54299cea73d2dad55769b74a770_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\152ce54299cea73d2dad55769b74a770_NeikiAnalytics.exe"3⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\64002.exec:\64002.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08666.exec:\08666.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhtnn.exec:\tnhtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\648422.exec:\648422.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfxlll.exec:\rxfxlll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1lllffr.exec:\1lllffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2266824.exec:\2266824.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddj.exec:\vpddj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrlffl.exec:\xrrlffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdj.exec:\dvjdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42408.exec:\42408.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6082440.exec:\6082440.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppd.exec:\vjppd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpvv.exec:\vjpvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g6408.exec:\g6408.exe18⤵
- Executes dropped EXE
-
\??\c:\dvjpj.exec:\dvjpj.exe19⤵
- Executes dropped EXE
-
\??\c:\ppdvd.exec:\ppdvd.exe20⤵
- Executes dropped EXE
-
\??\c:\028048.exec:\028048.exe21⤵
- Executes dropped EXE
-
\??\c:\lxlflll.exec:\lxlflll.exe22⤵
- Executes dropped EXE
-
\??\c:\xrlrxrr.exec:\xrlrxrr.exe23⤵
- Executes dropped EXE
-
\??\c:\4240006.exec:\4240006.exe24⤵
- Executes dropped EXE
-
\??\c:\w80028.exec:\w80028.exe25⤵
- Executes dropped EXE
-
\??\c:\xlxxflr.exec:\xlxxflr.exe26⤵
- Executes dropped EXE
-
\??\c:\o468440.exec:\o468440.exe27⤵
- Executes dropped EXE
-
\??\c:\lflxxfl.exec:\lflxxfl.exe28⤵
- Executes dropped EXE
-
\??\c:\xrfrxfl.exec:\xrfrxfl.exe29⤵
- Executes dropped EXE
-
\??\c:\48046.exec:\48046.exe30⤵
- Executes dropped EXE
-
\??\c:\fxrlrrx.exec:\fxrlrrx.exe31⤵
- Executes dropped EXE
-
\??\c:\20624.exec:\20624.exe32⤵
- Executes dropped EXE
-
\??\c:\s2622.exec:\s2622.exe33⤵
- Executes dropped EXE
-
\??\c:\thbnht.exec:\thbnht.exe34⤵
- Executes dropped EXE
-
\??\c:\684082.exec:\684082.exe35⤵
- Executes dropped EXE
-
\??\c:\646688.exec:\646688.exe36⤵
- Executes dropped EXE
-
\??\c:\80268.exec:\80268.exe37⤵
- Executes dropped EXE
-
\??\c:\08046.exec:\08046.exe38⤵
- Executes dropped EXE
-
\??\c:\flxxrff.exec:\flxxrff.exe39⤵
- Executes dropped EXE
-
\??\c:\jvddp.exec:\jvddp.exe40⤵
- Executes dropped EXE
-
\??\c:\tnbbtb.exec:\tnbbtb.exe41⤵
- Executes dropped EXE
-
\??\c:\xlxxlrr.exec:\xlxxlrr.exe42⤵
- Executes dropped EXE
-
\??\c:\e24204.exec:\e24204.exe43⤵
- Executes dropped EXE
-
\??\c:\c824228.exec:\c824228.exe44⤵
- Executes dropped EXE
-
\??\c:\4628066.exec:\4628066.exe45⤵
- Executes dropped EXE
-
\??\c:\3flrrrx.exec:\3flrrrx.exe46⤵
- Executes dropped EXE
-
\??\c:\hbtbnn.exec:\hbtbnn.exe47⤵
- Executes dropped EXE
-
\??\c:\44880.exec:\44880.exe48⤵
- Executes dropped EXE
-
\??\c:\dpdjv.exec:\dpdjv.exe49⤵
- Executes dropped EXE
-
\??\c:\268800.exec:\268800.exe50⤵
- Executes dropped EXE
-
\??\c:\5pppd.exec:\5pppd.exe51⤵
- Executes dropped EXE
-
\??\c:\6426228.exec:\6426228.exe52⤵
- Executes dropped EXE
-
\??\c:\8684628.exec:\8684628.exe53⤵
- Executes dropped EXE
-
\??\c:\86802.exec:\86802.exe54⤵
- Executes dropped EXE
-
\??\c:\lfxfrlx.exec:\lfxfrlx.exe55⤵
- Executes dropped EXE
-
\??\c:\60224.exec:\60224.exe56⤵
- Executes dropped EXE
-
\??\c:\bnhbhb.exec:\bnhbhb.exe57⤵
- Executes dropped EXE
-
\??\c:\268466.exec:\268466.exe58⤵
- Executes dropped EXE
-
\??\c:\660022.exec:\660022.exe59⤵
- Executes dropped EXE
-
\??\c:\9pdjj.exec:\9pdjj.exe60⤵
- Executes dropped EXE
-
\??\c:\pvjjv.exec:\pvjjv.exe61⤵
- Executes dropped EXE
-
\??\c:\48446.exec:\48446.exe62⤵
- Executes dropped EXE
-
\??\c:\4240228.exec:\4240228.exe63⤵
- Executes dropped EXE
-
\??\c:\3flrxff.exec:\3flrxff.exe64⤵
- Executes dropped EXE
-
\??\c:\thhhtn.exec:\thhhtn.exe65⤵
- Executes dropped EXE
-
\??\c:\nhtntn.exec:\nhtntn.exe66⤵
- Executes dropped EXE
-
\??\c:\202804.exec:\202804.exe67⤵
- Executes dropped EXE
-
\??\c:\vpvjv.exec:\vpvjv.exe68⤵
-
\??\c:\9dpdj.exec:\9dpdj.exe69⤵
-
\??\c:\9frxffr.exec:\9frxffr.exe70⤵
-
\??\c:\0084064.exec:\0084064.exe71⤵
-
\??\c:\nnhhhh.exec:\nnhhhh.exe72⤵
-
\??\c:\1vppv.exec:\1vppv.exe73⤵
-
\??\c:\5nttnn.exec:\5nttnn.exe74⤵
-
\??\c:\a4624.exec:\a4624.exe75⤵
-
\??\c:\264860.exec:\264860.exe76⤵
-
\??\c:\ffxflrl.exec:\ffxflrl.exe77⤵
-
\??\c:\8848062.exec:\8848062.exe78⤵
-
\??\c:\i468484.exec:\i468484.exe79⤵
-
\??\c:\rfffxxx.exec:\rfffxxx.exe80⤵
-
\??\c:\86846.exec:\86846.exe81⤵
-
\??\c:\8828828.exec:\8828828.exe82⤵
-
\??\c:\7hhbhh.exec:\7hhbhh.exe83⤵
-
\??\c:\vpvdv.exec:\vpvdv.exe84⤵
-
\??\c:\42640.exec:\42640.exe85⤵
-
\??\c:\08280.exec:\08280.exe86⤵
-
\??\c:\7pvdj.exec:\7pvdj.exe87⤵
-
\??\c:\686826.exec:\686826.exe88⤵
-
\??\c:\xrrlllx.exec:\xrrlllx.exe89⤵
-
\??\c:\xrxxfff.exec:\xrxxfff.exe90⤵
-
\??\c:\20622.exec:\20622.exe91⤵
-
\??\c:\68440.exec:\68440.exe92⤵
-
\??\c:\hbttnh.exec:\hbttnh.exe93⤵
-
\??\c:\tnttht.exec:\tnttht.exe94⤵
-
\??\c:\5xlfllr.exec:\5xlfllr.exe95⤵
-
\??\c:\c606062.exec:\c606062.exe96⤵
-
\??\c:\nbhhtb.exec:\nbhhtb.exe97⤵
-
\??\c:\nhtbhn.exec:\nhtbhn.exe98⤵
-
\??\c:\rlrllrf.exec:\rlrllrf.exe99⤵
-
\??\c:\8688028.exec:\8688028.exe100⤵
-
\??\c:\thtntt.exec:\thtntt.exe101⤵
-
\??\c:\6028646.exec:\6028646.exe102⤵
-
\??\c:\2680228.exec:\2680228.exe103⤵
-
\??\c:\2024868.exec:\2024868.exe104⤵
-
\??\c:\424000.exec:\424000.exe105⤵
-
\??\c:\264028.exec:\264028.exe106⤵
-
\??\c:\864066.exec:\864066.exe107⤵
-
\??\c:\60248.exec:\60248.exe108⤵
-
\??\c:\e08684.exec:\e08684.exe109⤵
-
\??\c:\82228.exec:\82228.exe110⤵
-
\??\c:\08000.exec:\08000.exe111⤵
-
\??\c:\64668.exec:\64668.exe112⤵
-
\??\c:\1lrlrlr.exec:\1lrlrlr.exe113⤵
-
\??\c:\64068.exec:\64068.exe114⤵
-
\??\c:\684444.exec:\684444.exe115⤵
-
\??\c:\420806.exec:\420806.exe116⤵
-
\??\c:\2466606.exec:\2466606.exe117⤵
-
\??\c:\820624.exec:\820624.exe118⤵
-
\??\c:\fxlfffl.exec:\fxlfffl.exe119⤵
-
\??\c:\3httbb.exec:\3httbb.exe120⤵
-
\??\c:\608288.exec:\608288.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-