Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 04:39
General
-
Target
ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe
-
Size
15.4MB
-
MD5
23f87f4db9da43225c083271aefbc337
-
SHA1
95e0246ad205e61045dea39617bfca2d27f317b6
-
SHA256
ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2
-
SHA512
e4813623352478ba195590a7e9c296ead59f193523dffca8197ba77fabe676500ad85e1bd9f849a2081a8776e35733f1264628545666b877bc677d14a708aa65
-
SSDEEP
393216:UnaetWreNcKL2Drs9LiA+S3jHRNUO0GoU/WhonaC:YcreqKik9+i3jxQhU/6onB
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 8 IoCs
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe"C:\Users\Admin\AppData\Local\Temp\ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe"1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ÖîÉñ´«Ëµ\25420ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exeC:\ÖîÉñ´«Ëµ\25420ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1c0dafa2764931e74179a9ab0028cc5a.txtFilesize
12B
MD52018fad0d562984421a6daedc428d0ec
SHA1f5ef2e251a75b272770ea623cdc99742a5a04a92
SHA256ae8a77c9bca81f3d2883066984a87213b97601be540cd1a7c8fcb8f9996367ad
SHA5124270f94bfa1c0a9e59395a7433614db127d2fcf110c218e8b73b95413b3df358f3a53f5115089e2135935ad3b0eeddc7dd92b649082d8408c867f0ba16c3a5be
-
C:\ÖîÉñ´«Ëµ\25420ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2.exeFilesize
15.4MB
MD523f87f4db9da43225c083271aefbc337
SHA195e0246ad205e61045dea39617bfca2d27f317b6
SHA256ac7cdfc98a9d2ba7fa4b851727156d0aee97336867fcab4a4a00a57e398fafd2
SHA512e4813623352478ba195590a7e9c296ead59f193523dffca8197ba77fabe676500ad85e1bd9f849a2081a8776e35733f1264628545666b877bc677d14a708aa65
-
memory/1844-50-0x0000000000400000-0x0000000000927000-memory.dmpFilesize
5.2MB
-
memory/1844-16-0x0000000000400000-0x0000000000927000-memory.dmpFilesize
5.2MB
-
memory/1844-20-0x0000000000400000-0x0000000000927000-memory.dmpFilesize
5.2MB
-
memory/1844-21-0x0000000000400000-0x0000000000927000-memory.dmpFilesize
5.2MB
-
memory/1844-19-0x0000000000400000-0x0000000000927000-memory.dmpFilesize
5.2MB
-
memory/3044-3-0x0000000000400000-0x0000000000927000-memory.dmpFilesize
5.2MB
-
memory/3044-18-0x0000000000400000-0x0000000000927000-memory.dmpFilesize
5.2MB
-
memory/3044-7-0x0000000003FD0000-0x0000000003FD1000-memory.dmpFilesize
4KB
-
memory/3044-8-0x0000000003A60000-0x0000000003A61000-memory.dmpFilesize
4KB
-
memory/3044-9-0x0000000003FE0000-0x0000000003FE1000-memory.dmpFilesize
4KB
-
memory/3044-0-0x0000000000400000-0x0000000000927000-memory.dmpFilesize
5.2MB
-
memory/3044-1-0x0000000000400000-0x0000000000927000-memory.dmpFilesize
5.2MB
-
memory/3044-2-0x0000000000400000-0x0000000000927000-memory.dmpFilesize
5.2MB