Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 12:25

General

  • Target

    28b1d5a2a630ee3aadc78576c4c06010_NeikiAnalytics.exe

  • Size

    357KB

  • MD5

    28b1d5a2a630ee3aadc78576c4c06010

  • SHA1

    76bf2bc0e5ecbd81d9bdda78df2420701bcf039c

  • SHA256

    84f9ab5a8e810fd027e7fe0d2e4004444b316a51d6f15951c5d17f0970068748

  • SHA512

    b7a0f0fd547948e8228e99a6910c9f8b75f9b5e3913de19741ddcb5892e3fa0a6f141965c251deb8d0a6de50d1fba27154a023deafe8c361d0e795a7b10bd825

  • SSDEEP

    6144:mvk3Q5ibjnNuuXckaL7pbRBkce97aw/N4L7om:mvMQ5ibjnwka3pbRC19Gw/Nsom

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely used as a geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28b1d5a2a630ee3aadc78576c4c06010_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\28b1d5a2a630ee3aadc78576c4c06010_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\AppData\Local\Temp\Systemctwzw.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemctwzw.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v13

Discovery

  • Query Registry (1): T1012
  • System Information Discovery (2): T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Systemctwzw.exe
    Filesize

    357KB

    MD5

    34e18cd7d452a3e33e7742fd7b966476

    SHA1

    f0f5722fa2aa2c8660a758b5e492aa21ab087ede

    SHA256

    fd0dafd4109e2d7ab282982ea2cdd0d540c7c4018d1ec1d1d9d574da968fb913

    SHA512

    cbc1231292623e6052ead204e655af1cde9ef1673af4352d7ba2f46515fbadb7af8773e166005fe6cd92714cf71e7b8bb636ed98a30a3ca35d9cc1cac5d7208f

  • C:\Users\Admin\AppData\Local\Temp\fpath.ini
    Filesize

    85B

    MD5

    9a2e15a749720907053f3140197f0fd2

    SHA1

    f5867ca663347afeeffdb0c93c7afdf6f347a53c

    SHA256

    4e430aa94269a5ff8544190ed43230edd973f4239204e4b6f8e521930926ae87

    SHA512

    c5935ff15e2434e88371cde780f12aaaa458e27fd6f4aa1df4d67979c566a841c06190ebd800ef806cd376461693c789d1ff1d06e61301dc6decf02ca82097e8