Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 13:29
General
-
Target
d3a64f10c3ffee75d8871e56b86cfb5addd2bd8c791fffac87c29ac811d05305.exe
-
Size
4.5MB
-
MD5
538973fb715f9657d6369b95880d034f
-
SHA1
0ea309bdf440b33d3e0d718abbf7543a9760c21e
-
SHA256
d3a64f10c3ffee75d8871e56b86cfb5addd2bd8c791fffac87c29ac811d05305
-
SHA512
736c2fb40eb8b34d3f0a7735fdd06647a432d7c4650b2ad9c3e58e4da9486621a42513198fff2ce9279fb2250a9d79b96232f31d2a06605e0de23c9bd4e48822
-
SSDEEP
98304:GRsbxSZ5w64GYL/6YEA6CXRZLhsK3oUFrieBQJ4OiZrq1DfPHNADtV6v+pT:GKbgIGhG3oUF+M24O7NADtV6v+p
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3a64f10c3ffee75d8871e56b86cfb5addd2bd8c791fffac87c29ac811d05305.exe"C:\Users\Admin\AppData\Local\Temp\d3a64f10c3ffee75d8871e56b86cfb5addd2bd8c791fffac87c29ac811d05305.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\accelerator.exe"C:\Users\Admin\AppData\Local\Temp\accelerator.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\accelerator.exeFilesize
16KB
MD58b73d9f69feb27823d3be1f2536b72f1
SHA14aa5b78649debb07d97bf9365277e00f215e3fd0
SHA25601a89adeacbfc39eb0a3e7e207cde872ad5c4f3657ddecc697b13e42dae00c2f
SHA512f78dc47a0c60afd66d74909c90c6edd6e642c4554a65ab78c158a5bfea9bf28ad92902b3710ec1b5eb4980791346fae1181a18e1bb71c21c3574aa97d4ceaf68
-
C:\Users\Admin\AppData\Roaming\clinkm2.dataFilesize
4KB
MD5db82bfbfe4899b37721b290fbdba5c1e
SHA1d2df6b3e81d862ba5467af9c58ed872b18509afc
SHA256de7349bd2c7096d54ee26f972337f549cf89d39d218dd476d94dfa282331e395
SHA5125a4cee9eefa94d30238af2bedf6e86433047cca232de0e61cf8231c7dbfd9ab5debc2e55732b0dd7659746bff7a12bbe29c60944816b0bfb277e9eb99a5225f8
-
memory/1828-14-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB