Overview

overview

10

Static

static

3

f5ed77a77e...86.exe

windows7-x64

10

f5ed77a77e...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5ed77a77ea3fdf415e3379b8c3aa9480dd07a401da54dc4a2fcf2fcce807586.exe

  • Size

    4.7MB

  • MD5

    ce5a02dbbbecfdf9897726db6ba09a0b

  • SHA1

    05a203727a334153388184a030d3eff8534d611a

  • SHA256

    f5ed77a77ea3fdf415e3379b8c3aa9480dd07a401da54dc4a2fcf2fcce807586

  • SHA512

    d7e5a09cd93d4ccb1acac82eecd4b6c055b02792b8846644be028b0b9c11bb24771e2a94c4238267af108329cf86ec937751a876bd3299e4993e5abf7e840454

  • SSDEEP

    98304:fFBWQlG4wlD4GfkehReReO2pAiNoXfsQi2GxhDxjM1gh9noS9oMPQq9EsZXQo:e3uD/exAWoP3Imgbo8oMJEsBQo

Score
10/10
blackmoonbankertrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5ed77a77ea3fdf415e3379b8c3aa9480dd07a401da54dc4a2fcf2fcce807586.exe
    "C:\Users\Admin\AppData\Local\Temp\f5ed77a77ea3fdf415e3379b8c3aa9480dd07a401da54dc4a2fcf2fcce807586.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\1025.exe
      "C:\Users\Admin\AppData\Local\Temp\1025.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:2812
    • C:\Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\Ò¬×ÓµçÄÔÒ»Ìå¶Ë.exe
      "C:\Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\Ò¬×ÓµçÄÔÒ»Ìå¶Ë.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c cmd /c netsh interface ip set dns Local Area Connection static 114.114.114.114
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh interface ip set dns Local Area Connection static 114.114.114.114
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Windows\SysWOW64\netsh.exe
            netsh interface ip set dns Local Area Connection static 114.114.114.114
            5⤵
              PID:1788
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /flushdns
          3⤵
          • Gathers network information
          PID:788
    • C:\windows\Ahyteq.bat
      C:\windows\Ahyteq.bat -auto
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\windows\Ahyteq.bat
        C:\windows\Ahyteq.bat -acsi
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:616

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\lib\client
      Filesize

      2.1MB

      MD5

      00527359b17835fe4fc01a4f1879afa2

      SHA1

      445f327fa1a67efe30e4d4b5f3eda6c154f0764b

      SHA256

      2a96314fe40b19791df90e6dd95ff91f7de53414d4ba1ecfb18c329ae6f18723

      SHA512

      bdab38fbac29a95008da4ad850adbf4594b00dfa8d8518c49db55868932bcaf8e4b0ade907de743092211499570397b12103a8ad4d6013f72fdfd462ed467bfc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\lib\krnln.fnr
      Filesize

      1.2MB

      MD5

      1eece63319e7c5f6718562129b1572f1

      SHA1

      089ea3a605639eb1292f6a2a9720f0b2801b0b6e

      SHA256

      4bed8a6e4e1548fddee40927b438132b47ef2aca6e9beb06b89fcf7714726310

      SHA512

      13537d1dd80fa87b6b908361957e8c434ca547a575c8c8aab43423063e60cb5523fb1843a467ae73db4a64d278c06b831551e78ae6d895201f7ef0c5b162c1ab

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\lib\libcurl.dll
      Filesize

      1.3MB

      MD5

      4f46e64aa3daa556ecca1da1f6c8e8e5

      SHA1

      b949c14ef228d5253f243fee44312681b340e2db

      SHA256

      7376d07ec6b98cbff685d6e97cbdfed97f0f55701245fafd5d2a71fc686822e5

      SHA512

      66cb5582a0fd05b70d9d2dc3daac93f87677488373b0f07f729d9f579e56f4beb014eea88fabdab6a0887bb77fb0b6ec3316069568fa4a799dabbd3c438dcc47

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      1KB

      MD5

      6728aea2631b86a76c237508d8ba9b55

      SHA1

      7a670f95cac088313f7558869162fe01c6dc0ec9

      SHA256

      e1dd7380c6df33cd5702b032e0e359029d3ef7630f06ceb42cfdc154fd0baf7b

      SHA512

      533080cd1ec40b8530cad5c9914e0a5156d225f7392283ed2607eda4f1db4a6930002274060ed9130a6f634222c2e15818e16a50579cfe7f5274d028d31212f5

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
      Filesize

      724B

      MD5

      8202a1cd02e7d69597995cabbe881a12

      SHA1

      8858d9d934b7aa9330ee73de6c476acf19929ff6

      SHA256

      58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

      SHA512

      97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      410B

      MD5

      452b7f82815ca608f0b7c3107ae30301

      SHA1

      8b3491b3a239fc4757e3a9e95a46fad8646e9822

      SHA256

      69d288878c233a01724af9c280aee515842f0c3e207366d3356e8d4af72eb7da

      SHA512

      e6bf86b2b479f995392b7fe9c13e355bbb3fe1abec38750c0f37fbddea700b5d3e6a7a7244d6583372871fa5db20850b4d46a269c4e62a3a91de971fa8c65a40

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
      Filesize

      392B

      MD5

      5c9ce292a7c9a3e80ce2d556fc29504d

      SHA1

      acba956101cc0d1576b576304a268b8a71467dad

      SHA256

      0d423024cf4979fc57f52745632cff590cb6243edc3670931dfa01c6b3dcc96b

      SHA512

      63060741348ee0b41d13eee9241abf9af4eb2614ab541d185389825cc1d29979926dcf0959fb5b2fcbdf2bc912fd592bda727d54a0862f3cd4af275cba7f251c

      Download Submit
    • C:\Windows\SysWOW64\ini.ini
      Filesize

      19B

      MD5

      fe9af7587d65300338177538aa72f924

      SHA1

      c8ae231d3ae13f9db8b9f16e188e951e7cb76377

      SHA256

      556243e27a369fbdff1ecfb413b7540f1eb4e6becba03b76d221443b0d022351

      SHA512

      3bffe70c5daea4d6be501278be067bbc02e7ac211fef33629b5447ef498d49af7cbe25f994e33c2835bd9963749c07edc789fddd918e1c7739b77422ff57cf3e

      Download Submit
    • C:\input.txt
      Filesize

      4B

      MD5

      b91b1facf3b3a7890177f02ac188f14c

      SHA1

      e1e0b4868c21dad9a79bc0b107ce283815815bbd

      SHA256

      3765c3e23aeefaf31c3e27e95895ef627fa688f9652d7efc6746af9fc45dbfb0

      SHA512

      b0bbeab2d6a2efddac5fe522dc006014e646e6e53ae9706954819a69b1f889c14d9313ac98ea3b88e7b52e087649c3f6545b1d6faa699097b3f51441fc93df0a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\1025.exe
      Filesize

      508KB

      MD5

      2baad2e607969a62f8ccde3bdf866223

      SHA1

      4d3c245aaa1b6844752f07ed08bd8bfb533250d9

      SHA256

      9e86dffa2a0b7ad89db81c1ba844cfd0e492d8bdcb8b11cbe023316fe547ab18

      SHA512

      9dff1df480a8e4460f4c7aea905b8064f749982bfc30e01acb7f2fefa37f8f422e40eb6ac95663d9aea5f5061b0196cfda6f6a5f587ef0a3af09a4379af41a8e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\Ò¬×ÓµçÄÔÒ»Ìå¶Ë.exe
      Filesize

      49KB

      MD5

      83df8134d9c077739379ac0e00182af7

      SHA1

      5053b87b1f8047fffc1578de0dd4e6b1a0c9678b

      SHA256

      ba7d88038d1475db4253ed6537475df8529c5de373efb3f837d96fe499577a38

      SHA512

      26873f86eade6f15d56f895b92f40f948fbd5382d14f65a49fe7ff6f89cf31b6d0e229eab102ca8c966bc0c087304c601f81ac7d6c5990b0f8e00e3afc80fde0

      Download Submit
    • memory/616-118-0x0000000000400000-0x0000000000595000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/616-132-0x0000000001EA0000-0x0000000001EC0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/2040-109-0x0000000000B80000-0x0000000000BA0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/2100-59-0x0000000003D10000-0x0000000003D3A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/2100-56-0x0000000003D10000-0x0000000003D3A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/2100-46-0x0000000005350000-0x00000000054E5000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2508-58-0x0000000000400000-0x000000000042A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/2508-141-0x0000000000400000-0x000000000042A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/2812-64-0x0000000010000000-0x00000000100BE000-memory.dmp
      Filesize

      760KB

      Download
    • memory/2812-115-0x0000000000400000-0x0000000000595000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2812-85-0x00000000027A0000-0x00000000027C0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/2812-61-0x0000000010000000-0x00000000100BE000-memory.dmp
      Filesize

      760KB

      Download
    • memory/2812-63-0x0000000010000000-0x00000000100BE000-memory.dmp
      Filesize

      760KB

      Download
    • memory/2812-50-0x0000000000400000-0x0000000000595000-memory.dmp
      Filesize

      1.6MB

      Download