Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 14:29

General

  • Target

    f5ed77a77ea3fdf415e3379b8c3aa9480dd07a401da54dc4a2fcf2fcce807586.exe

  • Size

    4.7MB

  • MD5

    ce5a02dbbbecfdf9897726db6ba09a0b

  • SHA1

    05a203727a334153388184a030d3eff8534d611a

  • SHA256

    f5ed77a77ea3fdf415e3379b8c3aa9480dd07a401da54dc4a2fcf2fcce807586

  • SHA512

    d7e5a09cd93d4ccb1acac82eecd4b6c055b02792b8846644be028b0b9c11bb24771e2a94c4238267af108329cf86ec937751a876bd3299e4993e5abf7e840454

  • SSDEEP

    98304:fFBWQlG4wlD4GfkehReReO2pAiNoXfsQi2GxhDxjM1gh9noS9oMPQq9EsZXQo:e3uD/exAWoP3Imgbo8oMJEsBQo

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Unexpected DNS network traffic destination 23 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 15 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view the network configuration.

  • Modifies data under HKEY_USERS 26 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5ed77a77ea3fdf415e3379b8c3aa9480dd07a401da54dc4a2fcf2fcce807586.exe
    "C:\Users\Admin\AppData\Local\Temp\f5ed77a77ea3fdf415e3379b8c3aa9480dd07a401da54dc4a2fcf2fcce807586.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4344
    • C:\Users\Admin\AppData\Local\Temp\1025.exe
      "C:\Users\Admin\AppData\Local\Temp\1025.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:5088
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1632
        3⤵
        • Program crash
        PID:884
    • C:\Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\Ò¬×ÓµçÄÔÒ»Ìå¶Ë.exe
      "C:\Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\Ò¬×ÓµçÄÔÒ»Ìå¶Ë.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c cmd /c netsh interface ip set dns Ethernet static 114.114.114.114
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4940
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh interface ip set dns Ethernet static 114.114.114.114
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:548
          • C:\Windows\SysWOW64\netsh.exe
            netsh interface ip set dns Ethernet static 114.114.114.114
            5⤵
            PID:1488
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c cmd /c netsh interface ip add dns name="Ethernet" addr=223.5.5.5 index=2
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh interface ip add dns name="Ethernet" addr=223.5.5.5 index=2
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4824
          • C:\Windows\SysWOW64\netsh.exe
            netsh interface ip add dns name="Ethernet" addr=223.5.5.5 index=2
            5⤵
            PID:3780
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5088 -ip 5088
    1⤵
    PID:2140
  • C:\windows\Ahyteq.bat
    C:\windows\Ahyteq.bat -auto
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\windows\Ahyteq.bat
      C:\windows\Ahyteq.bat -acsi
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4128

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1025.exe
    Filesize: 508KB
    MD5: 2baad2e607969a62f8ccde3bdf866223
    SHA1: 4d3c245aaa1b6844752f07ed08bd8bfb533250d9
    SHA256: 9e86dffa2a0b7ad89db81c1ba844cfd0e492d8bdcb8b11cbe023316fe547ab18
    SHA512: 9dff1df480a8e4460f4c7aea905b8064f749982bfc30e01acb7f2fefa37f8f422e40eb6ac95663d9aea5f5061b0196cfda6f6a5f587ef0a3af09a4379af41a8e

  • C:\Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\lib\client
    Filesize: 2.1MB
    MD5: 00527359b17835fe4fc01a4f1879afa2
    SHA1: 445f327fa1a67efe30e4d4b5f3eda6c154f0764b
    SHA256: 2a96314fe40b19791df90e6dd95ff91f7de53414d4ba1ecfb18c329ae6f18723
    SHA512: bdab38fbac29a95008da4ad850adbf4594b00dfa8d8518c49db55868932bcaf8e4b0ade907de743092211499570397b12103a8ad4d6013f72fdfd462ed467bfc

  • C:\Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\lib\krnln.fnr
    Filesize: 1.2MB
    MD5: 1eece63319e7c5f6718562129b1572f1
    SHA1: 089ea3a605639eb1292f6a2a9720f0b2801b0b6e
    SHA256: 4bed8a6e4e1548fddee40927b438132b47ef2aca6e9beb06b89fcf7714726310
    SHA512: 13537d1dd80fa87b6b908361957e8c434ca547a575c8c8aab43423063e60cb5523fb1843a467ae73db4a64d278c06b831551e78ae6d895201f7ef0c5b162c1ab

  • C:\Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\lib\libcurl.dll
    Filesize: 1.3MB
    MD5: 4f46e64aa3daa556ecca1da1f6c8e8e5
    SHA1: b949c14ef228d5253f243fee44312681b340e2db
    SHA256: 7376d07ec6b98cbff685d6e97cbdfed97f0f55701245fafd5d2a71fc686822e5
    SHA512: 66cb5582a0fd05b70d9d2dc3daac93f87677488373b0f07f729d9f579e56f4beb014eea88fabdab6a0887bb77fb0b6ec3316069568fa4a799dabbd3c438dcc47

  • C:\Users\Admin\AppData\Local\Temp\µçÄÔÒ»Ìå¶Ë\Ò¬×ÓµçÄÔÒ»Ìå¶Ë.exe
    Filesize: 49KB
    MD5: 83df8134d9c077739379ac0e00182af7
    SHA1: 5053b87b1f8047fffc1578de0dd4e6b1a0c9678b
    SHA256: ba7d88038d1475db4253ed6537475df8529c5de373efb3f837d96fe499577a38
    SHA512: 26873f86eade6f15d56f895b92f40f948fbd5382d14f65a49fe7ff6f89cf31b6d0e229eab102ca8c966bc0c087304c601f81ac7d6c5990b0f8e00e3afc80fde0

  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize: 1KB
    MD5: 6728aea2631b86a76c237508d8ba9b55
    SHA1: 7a670f95cac088313f7558869162fe01c6dc0ec9
    SHA256: e1dd7380c6df33cd5702b032e0e359029d3ef7630f06ceb42cfdc154fd0baf7b
    SHA512: 533080cd1ec40b8530cad5c9914e0a5156d225f7392283ed2607eda4f1db4a6930002274060ed9130a6f634222c2e15818e16a50579cfe7f5274d028d31212f5

  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize: 724B
    MD5: 8202a1cd02e7d69597995cabbe881a12
    SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
    SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
    SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize: 410B
    MD5: f90ddd89f3e3ccb1b50d446295bbddad
    SHA1: 3f56f3c6283c11882fa7231cc963c14a611990c5
    SHA256: b73f1e5147bea129d873d5e83f8c6d0343736493843ef864eb2e4d12650d53ec
    SHA512: dd726606da5afe6f5f84d6a4f3ad85b580c4691c06e0849ca47af2a5747f1c4a8d85ccf38477e2dafe7463d50351962b682e6ac5b3f07185cd32d8ccf76a1991

  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize: 392B
    MD5: 5e5ba0feb62a80feea9044522e601982
    SHA1: 7dafa0f38d0aec374f6e42f9a87889332f4f9a06
    SHA256: 2af6212ddca67904c2c82b65177e9477405d8b893e47d549a27c0612f26df51e
    SHA512: c29cef6b8994bd1d243f79b83cce5455a9dbd532083fbddc085e59a92ec782d44717c4069903902c66706e60f4b6ea5aaa398a4d02468a8f277b6a5f2e402169

  • C:\Windows\SysWOW64\ini.ini
    Filesize: 19B
    MD5: fe9af7587d65300338177538aa72f924
    SHA1: c8ae231d3ae13f9db8b9f16e188e951e7cb76377
    SHA256: 556243e27a369fbdff1ecfb413b7540f1eb4e6becba03b76d221443b0d022351
    SHA512: 3bffe70c5daea4d6be501278be067bbc02e7ac211fef33629b5447ef498d49af7cbe25f994e33c2835bd9963749c07edc789fddd918e1c7739b77422ff57cf3e

  • C:\input.txt
    Filesize: 4B
    MD5: b91b1facf3b3a7890177f02ac188f14c
    SHA1: e1e0b4868c21dad9a79bc0b107ce283815815bbd
    SHA256: 3765c3e23aeefaf31c3e27e95895ef627fa688f9652d7efc6746af9fc45dbfb0
    SHA512: b0bbeab2d6a2efddac5fe522dc006014e646e6e53ae9706954819a69b1f889c14d9313ac98ea3b88e7b52e087649c3f6545b1d6faa699097b3f51441fc93df0a

  • memory/760-108-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize: 168KB

  • memory/760-182-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize: 168KB

  • memory/1732-154-0x0000000001D80000-0x0000000001DA0000-memory.dmp
    Filesize: 128KB

  • memory/1732-138-0x0000000000400000-0x0000000000595000-memory.dmp
    Filesize: 1.6MB

  • memory/4128-176-0x0000000003310000-0x0000000003330000-memory.dmp
    Filesize: 128KB

  • memory/5088-159-0x0000000000400000-0x0000000000595000-memory.dmp
    Filesize: 1.6MB

  • memory/5088-160-0x0000000002260000-0x000000000230E000-memory.dmp
    Filesize: 696KB

  • memory/5088-129-0x0000000003270000-0x0000000003290000-memory.dmp
    Filesize: 128KB

  • memory/5088-110-0x0000000010000000-0x00000000100BE000-memory.dmp
    Filesize: 760KB

  • memory/5088-112-0x0000000010000000-0x00000000100BE000-memory.dmp
    Filesize: 760KB

  • memory/5088-115-0x0000000010000000-0x00000000100BE000-memory.dmp
    Filesize: 760KB

  • memory/5088-113-0x0000000010000000-0x00000000100BE000-memory.dmp
    Filesize: 760KB

  • memory/5088-114-0x0000000002260000-0x000000000230E000-memory.dmp
    Filesize: 696KB

  • memory/5088-103-0x0000000000400000-0x0000000000595000-memory.dmp
    Filesize: 1.6MB