Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
23-05-2024 17:20
General
-
Target
6fd082aa0d4fd75f2427510d8738b55b2090b4b406534adb335cdb0453ad53cb.exe
-
Size
4.5MB
-
MD5
b557479cf922838ce64b1a27bc772bf4
-
SHA1
b434f86ff476003fea3306a62d2a1075f5442f5c
-
SHA256
6fd082aa0d4fd75f2427510d8738b55b2090b4b406534adb335cdb0453ad53cb
-
SHA512
706f01459a0e7dc214cf6bd33d84d4b3be9fb32b1ee409eb71a0974ef9a55e3eaeb11878c957cc4ce24c671d2d2e279a0d73236cdb31d770bb37a0de988b0a78
-
SSDEEP
49152:xNIldFEedDqnroHO8wOZHOlvbuambSIN+6a9AknH:xNITcnsHtvZHUbmb/+TK
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 29 IoCs
-
Drops file in Drivers directory 2 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 15 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 26 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fd082aa0d4fd75f2427510d8738b55b2090b4b406534adb335cdb0453ad53cb.exe"C:\Users\Admin\AppData\Local\Temp\6fd082aa0d4fd75f2427510d8738b55b2090b4b406534adb335cdb0453ad53cb.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6fd082aa0d4fd75f2427510d8738b55b2090b4b406534adb335cdb0453ad53cb.exe"C:\Users\Admin\AppData\Local\Temp\6fd082aa0d4fd75f2427510d8738b55b2090b4b406534adb335cdb0453ad53cb.exe" Master2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.30my.com/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56d67ac0c7ab304209fc96550b9879330
SHA100d5f0a51a3ee4e2b32011e76d71cb5b4dc994a7
SHA25658090310bb8edb91094bb361b9732c8818cf276c28452f4587365dd22fe59031
SHA5122f305650e8cafb39c186df6c5813c4082909c7b04d459a7a064ff3c296381fc86018d0d1ee5b707fa796441d632d3bbbf7371af4473535b599c936e8f8170435
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD58010719846319c8f37fb156894a1b089
SHA14fabda088019a9c0bcf21b280cd1d905b39a2913
SHA2561b22fcb263a6941bf39fd1c511cf8d8d7c883d9efb233441c05dfadd320ffbbe
SHA51270c6bc978238121662aac53faee08a71c7157ca3871f83a37da44cdd55d2edf3443834564bbbfc67c01e4c8c503cec91cc2988a52d72b4056549733f5dd58f81
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56b363abdfef99a87c7516cc7a5136ba4
SHA1e0940db08987dbca8f42939f67a99ba111e8d2da
SHA2560a73cc2e12159dcc9cd7e0b2396f56bb3d4ef67238a1fe9962bb14067e51c1f1
SHA512824ae90a35115ff0ddef3d1a712b98919d428daa8b9a1154baf940bbf588fcf3edad5fa859d0b446d08b64564a399ec8d7df4a6bf8552fbcd25a106099e460ba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5ee763624cea46d22c2eb1ceae717a8cc
SHA18b18b436305c0a2678edfb9d2ca451ff9524e365
SHA256fd6d7d9dc8d2ee45fa8716840e1ebafa18ee919421f604fe8482f8232457abfa
SHA512249bad491fdc9d1e0dcf4d45a25f9bdf7e4b1a3904d7a26b9e2a662052f77ccb20e338022bde994d9f6ed636d93cec4b6ad51004ec7eafbdafbe1e3b8631536f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD50ac3d7665710b03eac02e1e6f471fce7
SHA10e17cdb113aaa9f94bcf0367a888119b4ffdad39
SHA2564873a57876593777b83fe05612751562ccf03bb310d2551bf392fe9579c83ea8
SHA512bea88ef8f35e995dcbeaba74370a6dbbdcdaa83a04279f8de23f64ae589b75b025bacadcdadc540e0b5186e652e5b1ecc54a8dcb47894621d67aad336bb36451
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD564149375f84ba42ce145e9ba1960119b
SHA15fba4234226189316fff2b0bb847504ab8a11d8f
SHA256ec4aa344af41bd63ed75f769eb16ddeef344dad00aff23ca22e1b208df93179b
SHA512cb0261be4758bf7c34613b14af7fd5fbc98270da8a1d1c09a20561d31142fe17a1717563d780482f0595bae30c4b790262970ef2bd037e53754b69c89e70504c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5cec3d428e1391c1d4090c42212f2a9c5
SHA1711f346a80fb723cbd45a4d80e6d7699ff1bdf61
SHA256fe15d9b18106cf0cd8a5d098c32ba8d3982fea6c25a800f4a177a1d1a23e6239
SHA5125bdf41a25ba863d9cfac46650dfe327e7cfc837e343224ef1772b5abbc48cc23ce91b8ab193c5a9e8e7f0e57fa7735c0609ba8d530398452d55f4c16acfc0913
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53813a873e5fd10bd7828f0d56d39ca00
SHA100467815c195398425f83e48e15b0f36f7d64bca
SHA2569b9b4f27286bb8e2443a3a3665f4e5e48be385e0bd841f62a2d5d3dc0ead112a
SHA512cee7b4d8cad2c11616d7afb77c777358f5da87a37d3a90f31a3aa0554dba341ef540440b816c809f78b3ed9dcd0992d9713967f91d49dec36a71855a68bfd275
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56f0c51f9fa399f03948a88b041f7637b
SHA11213fa97b27804001b335bc3c586739796469c0a
SHA2560c7422f2b8ebd08fa6f9e8a17ef2e5771cd28a9a1559e4537614cf491d1594a8
SHA512c7564c2c3101dbe087b6ea07866bf21895f148c02267e0064c6227559f280f7e31bb56c46d489550648882d7a46f4489fbe0da9f2851d1f4a718e7e5019a8e46
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5ff3bc1bf5ad7022af3fe20be7c7d5ee7
SHA19d9ecdb79531fb981c0aebbcbfea1221252a4189
SHA2569395747a706e84527a57ea00e9cd402990cdb99234e25af5db75c3fb6e97fc34
SHA512c65a74c2fbaeb7abf37c7d339267bc5996c24b52e40b763d447337ff8aa43e358e61ca168b36fc6626d7b68d721c6f3b6a072d3392fa8a32a45914b9d3b394e9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5796d10c360f28dd54f8c7602d96b9e1c
SHA19718d05596daa01e27b8938cf88b80b3c52d45ed
SHA2565f8834ecc5c044ab49aa7190be662f3956361e3a16d438d0fb49798abe035005
SHA512fce3d1a055d48d27abf3a3faed8962471abd8e5a603804837c1f6f5428409c3b116c47bc976679edcd7892eac9aac706770d25dda3fe91782ffbf952d09bb97a
-
C:\Users\Admin\AppData\Local\Temp\Cab3BDA.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\Tar3C2B.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\Desktop\ħÓò·¢²¼Íø.urlFilesize
120B
MD55c8c7c3ce78aa0a9d56f96ab77676682
SHA11a591e2d34152149274f46d754174aa7a7bb2694
SHA25640a172493bd1337c6bfd9c0af15be6d6e5d539135dd766577a05362e859ff806
SHA5128ef03cf1967157cf019d1e7b585a45042642d5a1d82c90ef68f1256e40fe162460e7c26919b1fdf8c33de9f95201ee6a13e69676436d7251a017c04fdf047a77
-
C:\Windows\SysWOW64\msvcp30.iniFilesize
18B
MD52cd7883782c594d2e2654f8fe988fcbe
SHA1042bcb87c29e901d70c0ad0f8fa53e0338c569fc
SHA256aa98ce751ef6ac5401a9278f30c06e250dbbd5e8c2e2c378b0fdf33a205d7037
SHA51288413dc63847682207d2b1e6cdfcb3de9cc73da5f900a1948e4aa262da20056bcb2486ee8a7c8a4f9b0aa3fdff6b99061262fbc67aebc99bf0b42e5bfc7db360
-
C:\Windows\msvcp30.icoFilesize
264KB
MD5bdccf3c42497089ae7001328305906ed
SHA1cf6f28e09d98ebe516b408e6b15f03f5891fdc79
SHA2565f191e3486c0bafdd237f8b79f6ce0f69d1f8c9f8c948d14ab061db36286b2f2
SHA512d7876d8d414ca48903393aa523296ffe35bfa3c6b5bfc4ce70adfc93d31efa61a9bfeea571754cde2e205416e57c13df5c45551b5e6aae6eb53b951065ebbf5d
-
\Windows\SysWOW64\msvcp30.dllFilesize
93KB
MD5a6c4f055c797a43def0a92e5a85923a7
SHA1efaa9c3a065aff6a64066f76e7c77ffcaaf779b2
SHA25673bd285ac6fba28108cdc0d7311e37c4c4fc3ba7d0069c4370778ac3099e21a9
SHA512d8120f7f59c212867c78af42f93db64d35f2d6eae7fc09021c0a6d8ca71a14bd2b2a3006027094ee2edcf65634dcdb3ac96da3ac810171fff021bed4c4254957
-
memory/2248-102-0x0000000000C90000-0x0000000000C91000-memory.dmpFilesize
4KB
-
memory/2248-88-0x0000000075140000-0x000000007517C000-memory.dmpFilesize
240KB
-
memory/2248-108-0x0000000075140000-0x000000007517C000-memory.dmpFilesize
240KB
-
memory/2248-56-0x0000000010000000-0x0000000010008000-memory.dmpFilesize
32KB
-
memory/2248-85-0x0000000075140000-0x000000007517C000-memory.dmpFilesize
240KB
-
memory/2248-107-0x00000000021E0000-0x000000000240F000-memory.dmpFilesize
2.2MB
-
memory/2248-84-0x00000000003B0000-0x00000000003C1000-memory.dmpFilesize
68KB
-
memory/2248-101-0x00000000021E0000-0x000000000240F000-memory.dmpFilesize
2.2MB
-
memory/2248-92-0x00000000021E0000-0x000000000240F000-memory.dmpFilesize
2.2MB
-
memory/2248-70-0x00000000021E0000-0x000000000240F000-memory.dmpFilesize
2.2MB
-
memory/2248-69-0x00000000003B0000-0x00000000003C1000-memory.dmpFilesize
68KB
-
memory/2248-68-0x00000000003B0000-0x00000000003C1000-memory.dmpFilesize
68KB
-
memory/2248-81-0x00000000021E0000-0x000000000240F000-memory.dmpFilesize
2.2MB
-
memory/2248-65-0x00000000003B0000-0x00000000003C1000-memory.dmpFilesize
68KB
-
memory/2248-61-0x0000000000280000-0x000000000028F000-memory.dmpFilesize
60KB
-
memory/2248-60-0x00000000021E0000-0x000000000240F000-memory.dmpFilesize
2.2MB
-
memory/2248-91-0x00000000021E0000-0x000000000240F000-memory.dmpFilesize
2.2MB
-
memory/2248-50-0x00000000021E0000-0x000000000240F000-memory.dmpFilesize
2.2MB
-
memory/2248-55-0x00000000021E0000-0x000000000240F000-memory.dmpFilesize
2.2MB
-
memory/2424-30-0x0000000075140000-0x000000007517C000-memory.dmpFilesize
240KB
-
memory/2424-39-0x0000000002200000-0x000000000242F000-memory.dmpFilesize
2.2MB
-
memory/2424-12-0x0000000000A70000-0x0000000000A7F000-memory.dmpFilesize
60KB
-
memory/2424-34-0x0000000000400000-0x0000000000891000-memory.dmpFilesize
4.6MB
-
memory/2424-36-0x0000000002200000-0x000000000242F000-memory.dmpFilesize
2.2MB
-
memory/2424-82-0x0000000000400000-0x0000000000891000-memory.dmpFilesize
4.6MB
-
memory/2424-0-0x0000000002200000-0x000000000242F000-memory.dmpFilesize
2.2MB
-
memory/2424-86-0x0000000075140000-0x000000007517C000-memory.dmpFilesize
240KB
-
memory/2424-16-0x0000000000CE0000-0x0000000000CF1000-memory.dmpFilesize
68KB
-
memory/2424-33-0x0000000002200000-0x000000000242F000-memory.dmpFilesize
2.2MB
-
memory/2424-2-0x0000000002200000-0x000000000242F000-memory.dmpFilesize
2.2MB
-
memory/2424-49-0x0000000002200000-0x000000000242F000-memory.dmpFilesize
2.2MB
-
memory/2424-48-0x0000000002A80000-0x0000000002A81000-memory.dmpFilesize
4KB
-
memory/2424-19-0x0000000000CE0000-0x0000000000CF1000-memory.dmpFilesize
68KB
-
memory/2424-20-0x0000000000CE0000-0x0000000000CF1000-memory.dmpFilesize
68KB
-
memory/2424-22-0x0000000000CE0000-0x0000000000CF1000-memory.dmpFilesize
68KB
-
memory/2424-21-0x0000000002200000-0x000000000242F000-memory.dmpFilesize
2.2MB
-
memory/2424-6-0x0000000010000000-0x0000000010008000-memory.dmpFilesize
32KB
-
memory/2424-10-0x0000000002200000-0x000000000242F000-memory.dmpFilesize
2.2MB
-
memory/2424-5-0x0000000002200000-0x000000000242F000-memory.dmpFilesize
2.2MB
-
memory/2424-1-0x0000000002200000-0x000000000242F000-memory.dmpFilesize
2.2MB
-
memory/2424-35-0x0000000075140000-0x000000007517C000-memory.dmpFilesize
240KB