Overview

overview

10

Static

static

3

92cccc47a5...63.exe

windows7-x64

10

92cccc47a5...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe

  • Size

    5.0MB

  • MD5

    d97ff1102e8ba106596d50a100021b9f

  • SHA1

    a9484405b91d2b0e19f845b85516d88e271b5184

  • SHA256

    92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63

  • SHA512

    05d055943264b1bab63127ff90edaa6a0cf7ef69282739d0466df4bd015abcc5531910896a0f93e67aa24689e1af4010dbd5e6b3793039bf0da08a6b77887fff

  • SSDEEP

    98304:D+HVb4W8Qh49un3vR3riSm+NJSBGwd43W9FRq:D+HJ8C49O/RHNJSEDiFw

Score
10/10
blackmoonbankerevasionthemidatrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    "C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4136
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c set
      2⤵
        PID:4272
      • C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
        PECMD**pecmd-cmd* PUTF -dd -skipb=1726464 -len=3470184 "C:\Users\Admin\AppData\Local\Temp\~7797432659843274099.tmp",,C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5056
      • C:\Users\Admin\AppData\Local\Temp\~5646964404686827150~\sg.tmp
        7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~7797432659843274099.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~6554066059501221788.."
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
      • C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\点我启动软件.exe
        "C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\点我启动软件.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:6012
        • C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\Clean WeChat X.exe
          "C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\Clean WeChat X.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:5376

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~5646964404686827150~\sg.tmp
      Filesize

      715KB

      MD5

      7c4718943bd3f66ebdb47ccca72c7b1e

      SHA1

      f9edfaa7adb8fa528b2e61b2b251f18da10a6969

      SHA256

      4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

      SHA512

      e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\Clean WeChat X.exe
      Filesize

      3.6MB

      MD5

      eeddf37e807097fc5aad876724c92f85

      SHA1

      38aebdfd0bfd7acf866156b1fbf43f4f2fa00f05

      SHA256

      c8f82ba8e56e5c1d24745a637e6d76bd6d593ccf539c6a101a7bfb9eca3624f7

      SHA512

      c1965ce51533be4617362223bc4b5850d4367e87bf243f0ee9ab2bea8de2478b7298c0347a31f03592fc8de052d6e0f799208e80590b920051b7012bb3357c87

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\点我启动软件.exe
      Filesize

      453KB

      MD5

      5dfe0fb8655ed70a0c8bda2167b156af

      SHA1

      8613f0213e2be06212fe1f8cf47855e8e37efb57

      SHA256

      18f7352254e97c5a655b8bd202615905f77b686ed587a501f895533a2016f58c

      SHA512

      941a12790ea9200c7b944d98e48884fe36625960ad51c774b472ea49ea8b2efe3270d189a939a3218d6b7d1471185250cefe3599d4c12634da2d187d8040ae6d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~7797432659843274099.tmp
      Filesize

      3.3MB

      MD5

      d3694c868bf680ae3524ee5aa6a642ef

      SHA1

      05e34034f05e5be7839450fc3da409976e1fc6b8

      SHA256

      a93a2fe8d6b6942fffb58b3e9dd073ba3d671f02c423a5da4b9333b67131e0a7

      SHA512

      824a551b3a188c0445b7fee742980f6588a9f8a4075a8dbcf8b55cd38916eec7923dd18b0788c34ee94ce506a9a92fd863eef9ac4de02229445861a5afba43a2

      Download Submit
    • memory/5376-35-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-36-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-27-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-26-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-29-0x0000000004AA0000-0x0000000004ACB000-memory.dmp
      Filesize

      172KB

      Download
    • memory/5376-32-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-33-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-34-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-25-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-28-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-37-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-39-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-40-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-41-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-42-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-43-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-44-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-45-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-46-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/5376-47-0x0000000000400000-0x0000000000D98000-memory.dmp
      Filesize

      9.6MB

      Download