Analysis
-
max time kernel
131s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 02:35
General
-
Target
88f2c932b70a532e7ac7173a7ff9de11c27caaa514dc8019cb6319d0b0b88aba.exe
-
Size
10.2MB
-
MD5
4da32f1f0b1dac90157f53b293a95f08
-
SHA1
acbeb60776e715cea2e06d79d2608446919789de
-
SHA256
88f2c932b70a532e7ac7173a7ff9de11c27caaa514dc8019cb6319d0b0b88aba
-
SHA512
1b93e41cc5c8c8a4d02c4cea18f46f48a7c74511b69c1b2677e1e320cf6fe8ac803d3dd0654c3349ca5009b06ea0bc9fb5cd300e10981e77057ba73cb4e22c13
-
SSDEEP
196608:A8FHCu5uL1zRjyrQpcs+TYm3El87p8oF6eQoIK5CsC0H1F/oeVOX:VHn5uerQp1iEO7R6PK5CsC0z
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\88f2c932b70a532e7ac7173a7ff9de11c27caaa514dc8019cb6319d0b0b88aba.exe"C:\Users\Admin\AppData\Local\Temp\88f2c932b70a532e7ac7173a7ff9de11c27caaa514dc8019cb6319d0b0b88aba.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
F:\²Ôñ·µÀ¶ÜºÏ»÷(΢¶Ë)\88f2c932b70a532e7ac7173a7ff9de11c27caaa514dc8019cb6319d0b0b88aba.exe"F:\²Ôñ·µÀ¶ÜºÏ»÷(΢¶Ë)\88f2c932b70a532e7ac7173a7ff9de11c27caaa514dc8019cb6319d0b0b88aba.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
F:\²Ôñ·µÀ¶ÜºÏ»÷(΢¶Ë)\²Ôñ·µÀ¶ÜºÏ»÷.exe"F:\²Ôñ·µÀ¶ÜºÏ»÷(΢¶Ë)\²Ôñ·µÀ¶ÜºÏ»÷.exe"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
F:\²Ôñ·µÀ¶ÜºÏ»÷(΢¶Ë)\88f2c932b70a532e7ac7173a7ff9de11c27caaa514dc8019cb6319d0b0b88aba.exeFilesize
10.2MB
MD54da32f1f0b1dac90157f53b293a95f08
SHA1acbeb60776e715cea2e06d79d2608446919789de
SHA25688f2c932b70a532e7ac7173a7ff9de11c27caaa514dc8019cb6319d0b0b88aba
SHA5121b93e41cc5c8c8a4d02c4cea18f46f48a7c74511b69c1b2677e1e320cf6fe8ac803d3dd0654c3349ca5009b06ea0bc9fb5cd300e10981e77057ba73cb4e22c13
-
F:\²Ôñ·µÀ¶ÜºÏ»÷(΢¶Ë)\²Ôñ·µÀ¶ÜºÏ»÷.exeFilesize
4.7MB
MD5f96754818d770694ce2ee5116f2540e1
SHA1831a7ae3a870b1e26b175975f7107dd2d753b79b
SHA256b2a709c49dd9221e4d78d54e369de7a8510a32cb2193c2a52e95e33cc1810c05
SHA51275f0b043835fa7f2d16113e5b5a45b113a85750197720c85768196467175c0a29d570ff884b3fd868428446743e481d8d5e01b592070435b5db548a5a6635d8a
-
memory/792-37-0x0000000003F10000-0x0000000003F1B000-memory.dmpFilesize
44KB
-
memory/792-42-0x0000000003FF0000-0x0000000003FF8000-memory.dmpFilesize
32KB
-
memory/792-63-0x0000000000400000-0x00000000020D5000-memory.dmpFilesize
28.8MB
-
memory/792-26-0x0000000002200000-0x0000000002201000-memory.dmpFilesize
4KB
-
memory/792-27-0x0000000002260000-0x0000000002261000-memory.dmpFilesize
4KB
-
memory/792-44-0x0000000004000000-0x0000000004007000-memory.dmpFilesize
28KB
-
memory/792-41-0x0000000000400000-0x00000000020D5000-memory.dmpFilesize
28.8MB
-
memory/792-40-0x0000000000400000-0x00000000020D5000-memory.dmpFilesize
28.8MB
-
memory/792-36-0x0000000003F00000-0x0000000003F0B000-memory.dmpFilesize
44KB
-
memory/792-38-0x0000000003FF0000-0x0000000003FF8000-memory.dmpFilesize
32KB
-
memory/792-28-0x0000000002270000-0x0000000002271000-memory.dmpFilesize
4KB
-
memory/792-34-0x0000000000400000-0x00000000020D5000-memory.dmpFilesize
28.8MB
-
memory/792-35-0x0000000000400000-0x00000000020D5000-memory.dmpFilesize
28.8MB
-
memory/792-32-0x00000000025E0000-0x00000000025E1000-memory.dmpFilesize
4KB
-
memory/792-29-0x0000000002390000-0x0000000002391000-memory.dmpFilesize
4KB
-
memory/792-30-0x00000000025C0000-0x00000000025C1000-memory.dmpFilesize
4KB
-
memory/792-24-0x0000000000400000-0x00000000020D5000-memory.dmpFilesize
28.8MB
-
memory/792-31-0x00000000025D0000-0x00000000025D1000-memory.dmpFilesize
4KB
-
memory/2584-12-0x0000000004210000-0x000000000421B000-memory.dmpFilesize
44KB
-
memory/2584-14-0x0000000010000000-0x0000000010024000-memory.dmpFilesize
144KB
-
memory/2584-17-0x0000000000400000-0x00000000020D5000-memory.dmpFilesize
28.8MB
-
memory/2584-25-0x000000000138E000-0x00000000016A8000-memory.dmpFilesize
3.1MB
-
memory/2584-23-0x0000000000400000-0x00000000020D5000-memory.dmpFilesize
28.8MB
-
memory/2584-2-0x0000000002690000-0x0000000002691000-memory.dmpFilesize
4KB
-
memory/2584-16-0x0000000000400000-0x00000000020D5000-memory.dmpFilesize
28.8MB
-
memory/2584-11-0x0000000004200000-0x000000000420B000-memory.dmpFilesize
44KB
-
memory/2584-1-0x000000000138E000-0x00000000016A8000-memory.dmpFilesize
3.1MB
-
memory/2584-13-0x0000000004220000-0x0000000004228000-memory.dmpFilesize
32KB
-
memory/2584-0-0x0000000000400000-0x00000000020D5000-memory.dmpFilesize
28.8MB
-
memory/2584-7-0x0000000003FD0000-0x0000000003FD1000-memory.dmpFilesize
4KB
-
memory/2584-9-0x0000000000400000-0x00000000020D5000-memory.dmpFilesize
28.8MB
-
memory/2584-8-0x0000000003FE0000-0x0000000003FE1000-memory.dmpFilesize
4KB
-
memory/2584-4-0x00000000027C0000-0x00000000027C1000-memory.dmpFilesize
4KB
-
memory/2584-5-0x0000000003FB0000-0x0000000003FB1000-memory.dmpFilesize
4KB
-
memory/2584-3-0x00000000027B0000-0x00000000027B1000-memory.dmpFilesize
4KB
-
memory/2584-6-0x0000000003FC0000-0x0000000003FC1000-memory.dmpFilesize
4KB
-
memory/2592-55-0x0000000000400000-0x0000000001027000-memory.dmpFilesize
12.2MB
-
memory/2592-54-0x0000000000400000-0x0000000001027000-memory.dmpFilesize
12.2MB
-
memory/2592-57-0x0000000000400000-0x0000000001027000-memory.dmpFilesize
12.2MB