Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 07:53

General

  • Target

    d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe

  • Size

    431KB

  • MD5

    d3af3d5142b11c8fb767076688c5e790

  • SHA1

    e95579fbb827aa2ee9b031fe44dccc00171f351d

  • SHA256

    199b2cb92890944469b6eb84f8893f419c48799df164604d0f4ed9b6dc41551d

  • SHA512

    fb93037aaefe8e4ae95b9640d1f409737a0ae8380fcad2c8a6c998e8a09c0ca9e9ec16c3464c81899b86162a2518487322d0bb05d1cc25afe777d04b8b1bbf1f

  • SSDEEP

    3072:TVmHpJqu0Vh6jw/fmZmRMpVuWwP5tOcQfgdVqYHKjoS1HwZCFjTPG1UFNE2XCKUM:TcHpJfHElepVuWwP5YcQfg8J+ojCKC+r

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d3af3d5142b11c8fb767076688c5e790_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Users\Admin\AppData\Local\Temp\Systemhtgfl.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemhtgfl.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3780

Network

MITRE ATT&CK Matrix ATT&CK v13

Discovery

  • Query Registry (1) T1012
  • System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Systemhtgfl.exe
    Filesize

    431KB

    MD5

    c464454d458e0b5a454bde17b8f64d57

    SHA1

    8ac4eb4a5de6ff09af9c683863bc687eabf9759a

    SHA256

    6e9c2cfedf8bb27c2907ff0b7a100a3146e182a6cf9e9cd28652d3fbe121f825

    SHA512

    0fefa673fb5fdc2c4bdcac2f6d813dde8ddcef5356fe93087e4529dde28357ea0986d461f7d85d81cf0f7105c85ab08f95945be7f4d98f03c8b7608e634b7b79

  • C:\Users\Admin\AppData\Local\Temp\path.ini
    Filesize

    85B

    MD5

    84f7dc59153b50b6b9b34c0560d41e90

    SHA1

    8d041093234961ac5ed02d7d66c2e0f1ca472d69

    SHA256

    cb0ee27015a0322f5be5c8ac38d60c055b139347b9692117109d00be8e645d3f

    SHA512

    57381f536d4a4a7c6097a420aad20dbecead35266e21fe58263fde5f0fc2e2d6bc950dafbf4285d5b791e23c450807b191e35528d6ecf564eed5de671721b2d2