Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-05-2024 10:42
General
-
Target
ba86cc2a759cba001c922cad01b57cf5d369b8360c4d871c02b888cb1cfc1a06.exe
-
Size
5.1MB
-
MD5
72f2b49a64a3b9243478af5313774ba4
-
SHA1
6f8786f22afaa92882b08c9443c06785c062a7b4
-
SHA256
ba86cc2a759cba001c922cad01b57cf5d369b8360c4d871c02b888cb1cfc1a06
-
SHA512
04ba1e457504d7e996a21887380e0244c889aef8ba1ab2ee13d57a2fae5c76daecd64dc5a9c66229e2de13831ad36fd0834c26a66fa7f8f35ac189092ef444e7
-
SSDEEP
49152:7bCknzcErNNQJLxgjI45TMwwapIgThpYqB+Cq99LyHHI+t6O8N+ailEy6dmpzeiU:SXPLapIK6J0oAaldmdmnp
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 7 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Adds policy Run key to start application 2 TTPs 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops autorun.inf file 1 TTPs 6 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba86cc2a759cba001c922cad01b57cf5d369b8360c4d871c02b888cb1cfc1a06.exe"C:\Users\Admin\AppData\Local\Temp\ba86cc2a759cba001c922cad01b57cf5d369b8360c4d871c02b888cb1cfc1a06.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"2⤵
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
\Windows\360\360Safe\deepscan\ZhuDongFangYu.exeFilesize
5.1MB
MD572f2b49a64a3b9243478af5313774ba4
SHA16f8786f22afaa92882b08c9443c06785c062a7b4
SHA256ba86cc2a759cba001c922cad01b57cf5d369b8360c4d871c02b888cb1cfc1a06
SHA51204ba1e457504d7e996a21887380e0244c889aef8ba1ab2ee13d57a2fae5c76daecd64dc5a9c66229e2de13831ad36fd0834c26a66fa7f8f35ac189092ef444e7
-
memory/3012-11-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/3012-10-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/3012-289-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/3048-1-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/3048-0-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/3048-9-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/3048-7-0x00000000020C0000-0x0000000002113000-memory.dmpFilesize
332KB