Overview

overview

10

Static

static

3

85e67caed2...f7.exe

windows7-x64

10

85e67caed2...f7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/05/2024, 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe

  • Size

    7.9MB

  • MD5

    d32f78a71fd09d09c544f05e8dd3d40c

  • SHA1

    767ddca3599eab75b14e6539ccbd95b17e66cf86

  • SHA256

    85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7

  • SHA512

    23e469e09426abda7ec0587b4676f2eb375864aac77bc8cb103b5880ac2b7509a3a1c4a6be636cb4f88376d0950fab46e825e6b40f2c58c764c696fab827c599

  • SSDEEP

    196608:hh32TxDNiotZgs21BRLdoQlSOLM8gYQ9HPDPiVp:bmTF4otZoBRC0tL9gYQ9HmVp

Score
10/10
blackmoonbankerpersistencetrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe
    "C:\Users\Admin\AppData\Local\Temp\85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\ProgramData\TTQQinstall\壹游1.70月卡合击.exe
      "C:\ProgramData\TTQQinstall\壹游1.70月卡合击.exe"
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Enumerates connected drives
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:1176
    • C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe
      "C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe
        C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe 490A300A560A5A0A780A650A6D0A780A6B0A670A4E0A6B0A7E0A6B0A560A5E0A5E0A5B0A5B0A630A640A790A7E0A6B0A660A660A560A710A320A3B0A660A7A0A680A7A0A590A390A480A3D0A7B0A5E0A5F0A770A560A4F0A6D0A4C0A790A3E0A680A400A470A-2
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4712
        • C:\ProgramData\TTQQinstall\{81lpbpS3B7qTU}\EgFs4bJM.exe
          "C:\ProgramData\TTQQinstall\{81lpbpS3B7qTU}\EgFs4bJM.exe"
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\TTQQinstall\{81lpbpS3B7qTU}\EgFs4bJM.exe
    Filesize

    30KB

    MD5

    9e80b662cc6335824592af506a46c20c

    SHA1

    76f447db453e28835de09f7c865f373903bb50b4

    SHA256

    18716cd861b4de03f9d2ea9b32c4bed8473cf7e09410d04b5bb3db70be3863c1

    SHA512

    ea304340afe0137f7920c4ceeb0fbe226638339ba2b0b9f742770bee49cdd8b0dea886ce47c80cd1c5840654e67ecda5c61ece09fa0a0f00176aff0c222e58ae

    Download Submit

  • C:\ProgramData\TTQQinstall\{81lpbpS3B7qTU}\EgFs4bJM.txt
    Filesize

    269B

    MD5

    38296012d815bf39eb65962a77395abd

    SHA1

    f07c54d99c6a6648a086a630bdc40f2e9afcab2e

    SHA256

    1857e9e8c85448caaf4a0206331e1a8362987bf628bc6b4530489a58e1d379a1

    SHA512

    e2c109bc3bab70f7cd504b9ce10762c7444d39458fa9e1b28cc17be5dc7c3317a9d45ec0ca8dd4584b93b2e3e9b7d91fd7fef7a3027cc28d90a7372869d8b585

    Download Submit

  • C:\ProgramData\TTQQinstall\{81lpbpS3B7qTU}\ctxmui.dll
    Filesize

    390KB

    MD5

    c77f430fa7442382402d2f86d7bd49de

    SHA1

    75517e2a5a6d9d98c49bc429b96d5ec31e420a30

    SHA256

    c229f622424c9643e51930f601a979c14773eaae037fabe099bed393f8f6c507

    SHA512

    36aaece801c8642476b7fe61d7b030495b7865d7dd1555e297b9dda4c67b3ea0e3c111a3049fd267ab401cbd7eed998aa51e9610a13030f78b34c2724d7c122d

    Download Submit

  • C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe
    Filesize

    10.2MB

    MD5

    b3991b3ab21beae0511ead9c1f1d9da7

    SHA1

    2eac3c6ab582431b9915cdfa16f25f0f95be22fb

    SHA256

    09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb

    SHA512

    4fe1445aba6f0a1eb0222f3c2b60d8cbd9dc70d648941fa8c6af69917181a547a4296bee57c591cb41e474b363dc9592a3da1038e33a5560153d1cb1829ad784

    Download Submit

  • C:\ProgramData\TTQQinstall\壹游1.70月卡合击.exe
    Filesize

    5.2MB

    MD5

    77ec837714fdd0dc1836dc6929f47acc

    SHA1

    c6d52a05ad944488fa88970006f164f1bc798b10

    SHA256

    7c8a167b5b33f983f05cec03df0501f173d8eda6496c520d904043934df1cb5d

    SHA512

    a92fb499bd52e59fa90b2ca2856101573903f71404c3b01fabe6d5cebf3872da79ad83b8fe4988dcc2c4405bd9e12038fba56eb668df12c8efc1575a262c731e

    Download Submit

  • memory/972-38-0x0000000003340000-0x0000000003427000-memory.dmp

    Filesize

    924KB

    Download

  • memory/972-35-0x0000000010000000-0x0000000010097000-memory.dmp

    Filesize

    604KB

    Download

  • memory/972-36-0x0000000003340000-0x0000000003427000-memory.dmp

    Filesize

    924KB

    Download

  • memory/972-40-0x0000000010000000-0x0000000010097000-memory.dmp

    Filesize

    604KB

    Download

  • memory/972-47-0x00000000047E0000-0x00000000048CB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/972-49-0x00000000050C0000-0x0000000005235000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/972-51-0x00000000045C0000-0x00000000047D1000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/972-52-0x0000000005010000-0x0000000005062000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1176-27-0x0000000000400000-0x0000000000CC3000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1176-25-0x0000000000400000-0x0000000000CC3000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1176-24-0x0000000000400000-0x0000000000CC3000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1176-19-0x0000000000400000-0x0000000000CC3000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1176-20-0x0000000000D10000-0x0000000000D13000-memory.dmp

    Filesize

    12KB

    Download