Overview

overview

10

Static

static

3

4cc104acec...ac.exe

windows7-x64

10

4cc104acec...ac.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 05:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cc104acecede94686c15cfd1abf325133da18c638871e5531130eb6d3f066ac.exe

  • Size

    10.9MB

  • MD5

    8f008ebc1ce9bfdd918b4455c717f5e4

  • SHA1

    252f16cba0c69717ba78d2628dcb8ac9fa234261

  • SHA256

    4cc104acecede94686c15cfd1abf325133da18c638871e5531130eb6d3f066ac

  • SHA512

    15c16da7df80433b55c06de895f37423f966701f7e8e0d6aba119f00d82ba077ce8aa4c9b09d134bfe1b59295563e81bbe9db866b1e93ed688583031fd4be72e

  • SSDEEP

    196608:elRs+agtY9r6ZQDI61GkNriIV4Sxx+B5Koqcmo8ob13VOXxVOX:aRs+FXv6knIV4S6A+

Score
10/10
blackmoonbankerbootkitpersistencetrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cc104acecede94686c15cfd1abf325133da18c638871e5531130eb6d3f066ac.exe
    "C:\Users\Admin\AppData\Local\Temp\4cc104acecede94686c15cfd1abf325133da18c638871e5531130eb6d3f066ac.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2964
    • F:\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â(΢¶Ë)\4cc104acecede94686c15cfd1abf325133da18c638871e5531130eb6d3f066ac.exe
      "F:\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â(΢¶Ë)\4cc104acecede94686c15cfd1abf325133da18c638871e5531130eb6d3f066ac.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1876
      • F:\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â(΢¶Ë)\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â.exe
        "F:\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â(΢¶Ë)\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â.exe"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2228
      • F:\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â(΢¶Ë)\4cc104acecede94686c15cfd1abf325133da18c638871e5531130eb6d3f066ac.exe
        F:\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â(΢¶Ë)\4cc104acecede94686c15cfd1abf325133da18c638871e5531130eb6d3f066ac.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Writes to the Master Boot Record (MBR)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:556
        • F:\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â(΢¶Ë)\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â.exe
          "F:\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â(΢¶Ë)\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â.exe"
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:2120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • F:\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â(΢¶Ë)\4cc104acecede94686c15cfd1abf325133da18c638871e5531130eb6d3f066ac.exe
    Filesize

    10.9MB

    MD5

    8f008ebc1ce9bfdd918b4455c717f5e4

    SHA1

    252f16cba0c69717ba78d2628dcb8ac9fa234261

    SHA256

    4cc104acecede94686c15cfd1abf325133da18c638871e5531130eb6d3f066ac

    SHA512

    15c16da7df80433b55c06de895f37423f966701f7e8e0d6aba119f00d82ba077ce8aa4c9b09d134bfe1b59295563e81bbe9db866b1e93ed688583031fd4be72e

    Download Submit
  • F:\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â(΢¶Ë)\Hero.ini
    Filesize

    71B

    MD5

    b637c310abd39f09756bd78242425d5b

    SHA1

    f199aa8eac0c9dd37f0eaf72e12aa01d48542b27

    SHA256

    401ceb0b75ef9d8cf5b30b2e868ae6abfd5f037eb8d385ab57707f84efdf724c

    SHA512

    5f03d42da8a71f3fbe271d290507c987cdddf1d645c4daca74283c3ff5446f9d509a1a2c4a486033b6b891c9bd72de3d38ef8b108e71401b26f588d676407307

    Download Submit
  • F:\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â(΢¶Ë)\ÐÀÞȺϻ÷-¿ª¹Ò±Ø·â.exe
    Filesize

    5.2MB

    MD5

    eee6e5c7eea19561205b0f5616da069b

    SHA1

    61a8e3b2cab89dbc3d0e1db29c1b14217606393b

    SHA256

    6efa3171fda18e31df5f3f96e7132d869508556860cddc6cd52cb42e74b8cac5

    SHA512

    f3de22760f2ceee28e6e495e34df7a589b894a0e9e57aa170aae18029d42985c8522cbd36439f604c51e99f91b1c608d5ebc4b799b5bf966fc02ec23473554d0

    Download Submit
  • memory/1876-164-0x0000000000400000-0x0000000002193000-memory.dmp
    Filesize

    29.6MB

    Download
  • memory/1876-103-0x0000000006BC0000-0x0000000006BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1876-78-0x00000000002D0000-0x00000000002D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-54-0x0000000000400000-0x0000000002193000-memory.dmp
    Filesize

    29.6MB

    Download
  • memory/2964-31-0x000000000138E000-0x00000000016A8000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2964-3-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-0-0x0000000000400000-0x0000000002193000-memory.dmp
    Filesize

    29.6MB

    Download
  • memory/2964-30-0x0000000000290000-0x0000000000291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-28-0x0000000000290000-0x0000000000291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-25-0x0000000000280000-0x0000000000281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-23-0x0000000000280000-0x0000000000281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-20-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-18-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-15-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-13-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-10-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-8-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-6-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-5-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-32-0x00000000002A0000-0x00000000002A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-1-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-43-0x0000000000400000-0x0000000002193000-memory.dmp
    Filesize

    29.6MB

    Download
  • memory/2964-44-0x0000000000400000-0x0000000002193000-memory.dmp
    Filesize

    29.6MB

    Download
  • memory/2964-50-0x0000000004580000-0x0000000006313000-memory.dmp
    Filesize

    29.6MB

    Download
  • memory/2964-34-0x00000000002A0000-0x00000000002A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-36-0x00000000002A0000-0x00000000002A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-53-0x0000000000400000-0x0000000002193000-memory.dmp
    Filesize

    29.6MB

    Download
  • memory/2964-55-0x000000000138E000-0x00000000016A8000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2964-37-0x0000000000400000-0x0000000002193000-memory.dmp
    Filesize

    29.6MB

    Download
  • memory/2964-39-0x0000000000350000-0x000000000035B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2964-40-0x0000000000370000-0x000000000037B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2964-41-0x0000000000380000-0x0000000000388000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2964-42-0x0000000010000000-0x0000000010024000-memory.dmp
    Filesize

    144KB

    Download