Analysis Overview
SHA256
2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5
Threat Level: Known bad
The file 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5 was found to be: Known bad.
Malicious Activity Summary
Blackmoon, KrBanker
Detect Blackmoon payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Identifies Wine through registry keys
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 09:13
Signatures
Unsigned PE
No indicator details recorded for this signature.
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 09:13
Reported
2024-05-26 09:15
Platform
win7-20240221-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
No indicator details recorded for this signature (21 matching entries reported).
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe
"C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe"
Network
| Country | Destination | Domain | Proto |
| CN | 42.193.184.104:7701 | | tcp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| FR | 138.113.100.16:80 | www.ip138.com | tcp |
| HK | 103.235.47.103:80 | www.baidu.com | tcp |
| FR | 138.113.100.16:443 | www.ip138.com | tcp |
| US | 8.8.8.8:53 | 2024.ip138.com | udp |
| GB | 138.113.101.11:80 | 2024.ip138.com | tcp |
| CN | 42.193.184.104:7701 | | tcp |
| CN | 42.193.184.104:7701 | | tcp |
| CN | 42.193.184.104:7701 | | tcp |
| CN | 42.193.184.104:7701 | | tcp |
| CN | 42.193.184.104:7701 | | tcp |
| CN | 42.193.184.104:7701 | | tcp |
| CN | 42.193.184.104:7701 | | tcp |
Files
memory/2240-0-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-1-0x0000000077AF0000-0x0000000077AF2000-memory.dmp
memory/2240-17-0x0000000004D30000-0x0000000004D31000-memory.dmp
memory/2240-18-0x0000000004D40000-0x0000000004D41000-memory.dmp
memory/2240-23-0x0000000004D00000-0x0000000004D01000-memory.dmp
memory/2240-22-0x0000000004B60000-0x0000000004B61000-memory.dmp
memory/2240-21-0x0000000004B50000-0x0000000004B51000-memory.dmp
memory/2240-20-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
memory/2240-19-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
memory/2240-16-0x0000000004D50000-0x0000000004D51000-memory.dmp
memory/2240-15-0x0000000004B40000-0x0000000004B41000-memory.dmp
memory/2240-14-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
memory/2240-13-0x0000000004D60000-0x0000000004D61000-memory.dmp
memory/2240-12-0x0000000004B10000-0x0000000004B11000-memory.dmp
memory/2240-11-0x0000000004B20000-0x0000000004B21000-memory.dmp
\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la
| MD5 | e60421fdd78fd5c62f7188055202e055 |
| SHA1 | 30874f0a03f409231e8b64be2d76ba9a92c82f31 |
| SHA256 | aa8bc94c32576e87db8fc327c1103441966380e3e1da30303ce05df40687dd41 |
| SHA512 | c348fe342c5299b90da1f325a8a3a1defd6bf0da555af0d5bdfd5f1dde7ac871316932fd9fba67feebf2f31ee6978fc63547d3c3317b9c39f9777cf66608460b |
memory/2240-10-0x0000000004B00000-0x0000000004B02000-memory.dmp
memory/2240-9-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
memory/2240-7-0x0000000004AE0000-0x0000000004AE1000-memory.dmp
memory/2240-6-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
memory/2240-5-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
memory/2240-36-0x0000000000401000-0x0000000000666000-memory.dmp
memory/2240-4-0x0000000004D20000-0x0000000004D21000-memory.dmp
memory/2240-3-0x0000000004B30000-0x0000000004B31000-memory.dmp
memory/2240-2-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
memory/2240-37-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-40-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-41-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-42-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-43-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-44-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-45-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-46-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-47-0x0000000005CE0000-0x0000000005EE0000-memory.dmp
memory/2240-49-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-50-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-51-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-54-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-55-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-56-0x00000000014F0000-0x00000000015F0000-memory.dmp
memory/2240-58-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-59-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-60-0x00000000014F0000-0x00000000015F0000-memory.dmp
memory/2240-62-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-63-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-66-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-67-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-68-0x00000000014F0000-0x00000000015F0000-memory.dmp
memory/2240-69-0x00000000014F0000-0x00000000015F0000-memory.dmp
memory/2240-70-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2240-71-0x0000000000400000-0x00000000010A6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 09:13
Reported
2024-05-26 09:15
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
No indicator details recorded for this signature (24 matching entries reported).
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe | N/A |
Suspicious use of SetWindowsHookEx
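The registry, raw-disk and token events listed under Signatures in both behavioral runs are the kind of evidence a triage script can score on its own. The following is an added example, not the sandbox vendor's rule logic and not code from the sample: it runs predicates modelled on the indicator rows above over constructed events, and escalates when sandbox-evasion checks occur in the same run as a write to \??\PhysicalDrive0. The event field names, the ATT&CK technique mapping, and the widening of the VirtualBox check from DSDT to the FADT and RSDT tables are this example's assumptions.

```python
"""Added example, not the sandbox vendor's rule logic: score sandbox events
against the behaviour signatures this report lists. Event dicts, the ATT&CK
technique IDs and the widened VirtualBox ACPI check are assumptions."""
import re

# Constructed events modelled on the indicator rows in the report; the last
# one is ordinary registry activity that must not trigger anything.
SAMPLE_EVENTS = [
    {"op": "RegOpenKey", "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"op": "RegQueryValue", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"op": "RegQueryValue", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"op": "RegOpenKey", "path": r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine"},
    {"op": "FileOpen", "path": r"\??\PhysicalDrive0", "access": "write"},
    {"op": "AdjustTokenPrivileges", "privilege": "SeDebugPrivilege"},
    {"op": "NtSetInformationThread", "info_class": "ThreadHideFromDebugger"},
    {"op": "RegOpenKey", "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

def _reg(ev, pattern, ops=("RegOpenKey", "RegQueryValue")):
    """True when a registry open/query touches a path matching `pattern`."""
    return ev["op"] in ops and re.search(pattern, ev.get("path", ""), re.I) is not None

def _mbr_write(ev):
    """Opening PhysicalDriveN for write is how sector 0 (the MBR) gets overwritten."""
    return (ev["op"] == "FileOpen" and ev.get("access") == "write"
            and re.fullmatch(r"\\\?\?\\PhysicalDrive\d+", ev.get("path", ""), re.I) is not None)

# (signature name as the report prints it, assumed ATT&CK technique, predicate)
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "T1497.001",
     lambda ev: _reg(ev, r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$")),
    ("Checks BIOS information in registry", "T1497.001",
     lambda ev: _reg(ev, r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$",
                     ops=("RegQueryValue",))),
    ("Identifies Wine through registry keys", "T1497.001",
     lambda ev: _reg(ev, r"\\Software\\Wine$")),
    ("Writes to the Master Boot Record (MBR)", "T1542.003", _mbr_write),
    ("Suspicious use of AdjustPrivilegeToken", "T1134",
     lambda ev: ev["op"] == "AdjustTokenPrivileges" and ev.get("privilege") == "SeDebugPrivilege"),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "T1622",
     lambda ev: ev["op"] == "NtSetInformationThread" and ev.get("info_class") == "ThreadHideFromDebugger"),
]

def evaluate(events):
    """Map each matched signature to its technique and the indicators that fired."""
    hits = {}
    for ev in events:
        for name, technique, pred in RULES:
            if pred(ev):
                entry = hits.setdefault(name, {"technique": technique, "indicators": []})
                entry["indicators"].append(ev.get("path") or ev.get("privilege") or ev.get("info_class"))
    return hits

def verdict(hits):
    """Evasion checks plus a raw-disk write in one run outrank either alone."""
    evasion = any(h["technique"] in ("T1497.001", "T1622") for h in hits.values())
    mbr = "Writes to the Master Boot Record (MBR)" in hits
    if evasion and mbr:
        return "critical"
    return "suspicious" if hits else "clean"

if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    for name, h in result.items():
        print(f"[{h['technique']}] {name}: {', '.join(h['indicators'])}")
    print("verdict:", verdict(result))
```

The anti-VM predicates on their own are weak evidence (legitimate installers read SystemBiosVersion too); the point of `verdict` is that the combination seen in this report, environment fingerprinting followed by an open of the physical disk for write, is what should page someone.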
Processes
C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe
"C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| CN | 42.193.184.104:7701 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| FR | 138.113.100.16:80 | www.ip138.com | tcp |
| HK | 103.235.47.103:80 | www.baidu.com | tcp |
| FR | 138.113.100.16:443 | www.ip138.com | tcp |
| US | 8.8.8.8:53 | 2024.ip138.com | udp |
| GB | 174.35.118.62:80 | 2024.ip138.com | tcp |
| US | 8.8.8.8:53 | 16.100.113.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.47.235.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.118.35.174.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| CN | 42.193.184.104:7701 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| CN | 42.193.184.104:7701 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| CN | 42.193.184.104:7701 | | tcp |
| CN | 42.193.184.104:7701 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| CN | 42.193.184.104:7701 | | tcp |
| CN | 42.193.184.104:7701 | | tcp |
| CN | 42.193.184.104:7701 | | tcp |
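The Network tables in both runs mix resolver traffic, reverse lookups, visits to a public IP-lookup site and a repeated raw TCP connection to 42.193.184.104:7701. The added example below (not part of the report) parses rows in the shape the sandbox exports them, including rows where the Domain cell is missing and the protocol has shifted into its place, and buckets them so the beacon stands out. The sample rows are constructed from the behavioral2 table above; treating ip138.com as a public IP-lookup service, baidu.com as a reachability check, and the "non-web port, no name behind it, repeated" heuristic for C2 are this example's assumptions.

```python
"""Added example, not part of the report: parse Network-table rows as the
sandbox prints them and bucket them into resolver traffic, PTR noise,
public-IP lookups, reachability checks and candidate C2. The heuristics and
the domain roles are this example's assumptions."""
from collections import Counter

# Constructed from the behavioral2 Network table above. Two row shapes occur
# in the raw export: four cells, or three cells where the Domain cell is
# missing and the protocol has shifted into its place (the last row is also
# missing its closing pipe).
RAW_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| CN | 42.193.184.104:7701 | tcp | |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| FR | 138.113.100.16:80 | www.ip138.com | tcp |
| HK | 103.235.47.103:80 | www.baidu.com | tcp |
| FR | 138.113.100.16:443 | www.ip138.com | tcp |
| GB | 174.35.118.62:80 | 2024.ip138.com | tcp |
| CN | 42.193.184.104:7701 | tcp | |
| CN | 42.193.184.104:7701 | tcp | |
| CN | 42.193.184.104:7701 | tcp
"""

RESOLVERS = {"8.8.8.8"}                 # the sandbox's upstream resolver
IP_LOOKUP_DOMAINS = ("ip138.com",)      # public "what is my IP" service
CONNECTIVITY_DOMAINS = ("baidu.com",)   # assumed reachability check, not C2
WEB_PORTS = {80, 443}

def parse_row(line):
    """Return (country, dest, domain, proto) or None for header/blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    country, dest = cells[0], cells[1]
    if cells[2] in ("tcp", "udp"):        # shifted row: no domain recorded
        return country, dest, "", cells[2]
    proto = cells[3] if len(cells) > 3 else ""
    return country, dest, cells[2], proto

def parse_table(text):
    return [r for r in (parse_row(l) for l in text.splitlines()) if r]

def classify(row):
    _country, dest, domain, proto = row
    ip, port = dest.rsplit(":", 1)
    port = int(port)
    if ip in RESOLVERS and port == 53:
        return "ptr-noise" if domain.endswith(".in-addr.arpa") else "dns-query"
    if domain.endswith(IP_LOOKUP_DOMAINS):
        return "public-ip-lookup"
    if domain.endswith(CONNECTIVITY_DOMAINS):
        return "connectivity-check"
    # Raw TCP connects to a non-web port with no name resolution behind
    # them, repeated through the run, are the beacon pattern worth blocking.
    if proto == "tcp" and not domain and port not in WEB_PORTS:
        return "c2-candidate"
    return "other"

def triage(rows):
    """Bucket counts plus per-endpoint counts for the C2 candidates."""
    buckets = Counter(classify(r) for r in rows)
    beacons = Counter(r[1] for r in rows if classify(r) == "c2-candidate")
    return buckets, beacons

def iocs(rows):
    """ip:port strings to block, sorted and de-duplicated."""
    return sorted({r[1] for r in rows if classify(r) == "c2-candidate"})

if __name__ == "__main__":
    rows = parse_table(RAW_ROWS)
    buckets, beacons = triage(rows)
    print(dict(buckets))
    print("beacons:", dict(beacons))
    print("block:", iocs(rows))
```

The PTR lookups against 8.8.8.8 are the sandbox resolving names for its own report and carry no signal about the sample; the ip138.com and baidu.com traffic is the sample learning its public address and checking reachability before it beacons, which is why only the 7701/tcp endpoint ends up on the block list.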
Files
memory/2828-0-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-1-0x0000000077674000-0x0000000077676000-memory.dmp
memory/2828-4-0x0000000005260000-0x0000000005261000-memory.dmp
memory/2828-21-0x0000000005200000-0x0000000005201000-memory.dmp
memory/2828-20-0x0000000005290000-0x0000000005291000-memory.dmp
memory/2828-19-0x0000000005340000-0x0000000005341000-memory.dmp
memory/2828-15-0x0000000005300000-0x0000000005301000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la
| MD5 | e60421fdd78fd5c62f7188055202e055 |
| SHA1 | 30874f0a03f409231e8b64be2d76ba9a92c82f31 |
| SHA256 | aa8bc94c32576e87db8fc327c1103441966380e3e1da30303ce05df40687dd41 |
| SHA512 | c348fe342c5299b90da1f325a8a3a1defd6bf0da555af0d5bdfd5f1dde7ac871316932fd9fba67feebf2f31ee6978fc63547d3c3317b9c39f9777cf66608460b |
memory/2828-18-0x00000000052B0000-0x00000000052B1000-memory.dmp
memory/2828-17-0x0000000005350000-0x0000000005351000-memory.dmp
memory/2828-16-0x0000000005240000-0x0000000005241000-memory.dmp
memory/2828-14-0x00000000052C0000-0x00000000052C1000-memory.dmp
memory/2828-5-0x0000000005230000-0x0000000005231000-memory.dmp
memory/2828-13-0x0000000005390000-0x0000000005391000-memory.dmp
memory/2828-12-0x0000000005270000-0x0000000005271000-memory.dmp
memory/2828-11-0x00000000051F0000-0x00000000051F1000-memory.dmp
memory/2828-10-0x0000000005280000-0x0000000005281000-memory.dmp
memory/2828-9-0x00000000051D0000-0x00000000051D2000-memory.dmp
memory/2828-27-0x0000000005210000-0x0000000005211000-memory.dmp
memory/2828-8-0x0000000005220000-0x0000000005221000-memory.dmp
memory/2828-7-0x00000000051C0000-0x00000000051C1000-memory.dmp
memory/2828-6-0x00000000051B0000-0x00000000051B1000-memory.dmp
memory/2828-34-0x0000000000401000-0x0000000000666000-memory.dmp
memory/2828-2-0x00000000051A0000-0x00000000051A1000-memory.dmp
memory/2828-3-0x00000000051E0000-0x00000000051E1000-memory.dmp
memory/2828-38-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-39-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-40-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-41-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-42-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-43-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-44-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-45-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-46-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-47-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-48-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-49-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-50-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-51-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-52-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-53-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-54-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-55-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-56-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-57-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-58-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-59-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-60-0x0000000000400000-0x00000000010A6000-memory.dmp
memory/2828-61-0x0000000000400000-0x00000000010A6000-memory.dmp