Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2024 02:27

General

  • Target

    8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe

  • Size

    88KB

  • MD5

    4ee6e1dd5421d315522f609d181e8ff2

  • SHA1

    e6a5f48b98bb64e30bf5f64f4c8421b711f1fa0e

  • SHA256

    8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484

  • SHA512

    be37bd8c28798a0ebbbfcfd86e297cf7aab10c603dcf3d7bb571ed59103cd24a207ab5332df6055ccb751882d4e8be62bb9f6f22e1058980f5c3f2f47099b541

  • SSDEEP

    1536:EF7p8VeHwYaBlAvXhRDtxY11686va0QgE9gHgMVnvLiDXs+T:K98VNTAP3BW1k81cLAUvLiDXss

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe
    "C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\Syslemgeqkf.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemgeqkf.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemgeqkf.exe

    Filesize

    88KB

    MD5

    3816e472b36345ae775046ee35022e99

    SHA1

    f02836d6dd2af7ba61487620cebf7593028c6bda

    SHA256

    f82a807ba97226e95206fc49c274e0d662136bfe5d5e1be9a4ec0c7ea6f25a6b

    SHA512

    67801e4d5c972a4df752de0d0f737d74dbb0dae550a87704feb46e1bd7c49f6d578c90e192cb5242149d7d483511607729bc5b884b6f44c8ab5f9211ee229dab

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    f0b19345292cdf6045d0fe3d16377185

    SHA1

    d4dce3873b31ead3a7d4a9936dc313e1cf867018

    SHA256

    c05b66788960be8eeda29104f31846c2161a025880873dddcb4b87c7b9216b34

    SHA512

    2a0219c4ee524a4146c9a404a5d7aac35f394b5f184e45d82d5f7f1eeab07e9167cdb31fcf5c147c555a31d8558d7be3aa6e1aee0215c11036821af040d1b077

  • memory/1400-0-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1400-14-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/5096-16-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB