Analysis

  • max time kernel: 4s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06-06-2024 06:43

General

  • Target: d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe
  • Size: 452KB
  • MD5: ea792852c9779df6b985f30006d2874b
  • SHA1: acc1403b0049670216ff392d9b0d75af8f989773
  • SHA256: d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f
  • SHA512: b437d7e06e973f29cdc63ea3adc4615de431631a7ff70ef4a7f13fc26ed5fab7cc539f67f623acd19dd4ef5d97191ded3a72129eb52bf68e27dba5667e9a7cbd
  • SSDEEP: 6144:/vPBvEQR6H3Udg2FuHRfepwqHpA7b2+yO2COKCZj:/vpv/R6H3U25fehHpAW+yOBOKCZj

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the UPX open source packer or a modified UPX variant.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

Processes

  • C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe
    "C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe"
    1⤵
      PID:4540
      • C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe
        "C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe"
        2⤵
          PID:3484

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe
    Filesize: 128KB
    MD5: 9eb1b8eead61ed69f041c8919254e8d6
    SHA1: 5cd208d80844c755c8fef1b66acba9add36d43ea
    SHA256: eb52477d9c09e110da435b114de9a5b1893a6d2b8c528e942f27a2f419204801
    SHA512: 27d58ff6f6fbdd9348d091393e1961d53fe8dc69b58e5e0d75ac84e4840cf3c65e4ecb0bccb5bb2673113c654f73147c40c70f6b09dff8899c96149628112858

  • C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe
    Filesize: 448KB
    MD5: 2d8b2f1e79fbd9bb922649afe2fd91e4
    SHA1: ed2593c5497a844787525d20aeb08206fac7cf71
    SHA256: 173cad168d1e4064098a002c523030f3cc4bb997c8e5a743fce87d9a0cb60dd0
    SHA512: dd40e9e79e0e1eccf4265c47bc06dcfc812199fcc333d046aed67a716df1dc779b4638a31f61001a275f944da58d43eee84e82b99fd6518f5e5d2387e53dd24e

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize: 102B
    MD5: 6fa22cbe209fe66f58fae365dc1394a1
    SHA1: 64782510384216673e2ab2f4261bca5ca2aaa3e7
    SHA256: ea4c428dd784b4e57a40cbe966153fde96f577ca17ee6ad36e608a5c387287af
    SHA512: 8a2858cf6c06a7d1a5834a20337f4fbe3297e1db57b6fcbbc0a04bc4321742d344253bb55102df64a8b291e0eede67c4114d5da2feb9eba470f3e6c2a7adfff2

  • memory/3484-43-0x0000000000400000-0x0000000000473000-memory.dmp
    Filesize: 460KB

  • memory/3484-56-0x0000000000400000-0x0000000000473000-memory.dmp
    Filesize: 460KB

  • memory/4540-0-0x0000000000400000-0x0000000000473000-memory.dmp
    Filesize: 460KB

  • memory/4540-50-0x0000000000400000-0x0000000000473000-memory.dmp
    Filesize: 460KB