Analysis Overview
SHA256
d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f
Threat Level: Known bad
The file d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f was found to be: Known bad.
Malicious Activity Summary
Blackmoon family
Detect Blackmoon payload
UPX dump on OEP (original entry point)
Blackmoon, KrBanker
UPX dump on OEP (original entry point)
UPX packed file
Unsigned PE
Enumerates physical storage devices
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 06:43
Signatures
Blackmoon family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 06:43
Reported
2024-06-06 07:00
Platform
win7-20240220-en
Max time kernel
11s
Max time network
137s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe
"C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe"
C:\Users\Admin\AppData\Local\Temp\elxploreriothu.exe
"C:\Users\Admin\AppData\Local\Temp\elxploreriothu.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | i2.tietuku.com | udp |
| US | 8.8.8.8:53 | aq.qq.com | udp |
| HK | 203.205.234.112:80 | aq.qq.com | tcp |
| HK | 203.205.234.112:443 | aq.qq.com | tcp |
| US | 8.8.8.8:53 | ocsp.digicert.cn | udp |
| US | 163.181.154.232:80 | ocsp.digicert.cn | tcp |
Files
memory/2080-0-0x0000000000400000-0x0000000000473000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\elxploreriothu.exe
| MD5 | d536441acbd266db6c8a893b52084b26 |
| SHA1 | 990fbbec0ca4b25f18da8cc313ac96485668e02a |
| SHA256 | 269b1ab0b598d2ae5bbefd8a86a2ebd0bb83abe17d36edc08ffd621afdf98f14 |
| SHA512 | 8864770837a3004ab44123e6637057ef64b6fbeb926d3064ef5b1a9c29796c4bce64ffa07304e0dec152adc54c194260edc51f3c475a84c94bae5f84d83ca0ef |
memory/2684-21-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2080-20-0x0000000003BB0000-0x0000000003C23000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\elxploreriothu.exe
| MD5 | 2d8b2f1e79fbd9bb922649afe2fd91e4 |
| SHA1 | ed2593c5497a844787525d20aeb08206fac7cf71 |
| SHA256 | 173cad168d1e4064098a002c523030f3cc4bb997c8e5a743fce87d9a0cb60dd0 |
| SHA512 | dd40e9e79e0e1eccf4265c47bc06dcfc812199fcc333d046aed67a716df1dc779b4638a31f61001a275f944da58d43eee84e82b99fd6518f5e5d2387e53dd24e |
memory/2080-25-0x0000000000400000-0x0000000000473000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lpath.ini
| MD5 | 6fa22cbe209fe66f58fae365dc1394a1 |
| SHA1 | 64782510384216673e2ab2f4261bca5ca2aaa3e7 |
| SHA256 | ea4c428dd784b4e57a40cbe966153fde96f577ca17ee6ad36e608a5c387287af |
| SHA512 | 8a2858cf6c06a7d1a5834a20337f4fbe3297e1db57b6fcbbc0a04bc4321742d344253bb55102df64a8b291e0eede67c4114d5da2feb9eba470f3e6c2a7adfff2 |
memory/2684-44-0x0000000000400000-0x0000000000473000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 06:43
Reported
2024-06-06 07:01
Platform
win10v2004-20240426-en
Max time kernel
4s
Max time network
151s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe
"C:\Users\Admin\AppData\Local\Temp\d42b007dfd55dc0a583f47e0f10a6543204b3f5ad735d907ba7205b128fd2c3f.exe"
C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe
"C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | i2.tietuku.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aq.qq.com | udp |
| HK | 203.205.234.112:80 | aq.qq.com | tcp |
| HK | 203.205.234.112:443 | aq.qq.com | tcp |
| US | 8.8.8.8:53 | ocsp.digicert.cn | udp |
| US | 163.181.154.236:80 | ocsp.digicert.cn | tcp |
| US | 8.8.8.8:53 | 236.154.181.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.234.205.203.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
memory/4540-0-0x0000000000400000-0x0000000000473000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe
| MD5 | 9eb1b8eead61ed69f041c8919254e8d6 |
| SHA1 | 5cd208d80844c755c8fef1b66acba9add36d43ea |
| SHA256 | eb52477d9c09e110da435b114de9a5b1893a6d2b8c528e942f27a2f419204801 |
| SHA512 | 27d58ff6f6fbdd9348d091393e1961d53fe8dc69b58e5e0d75ac84e4840cf3c65e4ecb0bccb5bb2673113c654f73147c40c70f6b09dff8899c96149628112858 |
memory/3484-43-0x0000000000400000-0x0000000000473000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\elxplorerttidx.exe
| MD5 | 2d8b2f1e79fbd9bb922649afe2fd91e4 |
| SHA1 | ed2593c5497a844787525d20aeb08206fac7cf71 |
| SHA256 | 173cad168d1e4064098a002c523030f3cc4bb997c8e5a743fce87d9a0cb60dd0 |
| SHA512 | dd40e9e79e0e1eccf4265c47bc06dcfc812199fcc333d046aed67a716df1dc779b4638a31f61001a275f944da58d43eee84e82b99fd6518f5e5d2387e53dd24e |
memory/4540-50-0x0000000000400000-0x0000000000473000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lpath.ini
| MD5 | 6fa22cbe209fe66f58fae365dc1394a1 |
| SHA1 | 64782510384216673e2ab2f4261bca5ca2aaa3e7 |
| SHA256 | ea4c428dd784b4e57a40cbe966153fde96f577ca17ee6ad36e608a5c387287af |
| SHA512 | 8a2858cf6c06a7d1a5834a20337f4fbe3297e1db57b6fcbbc0a04bc4321742d344253bb55102df64a8b291e0eede67c4114d5da2feb9eba470f3e6c2a7adfff2 |
memory/3484-56-0x0000000000400000-0x0000000000473000-memory.dmp