Overview

overview

10

Static

static

7

d13d426640...47.exe

windows7-x64

10

d13d426640...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/06/2024, 01:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d13d426640a0f2cc07aa6837bc16d786eb17f3e1799e97a1bb18495051cf8947.exe

  • Size

    560KB

  • MD5

    6f5ec28062ca6d4425335da4d654c897

  • SHA1

    d2a72aa3a855684221e2370120436b2e97380d8e

  • SHA256

    d13d426640a0f2cc07aa6837bc16d786eb17f3e1799e97a1bb18495051cf8947

  • SHA512

    569ac07b478dacbe1e9f23dc834f14efdeefbfabaef877aa78ce34012641b6ef35c41f76ff2a81609d4d82235f5fb5492485182b2330afb66ef9e298c073a5b5

  • SSDEEP

    12288:0tk7vmrqRL4Ap9Kc/auAsCGgJI8a1qb6q2PJriPVIvwz7b3KoLJ+oSH:0tcEqRMK/auAsCGgJIRq2PxiPVscbaSu

Score
10/10
blackmoonbankertrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 3 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:332
  • C:\Users\Admin\AppData\Local\Temp\d13d426640a0f2cc07aa6837bc16d786eb17f3e1799e97a1bb18495051cf8947.exe
    "C:\Users\Admin\AppData\Local\Temp\d13d426640a0f2cc07aa6837bc16d786eb17f3e1799e97a1bb18495051cf8947.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1228
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3892,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=1444 /prefetch:8
    1⤵
      PID:4228

    Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Dll2.dll
            Filesize

            154KB

            MD5

            6206e7bd72ee6c7df5e2a13b19a05303

            SHA1

            88260d9da5e75ae2aa7d4a671de0e1807ebf006d

            SHA256

            0f63d0cdd05e5308a25e9414136bbc2d1898ea3cfda9388d5af1796b47d40106

            SHA512

            85d93562567eeea776f9aeb618ecd5ffcf936d04fc2303aea7c1d36cb446231fb56ff529cf7449e639fe8966d51571607875ac5ae63757e00aded368da70998b

            Download Submit

          • memory/332-8-0x00000000003F0000-0x00000000003F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/332-11-0x000001A12CB90000-0x000001A12CCC8000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/332-14-0x000001A12CB90000-0x000001A12CCC8000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1228-0-0x0000000000400000-0x0000000000629000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/1228-1-0x0000000000400000-0x0000000000629000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/1228-9-0x0000000000400000-0x0000000000629000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/1228-12-0x0000000000400000-0x0000000000629000-memory.dmp

            Filesize

            2.2MB

            Download