Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    21-06-2024 01:52

General

  • Target

    a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe

  • Size

    92KB

  • MD5

    813874e8444595219cfae82f3a61de65

  • SHA1

    385d5b25ca8a0cde312df93d2cf61cb369f5341e

  • SHA256

    a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9

  • SHA512

    b15bf917049352e8eafe33295e3bf257206205f2342d0c050d8481a23eb2c94baa43e3c693d2c17263672dbc64c5cb255925940c128c1435ed3644534768ef76

  • SSDEEP

    1536:Q/vTGudTe5k4Lo8KI2Z4yNcR5Mpk7WO9f2zXGYxTIx9JL8IoQ6CqZphk4:Q/bhOrBKIq4XR5Mpp+fw2CIx9JLYpk4

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • UPX dump on OEP (original entry point) 5 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe
    "C:\Users\Admin\AppData\Local\Temp\a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\Syslemwejhn.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemwejhn.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    4ef3e771343e96efe159584d3443e44d

    SHA1

    c35cdf799d3050a312d82463240562af56e1efdd

    SHA256

    d90999f33e57288fcb6d7a7de2374cc540597af60ae31f264cfaa1443ec31559

    SHA512

    0a95b2bed81717095bd6ee0e3a428ce9a9d128cabcddb8c872ef49c713e4ee3f0b193cee8dc7be0e8a5310166ad81311abcc82154e4788a83234ef5137ba2beb

  • \Users\Admin\AppData\Local\Temp\Syslemwejhn.exe

    Filesize

    92KB

    MD5

    df66c8e462b2d31b8ae0d0ab9bd34aca

    SHA1

    7dc5017d1c32b6138e35f64615118c29ec5b8c78

    SHA256

    0510eb507aca57f527f59e81909f3cef4e763a1157e35b4bd9dcae9d71bfb3a7

    SHA512

    0f28c554a40d8bbc39a2972e03ce0a07819d01c4254a453d07422aa8163e7ce5d1734f81dfb00afa9153c7aca0855f3165207f1cbcd534f1a1a073d8345e4bbe

  • memory/1576-0-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1576-9-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1576-15-0x0000000002B80000-0x0000000002BFF000-memory.dmp

    Filesize

    508KB

  • memory/2744-17-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2744-21-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB