Analysis

  • max time kernel
    149s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-06-2024 01:52

General

  • Target

    a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe

  • Size

    92KB

  • MD5

    813874e8444595219cfae82f3a61de65

  • SHA1

    385d5b25ca8a0cde312df93d2cf61cb369f5341e

  • SHA256

    a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9

  • SHA512

    b15bf917049352e8eafe33295e3bf257206205f2342d0c050d8481a23eb2c94baa43e3c693d2c17263672dbc64c5cb255925940c128c1435ed3644534768ef76

  • SSDEEP

    1536:Q/vTGudTe5k4Lo8KI2Z4yNcR5Mpk7WO9f2zXGYxTIx9JL8IoQ6CqZphk4:Q/bhOrBKIq4XR5Mpp+fw2CIx9JLYpk4

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • UPX dump on OEP (original entry point) 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe
    "C:\Users\Admin\AppData\Local\Temp\a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Local\Temp\Syslemlfgdr.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemlfgdr.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemlfgdr.exe

    Filesize

    92KB

    MD5

    ca4212d2b370fbd82141e254bc51bf72

    SHA1

    f917535ad47c49aaed46d1418f79a339fb242133

    SHA256

    4ae11d7632687b9beb3128dda5a54e95ca020ac62a26d6ae8be2a0560df1ef7d

    SHA512

    7bcb85d712cd166d50b874c5d6108b1e258ab31f0910a12dfd8b4b9241489cf27077cb134d2b2a089c66ec6bf86f077fdadded1fe75bd5542ce6ce5d9d48d127

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    4ef3e771343e96efe159584d3443e44d

    SHA1

    c35cdf799d3050a312d82463240562af56e1efdd

    SHA256

    d90999f33e57288fcb6d7a7de2374cc540597af60ae31f264cfaa1443ec31559

    SHA512

    0a95b2bed81717095bd6ee0e3a428ce9a9d128cabcddb8c872ef49c713e4ee3f0b193cee8dc7be0e8a5310166ad81311abcc82154e4788a83234ef5137ba2beb

  • memory/2232-18-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/4176-0-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/4176-2-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/4176-4-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/4176-16-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB