Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-06-2024 02:47

General

  • Target

    b9ca606658b39a99c38615c721f77ca56cd80b8836d353030ab8a61cadd4a8f8.exe

  • Size

    436KB

  • MD5

    ac9daffa76a3b5e63e636ed8414b558d

  • SHA1

    b708c0bcd1722c4d10dfeacb87d865ee45d94540

  • SHA256

    b9ca606658b39a99c38615c721f77ca56cd80b8836d353030ab8a61cadd4a8f8

  • SHA512

    9fd132a031ce744820877590f171e4334ccd3217965c86f5b8e7426c0db37297c5d4d60893743d6c5d59f97cce50fdf5381977e71e7023992a7f413adc2f2b4a

  • SSDEEP

    6144:dGdR+Yk/N8duBmG6t+UnRsRCQ/OJZOg7F:doR+Y4NSG6oUnRsdOJZOg7F

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9ca606658b39a99c38615c721f77ca56cd80b8836d353030ab8a61cadd4a8f8.exe
    "C:\Users\Admin\AppData\Local\Temp\b9ca606658b39a99c38615c721f77ca56cd80b8836d353030ab8a61cadd4a8f8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Local\Temp\Syslemcdafe.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemcdafe.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemcdafe.exe

    Filesize

    436KB

    MD5

    c6d62bba94976240ca25ede498cf52b5

    SHA1

    33b1f35bc9dbf7bb0ff6d80cc8a131eeb41e07ca

    SHA256

    dff5bb3f76f07f26848443175106814c869f0df40b0f615a4a03d4cfbc39ec36

    SHA512

    f8c3b682d2e1b1c5bd385e35ddad0de1ac5e62eca2029b6a54acc0b9b4fb7ed2d816046be624b621d822d13f526156d8628eec95159ce1636a451da6ad18d419

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    17c35829704a5656831d2ebf0f1cc0a5

    SHA1

    965ab52fecd3001de22bd540f2d7307a9cf7ddc0

    SHA256

    d5d8dc4bb2488121215f8e9f186bb9a7eb06ba932ed99d8a3ca2cd08f2e742ff

    SHA512

    fc1101cfe2182d00376dc9bf9d7160ceb73e8f6437c9b57167208b0d2c6371235b8145b0b360541fd8119f9f15150209554eaa3b77a46837991f12dff57e3d01