Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-06-2024 04:30

General

  • Target

    3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe

  • Size

    431KB

  • MD5

    958d1b88d6e33021458a2f1b47d383b0

  • SHA1

    bd9ff9b24f1955c73bb2dd3d3bbdf47a5eb13b1d

  • SHA256

    3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7

  • SHA512

    2beb4ee9f743c566e02c3074c5a8b8cd04da8b3a0c980893f84415dcb105e25db09080419d53a57e45dbca867310b19b5e8e554afe42ecc6ae96a1a8aae6ea78

  • SSDEEP

    6144:cT5J63Fm3b7yOE7Hvpu5CaGi4mUf95TtC4uP2scqAO:c4Fm3b7yOAHNar4mUf9lJ82scqAO

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\Systemrehms.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemrehms.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2588

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\path.ini

    Filesize

    117B

    MD5

    39a6ad471d41bfb9cb334d5abfcb759b

    SHA1

    f11f37039c94dc6b041c150d2fa0b9bb562a2954

    SHA256

    1ab620a9bc3645fc6c400712a8437c264a53956599089e1d30b155ecfa853f21

    SHA512

    5d28ec0c46c8b547c896ba443d9ed201bbb00456226671feba95b841cd56b272eb01ec8a4c3849235283e777d8d5c5d68dc407178446269bbf58f0f600a85af7

  • \Users\Admin\AppData\Local\Temp\Systemrehms.exe

    Filesize

    431KB

    MD5

    db69d1ca36fdd76247fe27eedb33e63e

    SHA1

    d60482cea9338e8638fbd865d20b211d50dcb28e

    SHA256

    6dac6c28ad287ad4fd7e31ced3ae5e7216f6b9030fab2e6867fcf38831aba796

    SHA512

    e56d65a8ebc9ac45f2963fd93e362043e2752c09c7c959f051b0faecdc00cb182293cdd8f5fe46a1348e0f4b5eccb4fdb544fda25b656062ff49e772c9d50473