Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-07-2024 13:35

General

  • Target

    0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe

  • Size

    676KB

  • MD5

    bd8f6a68e9bab31cab60ac88fd307310

  • SHA1

    4c6ca10b196448fd85d7979b15dda32ba23e2417

  • SHA256

    0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81

  • SHA512

    199ac6702c5f6bb8460ff5ba3484aa1cf3455393aa9ab9ccc863571ed3a6e7b6ef335f8a7bf925f020e501f664c4561fdaa4f49a5962d712d496ad114e9af8a3

  • SSDEEP

    12288:bg8fK/r8bYZYCtOhzodMDPStM8ePO2S4McLs:c8Gr8bYeCtOhzo6D2MG2Js

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe
    "C:\Users\Admin\AppData\Local\Temp\0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\AppData\Local\Temp\ZyOerf.exe
      C:\Users\Admin\AppData\Local\Temp\ZyOerf.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\174c3765.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1104
    • C:\Users\Admin\AppData\Local\Temp\WinDos.exe
      C:\Users\Admin\AppData\Local\Temp\WinDos.exe C:\Users\Admin\AppData\Local\Temp\isr.sys
      2⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\079C0849.exe

    Filesize

    4B

    MD5

    20879c987e2f9a916e578386d499f629

    SHA1

    c7b33ddcc42361fdb847036fc07e880b81935d5d

    SHA256

    9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

    SHA512

    bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

  • C:\Users\Admin\AppData\Local\Temp\1.bat

    Filesize

    126B

    MD5

    a35389ee8a311570bf047f784a1680b6

    SHA1

    f3c0aac747bbef4d349da9b843d6811fa5e6816b

    SHA256

    c73137478dcf5132e851006476da2d90add1817cb24421027c9d6b7b3cffdafe

    SHA512

    aa8c34ed2560139d409a96e540a825947acf95bb93606098ec24e714eb03d50d5bd3cd974de08546e5d98a859fc41864da946281ef036e06a879230d4354e207

  • C:\Users\Admin\AppData\Local\Temp\174c3765.bat

    Filesize

    187B

    MD5

    1f09d3d6b839727b89a2d0e76d58dfd4

    SHA1

    60a09d4a0f983dfa0e076146e78fdb996865bc91

    SHA256

    5aec79e46bea4b8536bd7a1a7dbc5c1bd35372f35415b9e257586e437817c339

    SHA512

    779766d22e1a141e836035fac7ac1a606705d0209f75ee811422670b3e4bfbaeed6e6619fbfa79071bc0660d89d13b6c379561b822b7e50473c58b5709ec9f28

  • C:\Users\Admin\AppData\Local\Temp\WinDos.exe

    Filesize

    134KB

    MD5

    3f69bcd2ab365cbd2ac3328b99123b83

    SHA1

    deb65ebfe716db9eb95ce4630c4b124e9f68618f

    SHA256

    49e79e780bdffbb236c7ec8fd08069330cf80ca37b5846f9d909631e10ebbce5

    SHA512

    ea6c7faa6bb2e13df24e0b195e300b9cce0b8a7b67a131352dedf97d8f5166d0523a646c676d6b5e1a1a4160752a10ca8490f09f1817b916df8b175c6e71c793

  • C:\Users\Admin\AppData\Local\Temp\ZyOerf.exe

    Filesize

    15KB

    MD5

    f7d21de5c4e81341eccd280c11ddcc9a

    SHA1

    d4e9ef10d7685d491583c6fa93ae5d9105d815bd

    SHA256

    4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

    SHA512

    e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

  • memory/1872-11-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

  • memory/1872-10-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

  • memory/1872-9-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/1872-35-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/1884-12-0x0000000000090000-0x0000000000099000-memory.dmp

    Filesize

    36KB

  • memory/1884-56-0x0000000000090000-0x0000000000099000-memory.dmp

    Filesize

    36KB