Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13-09-2024 17:31
General
-
Target
20240913791aaf93b77c02e7d80b1517a534553bicedid.exe
-
Size
2.5MB
-
MD5
791aaf93b77c02e7d80b1517a534553b
-
SHA1
209ae814e06aa4cb15b4dbec2784aa205b37dd7b
-
SHA256
1dc18af52769169af8305ff33857c0f317d7c62c78fbacb76ac5fd4d9a60416d
-
SHA512
82e1bd01a95a7225285bcda8420460164e8cd7f81490f3c5e54da572822256d403314ed824fb0f74d7ad270740c018983cee9b44f09c3c64fc234b8d811baff5
-
SSDEEP
49152:YZ0v0xeSxURL9RxYMWWN5YUwT0YwWWN5YUwTBLe:6w0xeS47n
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 34 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\20240913791aaf93b77c02e7d80b1517a534553bicedid.exe"C:\Users\Admin\AppData\Local\Temp\20240913791aaf93b77c02e7d80b1517a534553bicedid.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\20240913791aaf93b77c02e7d80b1517a534553bicedid.exeC:\Users\Admin\AppData\Local\Temp\20240913791aaf93b77c02e7d80b1517a534553bicedid.exe --2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\DxDiag.exeDxDiag.exe3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5d75a19d215223d2cbe165d70b5e0574d
SHA1300a572aa0e7123ff9c708b333b6dcfd662cd379
SHA2561bd0118c6744f06ac72f3e922fc2ebe1dd2c034155268754fd41015ddc323aff
SHA512140aa75ff75acd545e847dae2b17f50a539e643805a44ec3756476a56e9ff99c48247ae0f7a36b1fdc551d247296704ad9b495a4d895dfd73270c5b804ee6556
-
Filesize
368KB
-
Filesize
168KB
-
Filesize
40KB
-
Filesize
720KB
-
Filesize
948KB
-
Filesize
1.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
368KB
-
Filesize
720KB
-
Filesize
1.8MB
-
Filesize
40KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
40KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
2.6MB