Overview

overview

10

Static

static

10

2024091379...id.exe

windows7-x64

10

2024091379...id.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-09-2024 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20240913791aaf93b77c02e7d80b1517a534553bicedid.exe

  • Size

    2.5MB

  • MD5

    791aaf93b77c02e7d80b1517a534553b

  • SHA1

    209ae814e06aa4cb15b4dbec2784aa205b37dd7b

  • SHA256

    1dc18af52769169af8305ff33857c0f317d7c62c78fbacb76ac5fd4d9a60416d

  • SHA512

    82e1bd01a95a7225285bcda8420460164e8cd7f81490f3c5e54da572822256d403314ed824fb0f74d7ad270740c018983cee9b44f09c3c64fc234b8d811baff5

  • SSDEEP

    49152:YZ0v0xeSxURL9RxYMWWN5YUwT0YwWWN5YUwTBLe:6w0xeS47n

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 7 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20240913791aaf93b77c02e7d80b1517a534553bicedid.exe
    "C:\Users\Admin\AppData\Local\Temp\20240913791aaf93b77c02e7d80b1517a534553bicedid.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3756
    • C:\Users\Admin\AppData\Local\Temp\20240913791aaf93b77c02e7d80b1517a534553bicedid.exe
      C:\Users\Admin\AppData\Local\Temp\20240913791aaf93b77c02e7d80b1517a534553bicedid.exe --
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\SysWOW64\DxDiag.exe
        DxDiag.exe
        3⤵
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:3264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\20240913791aaf93b77c02e7d80b1517a534553bicedid.exe
    Filesize

    2.5MB

    MD5

    24185e7e4823c71950f404cdb8c23682

    SHA1

    92ad241a0e45b74f610e65b4efb71b7ae756835f

    SHA256

    51580eb14f659431f7b2d6b49a6b84792604ab180be07ec1687543fae90f251f

    SHA512

    4467d75bbdac5831680142692e21925685e6b43e330858c4bc88d32a7c25e1351140bf780ec15ad8b0b7b8a7b5a73f3fc7bfa141538263250ee4db4967be4aca

    Download Submit

  • memory/1876-26-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3264-28-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-30-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-9-0x0000000004840000-0x000000000492D000-memory.dmp

    Filesize

    948KB

    Download

  • memory/3264-20-0x0000000004C00000-0x0000000004CB4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/3264-5-0x0000000010000000-0x00000000101D3000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3264-34-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-4-0x0000000004770000-0x0000000004771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-13-0x0000000004930000-0x00000000049E4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/3264-29-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-40-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-39-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-38-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-37-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-36-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-35-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-27-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

    Download