Overview

overview

10

Static

static

10

758c2c8078...57.exe

windows7-x64

10

758c2c8078...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2024, 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe

  • Size

    560KB

  • MD5

    cbf54780cdd334b9caf10f4980172192

  • SHA1

    50a2ee1b0e15b5a39f9ec7a826ccb4f98c465995

  • SHA256

    758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57

  • SHA512

    f7b2aedb9f3130ed976da7ca583f66fe38e3d48909055c9af309d4b12325216958f406b9afc1ee3ae71c9b60e1789e748c6f4d7262e00ac5265f65e446a53941

  • SSDEEP

    6144:Ig3oBabKfY+R9VGLj10B7F8zekO+nZd2G4cLUh2q/+Km//v0o+:VogOfY+R9VGLj10B7F8ywZdX45H+Kmn

Score
10/10
blackmoonbankerdiscoveryevasiontrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 14 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe
    "C:\Users\Admin\AppData\Local\Temp\758c2c807802282b562ce8b7174709292d7cb5aee2aa13195a3080d5412b7b57.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1122.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Windows\SysWOW64\mode.com
        mode con cols=15 lines=3
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1122.bat p
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\mode.com
          mode con cols=15 lines=3
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5112
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1133.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\SysWOW64\mode.com
        mode con cols=15 lines=3
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4212
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a +h +r "C:\test"
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1122.bat
    Filesize

    197B

    MD5

    b4292e00eff53ec1da95e7225285e779

    SHA1

    695289b0ffaa5ee7b4084304c976045806687ddd

    SHA256

    dc4a1e18e67015e250c8bd71dcbce8d2234e73219b7dfcf8fd13d0733e4c2030

    SHA512

    00dc64420d7b8fda21873e4dfe9ec5fc0aec15a296385ca801641f6a8894692f6aeada71445ef54330f1acf4be6ab436e4ad99f24933e844baa6055efd02f1b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1133.bat
    Filesize

    146B

    MD5

    d61001211982ac769bbb185be1950976

    SHA1

    c856d74768d978bed799edfc07819fc28ba8f604

    SHA256

    03d8643c798c6d1f7c25e3dde6f9a3cb17015295456e099af2681b4ba7895b27

    SHA512

    7080a7d2c54d927960d42063eeea3514ada396c680108d3345660b69149daa446c38848f64138ec075cc7bc9c39112147fabda3fdd7826e763e1b6d1b87f23f1

    Download Submit

  • memory/1352-12-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-13-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-8-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-9-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-10-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-11-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-2-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1352-0-0x0000000050000000-0x0000000050109000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1352-14-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-15-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-16-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-17-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-18-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-19-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-20-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1352-21-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download