Analysis

  • max time kernel
    119s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 08:06

General

  • Target

    c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe

  • Size

    80KB

  • MD5

    8cfa8e7334c202857fb9677243a91c20

  • SHA1

    2934bd7a067cce381bd1dda9e31bdcdb37f81553

  • SHA256

    c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512

  • SHA512

    af56a36b9ec45874db3435a817f5d1b6eb10396e5f0dc82cb648413d083faa925ac2c9fdbc8b4699135afe1e48150584d7ca8c8886e900da99de7fa2b2ac2886

  • SSDEEP

    1536:ITJxjZZ29Up2U7O0Ov15+o46zqMi9G7WXnQQvaWh3zWKfx/t126a63H:SHZ2up5JkH+o46LuRXnLdpzp/tg6Z3H

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
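
The two location-discovery signatures above (the registry country-code lookup and the system-language check) are one-line summaries. The Python below is an added example, not part of the Triage report or its signature engine: it shows the correlation a detection actually needs, namely that a read of the "Nation" value only counts when the same process first opened the Geo key, so an unrelated "Nation" read is not flagged. The registry path and the API names are the usual Windows ones and are assumed rather than taken from the page; the trace lines are constructed, in a generic shape, not Triage's own format.

```python
import re

# Constructed API-trace lines in a generic "<pid>:<api>(<args>) -> <ret>" shape.
# This is invented sample input: not Triage's trace format, and not a record of
# what the sample on this page actually called.
SAMPLE_TRACE = r"""
3356:RegOpenKeyExW(HKEY_CURRENT_USER, "Control Panel\International\Geo") -> 0
3356:RegQueryValueExW(0x2a4, "Nation") -> 0
3356:GetUserDefaultUILanguage() -> 0x409
3356:GetLocaleInfoW(0x400, LOCALE_SISO3166CTRYNAME) -> "US"
3356:CreateFileW("C:\Users\Admin\AppData\Local\Temp\Syslemsunux.exe", GENERIC_WRITE) -> 0x2b0
4560:RegQueryValueExW(0x2b8, "Nation") -> 2
4560:GetSystemDefaultLCID() -> 0x409
4560:GetTickCount() -> 4042761
"""

LINE_RE = re.compile(r"^(?P<pid>\d+):(?P<api>\w+)\((?P<args>.*)\) -> (?P<ret>.*)$")

# Assumed indicators (not stated on the page): the configured country code lives
# under HKCU\Control Panel\International\Geo in the "Nation" value, and the UI /
# system language is read through the GetUserDefault*/GetSystemDefault*/GetLocaleInfo* family.
GEO_KEY_RE = re.compile(r"Control Panel\\International\\Geo", re.IGNORECASE)
NATION_VALUE_RE = re.compile(r'"Nation"', re.IGNORECASE)
LANG_APIS = {
    "GetUserDefaultUILanguage", "GetSystemDefaultUILanguage",
    "GetUserDefaultLCID", "GetSystemDefaultLCID",
    "GetUserDefaultLangID", "GetSystemDefaultLangID",
    "GetLocaleInfoA", "GetLocaleInfoW", "GetLocaleInfoEx",
}


def classify_trace(text):
    """Map each pid to the set of location-discovery signatures it triggered."""
    hits = {}
    opened_geo = set()  # pids that opened the Geo key; a bare "Nation" read elsewhere is not enough
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # blank or non-trace line
        pid, api, args = int(m["pid"]), m["api"], m["args"]
        flags = hits.setdefault(pid, set())
        if api.startswith("RegOpenKeyEx") and GEO_KEY_RE.search(args):
            opened_geo.add(pid)
        elif api.startswith("RegQueryValueEx") and NATION_VALUE_RE.search(args) and pid in opened_geo:
            flags.add("checks_computer_location")
        elif api in LANG_APIS:
            flags.add("system_language_discovery")
    return {pid: flags for pid, flags in hits.items() if flags}


if __name__ == "__main__":
    for pid, flags in sorted(classify_trace(SAMPLE_TRACE).items()):
        print(pid, sorted(flags))
```

On the constructed trace, pid 3356 triggers both signatures, while pid 4560 triggers only the language check: its "Nation" read happens on a handle that was never opened on the Geo key, so it is not counted.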

Processes

  • C:\Users\Admin\AppData\Local\Temp\c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe
    "C:\Users\Admin\AppData\Local\Temp\c16eb6670f29ff6665dfb026e4438c119c0c55e7b5d5d66aee9311a989615512N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Users\Admin\AppData\Local\Temp\Syslemsunux.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemsunux.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemsunux.exe

    Filesize

    80KB

    MD5

    a1da8ef954dbca80687321cf8067a371

    SHA1

    9cbed8463ce02364eaf547840e2d9e85861adc69

    SHA256

    a43e9de1c7aa5bdf2a6f9ce5d373bc4e46bfecbce74b8dd80c5e66004b536eaf

    SHA512

    5f0bcf8522d27ad84d13ec6ceb001eb0178824924dcba0a183b47c42403e6e24a1a552ea86b7f694832b8a3f713eb92e479b75cbdee6315d81cd3623d144d6d1

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    103B

    MD5

    fe345ad5f8b23717307b0722b2e6be11

    SHA1

    1b898ac380f34691c357daa9d746df8060fb115d

    SHA256

    dc3a6784497c84c75af526c02a22e0de7ac29b5315ed6077a74fbce81a86e8ce

    SHA512

    fd76b0d9e282a1a42a583fe4b388fe39797c83106e01d8b68407cc21b71e24ae925e76fd66bf9a2d5320dd65630841474da0e7dfa93f31648e935a541efab317

  • memory/3356-0-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3356-14-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4560-16-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB
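
All three memory dumps above are 440KB regions mapped at 0x400000, while both executables are 80KB on disk; together with the UPX signature, that size gap is the first thing an analyst checks. The Python below is an added example, not the report's own tooling: it parses the dump names, flags the in-memory to on-disk ratio, and walks a PE section table for the UPX0/UPX1 section names. The dump-name layout and the 2x ratio threshold are assumptions, and the PE bytes it scans are a constructed header-only stub, not the sample from the report.

```python
import re
import struct

# Dump names as listed under "Downloads" on this report page.
DUMP_NAMES = [
    "memory/3356-0-0x0000000000400000-0x000000000046E000-memory.dmp",
    "memory/3356-14-0x0000000000400000-0x000000000046E000-memory.dmp",
    "memory/4560-16-0x0000000000400000-0x000000000046E000-memory.dmp",
]
ON_DISK_SIZE = 80 * 1024  # "80KB" for both the sample and the dropped Syslemsunux.exe

# Assumed name layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump_name(name):
    """Return pid, sequence number, address range and byte size for one dump name."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def likely_packed(in_memory_size, on_disk_size, ratio=2.0):
    """Flag an image whose mapped size is several times the file size: the usual
    footprint of a packer that inflates the file's sections at run time."""
    return in_memory_size >= ratio * on_disk_size


def pe_section_names(data):
    """Walk the PE section table and return the 8-byte section names as strings."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt  # 4-byte signature + 20-byte COFF header + optional header
    if table + 40 * num_sections > len(data):
        raise ValueError("truncated section table")
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(section_names):
    """Stock UPX names its sections UPX0/UPX1 (keeping the original .rsrc); a modified
    UPX build may rename them, so treat a miss as 'unknown', not as 'unpacked'."""
    return any(n.upper().startswith("UPX") for n in section_names)


def build_stub_pe(section_names, size_opt=0xE0):
    """Constructed test input: a header-only PE32 with the given section names.
    It is not a runnable executable and is not the sample from the report."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 optional-header magic
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    for name in DUMP_NAMES:
        d = parse_dump_name(name)
        print(f"pid {d['pid']}: {d['size'] // 1024}KB mapped at {d['start']:#x}, "
              f"packed={likely_packed(d['size'], ON_DISK_SIZE)}")
    for names in (["UPX0", "UPX1", ".rsrc"], [".text", ".rdata", ".data"]):
        print(names, "->", looks_upx_packed(pe_section_names(build_stub_pe(names))))
```

The 0x400000 start address is the default image base of a non-relocated 32-bit PE, which matches the arch:x86 tag on the report; the region size 0x6E000 works out to exactly the 440KB shown, 5.5 times the 80KB file. Run `pe_section_names` against the dropped Syslemsunux.exe itself to confirm the UPX section names before relying on the size heuristic alone.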