Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 02:44

General

  • Target

    66bde9323a3a0cde332d44d028851b5d8e142028577b99dfb6e72bf54f59f1da.exe

  • Size

    462KB

  • MD5

    dad4ebcc69cdf2d83e9814f6638bb51c

  • SHA1

    63b7eee82aaa60e0adf700c705aae339405c6042

  • SHA256

    66bde9323a3a0cde332d44d028851b5d8e142028577b99dfb6e72bf54f59f1da

  • SHA512

    40d2457c2b4f708a25f0c7bf12cf41ac3aee0b1536ae7872197ec5995deac2b7d1f26bcd9ba530cee371398cba23e52b0aa383067370ed0614b522a90da66cc9

  • SSDEEP

    6144:wRjJhgaAis0/28moPv6nFQUfmnYYSny4SHSnHByE3QMYFZn:WjJhVxVO8dH6TfrYFZn

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 8 IoCs
  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

  • Fatal Rat payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in Program Files directory 10 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66bde9323a3a0cde332d44d028851b5d8e142028577b99dfb6e72bf54f59f1da.exe
    "C:\Users\Admin\AppData\Local\Temp\66bde9323a3a0cde332d44d028851b5d8e142028577b99dfb6e72bf54f59f1da.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Users\Admin\AppData\Local\Temp\nyntm9yru8fftn2\spower.exe
      C:\Users\Admin\AppData\Local\Temp\nyntm9yru8fftn2\spower.exe
      2⤵
      • Executes dropped EXE
      PID:2068
    • C:\Users\Admin\AppData\Local\Temp\nyntm9yru8fftn2\upssvc.exe
      C:\Users\Admin\AppData\Local\Temp\nyntm9yru8fftn2\upssvc.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2928
    • C:\ProgramData\NVIDIARV\svchost.exe
      C:\ProgramData\NVIDIARV\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1104
    • C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /Create /SC ONLOGON /TN WindowsUpdata /F /RL HIGHEST /TR C:\Users\Public\Picturesnyntm9yr\CCCef3Render.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3312
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4104,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
    1⤵
      PID:3156
    • C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe
      "C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe" -Embedding
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2188

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microvirt\MEmuHyperv\MEmuDDU.dll

      Filesize

      355KB

      MD5

      ce98c3cbd7bfcca2755b35e77a2bceb2

      SHA1

      c12c20bb69e7858682ab6bb21ca3971880efdc07

      SHA256

      1ec46488b2db690f6f769c6cfa7e3021ee6f88096303f04be43f3f2150d8c946

      SHA512

      dfc4f4b300cd2dc0d0f19b415da157b15ce666e1927266feb7a445ffb9199620bb7fc55746239f81fd3f79133c64c8d41822ccddc625288a33a6737a062faee5

    • C:\Program Files\Microvirt\MEmuHyperv\MEmuRT.dll

      Filesize

      3.8MB

      MD5

      56719cc92af72f56f46a5798b1430d9e

      SHA1

      497456e1b225a541058c8d7f96f2a3ef082d147c

      SHA256

      ca5e9919a5b3612a2faaab0f08f3e95db69e3d88d821a706c5d68d3f0d86d060

      SHA512

      5ca3fd7d6f86c5969949e55669c315287084633ccd42aae45cef170bce4fb05071637aaf6a9fce973cdb32003fdf02e184c8dc5aa3c327a17d3889084e07637a

    • C:\Program Files\Microvirt\MEmuHyperv\MSVCP100.dll

      Filesize

      612KB

      MD5

      89acd78f8c6d92947b3fcc78c7493036

      SHA1

      3317bd26eda9a7a0d49dfcfe27673d96b2873c95

      SHA256

      e7675926ff8f230e3ce88de65e47ab3fd6f8d617a93e062dd9ecc4226e9d16c0

      SHA512

      08ddb16ab60ea0f531f7853dc6a66a7a2302516e1b54258f2884528a4304cb05111b073d15387702c359f00bd96156043cadddd2b230bfa8bd288b578a11225f

    • C:\Program Files\Microvirt\MEmuHyperv\MSVCR100.dll

      Filesize

      830KB

      MD5

      34b2d5ad1c7c600f9d24660928a03382

      SHA1

      ab9621342ada12b355ea5fcd76b666193898c11b

      SHA256

      d7d6ff911503e848ffc6c0ba43382cc2e1e00b367d55ffdb883c54b688c5c28e

      SHA512

      0d86a396f81864c9ce5a57090fd45745f8c66a28f78fb469a6d62ce01c519f6a0c58d904afa99baef2f74ae4fe2308dc710c901d0394779837b82748679363fa

    • C:\Program Files\Microvirt\MEmuHyperv\libcrypto-1_1-x64.dll

      Filesize

      2.6MB

      MD5

      6def652fd7e5207c374fc51534bda953

      SHA1

      ee23eab28dd67ce96e7799a31801580c824cde5f

      SHA256

      80677a75588101ca6da2a22b74c02bd5b91aba2a62d1bce20d07370a9ddf0118

      SHA512

      f3284532571bfb83a622b019040e4882866941c66a06a9c83da23a1a820b940c48ffedd1d109c799b64d6bd30775cdb9ea1067869f565116653988bd763552a8

    • C:\Program Files\Microvirt\MEmuHyperv\libcurl.dll

      Filesize

      365KB

      MD5

      75b9bbfcf9581252474a5d1daa6e6641

      SHA1

      0fb1cfa16bf68fb13ba9816c2354af358bded167

      SHA256

      c78b0aa24630b35dfd3030626f873a89a39944ffa620b6afb42ae50eb1618f4b

      SHA512

      ed527526fd6053425fcefdfa5174d7dfa3b3b3601f33f8019b1215c9f1b85d823910f5a02c9bdd296d70058a516f9d464f42e712903144315e17f4ce7ad17561

    • C:\Program Files\Microvirt\MEmuHyperv\libssl-1_1-x64.dll

      Filesize

      639KB

      MD5

      2b242983d5fc098515105268eb22f0b7

      SHA1

      6a660eae893f16b988b44ec943a8dacf808f467e

      SHA256

      1679808a0a410e73d7807c1facfd0ce0ee1e6270b35d29dcdf0a8977c17418ac

      SHA512

      905b01240f92124f71acd61a075887d89a83699681f585a246aa44b9d514829adec5ab827d720c7c7eccd8392698ee3f18fe9b2f7fcd81000cb0f40caa28ff06

    • C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe

      Filesize

      4.6MB

      MD5

      8c1eca3e2fe8f5fd1a0ce4b4a8cf4409

      SHA1

      8d45e044cbdcf645fe359864bc700b2568032687

      SHA256

      6ef47689ea1309e43869ec59861a677fe4e40cf03eb89386fc7d32fc516e9671

      SHA512

      4bf03b1453fa1f1bed14cb133c01c7b9b348f82da775bbbeaefc7867d348928c265b6b38623ced8b711138876365d63a669955920a5b5ae119975184297fe54f

    • C:\ProgramData\NVIDIARV\svchost.exe

      Filesize

      3.4MB

      MD5

      2245645176fda20e229c972cf00329cd

      SHA1

      7c42fa190c87252db3a2d9b39932721183a0d7b5

      SHA256

      0713e9742f7920fc0f1b2c062dce06041f7a0d509e2408328da8db32bb8cafdc

      SHA512

      bdf3e6f553f4a8f7609bbe6401f847c3f43d559ba5e0f8ee7395c8e7449b6fa8c319f064d6a37bcab97a4fc3cf3379058b4d71ad17bb0d741946447a2a1c6247

    • C:\Users\Admin\AppData\Local\Temp\nyntm9yru8fftn2\spower.exe

      Filesize

      1.1MB

      MD5

      7d36f6333547acc3b7dc83e082f90e45

      SHA1

      dd1ebd454970b5a1791ed3fcc240fe15a5906f91

      SHA256

      7b29d4f45a4353b32ca1f5e3a79ef87e7dda5f1572100cce70aaf2fa6c9d25b9

      SHA512

      93bf4fa081eb341a87c7c43d5bb6e45fedfeee71161d782a02d07072741684320379e87b4c660a3a4b716141e25a24ffce760e4b04613dbd6df27bf001abf123

    • C:\Users\Admin\AppData\Local\Temp\nyntm9yru8fftn2\upssvc.exe

      Filesize

      147KB

      MD5

      68a6e6dfdd09a7e7fb8d31b104d9c40c

      SHA1

      688e015ec4a38df2b24e2adadcce2c67cb513167

      SHA256

      f1ffc36d0a457653cb1f86a094e31d870155f2f090c9f38836a56c7893e73e4e

      SHA512

      633eb75c51a730ca37f4287ea26017523d70f8c4a34c656e2ee7aaa2a99ed697a679ee395d345cef6942ae28cae199513943250cae2f0dd33d52bf5241586aca

    • C:\Users\Public\Pictures\temp.tmp

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • memory/1104-67-0x0000000010000000-0x000000001002D000-memory.dmp

      Filesize

      180KB

    • memory/1104-65-0x0000000000400000-0x000000000091A000-memory.dmp

      Filesize

      5.1MB

    • memory/2068-50-0x00007FF7188F0000-0x00007FF718B23000-memory.dmp

      Filesize

      2.2MB

    • memory/2068-53-0x00007FF7188F0000-0x00007FF718B23000-memory.dmp

      Filesize

      2.2MB

    • memory/2928-59-0x00007FF738E20000-0x00007FF738E6A000-memory.dmp

      Filesize

      296KB

    • memory/2928-57-0x00007FF738E20000-0x00007FF738E6A000-memory.dmp

      Filesize

      296KB

    • memory/2928-55-0x00007FF738E20000-0x00007FF738E6A000-memory.dmp

      Filesize

      296KB

    • memory/4368-3-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/4368-2-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/4368-0-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/4368-1-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/4368-60-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/4368-13-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/4368-20-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/4368-27-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/4368-73-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB