Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 23:24 UTC

General

  • Target

    造梦西游5魂殇修改器.exe

  • Size

    468KB

  • MD5

    59d71e81bca65c7f790d33d317dbe4cc

  • SHA1

    01fa3b6561274da9d1c5550679e092033a3bb2af

  • SHA256

    fe5fa6f567d0d5b03e1e38d922fbbfab5f687e2192ffc0585c87dea14f00146c

  • SHA512

    d7a6990b6298e812ca014521a2a4a0976654eb8fb9d0a4911a1576f37b393d70a7f245e9b52aa074e1c3d9fe917093319f32c70017eb7e911f3937be67d4ff21

  • SSDEEP

    6144:6a4f07to4inSxvRUNzasgXO88SqER3GsAp5/pv:N4f0a4iSxgzasgP75RNA

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\造梦西游5魂殇修改器.exe
    "C:\Users\Admin\AppData\Local\Temp\造梦西游5魂殇修改器.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\SysWOW64\Explorer.exe
      Explorer /n,C:\Users\Admin\AppData\Local\Temp\ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2112
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Users\Admin\AppData\Local\Temp\ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe
      "C:\Users\Admin\AppData\Local\Temp\ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.4399hs.com/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1088 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2532
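One detail of the tree above is worth a detection: the submitted sample (PID 2096) does not start the dropped file itself. It runs `Explorer /n,<path to dropped file>` (PID 2112), and the file then appears as a child of the desktop `C:\Windows\explorer.exe` (PID 2448, started via the `/factory,{...} -Embedding` DCOM activation), so the parent chain from the sample is broken and the only join key between the two branches is the file path. The script below is an added example, not part of the report or of any Triage tooling: it takes process-creation events (constructed here from the PIDs, images and command lines on this page; the parent PIDs 1000 and 600 of the two top-level processes are assumed) and reports every executable that was handed to `Explorer /n,` by one process and later started under a different explorer.exe.

```python
"""Link an 'Explorer /n,<file>' request in one process branch to the start of
that same file under a different explorer.exe in another branch."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str


# Matches "Explorer /n,<path>" or "C:\...\explorer.exe /n,<path>", path optionally quoted.
EXPLORER_OPEN = re.compile(
    r'(?:^|\\)explorer(?:\.exe)?"?\s+/n,\s*"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)

Finding = Tuple[int, int, int, str]  # (requester pid, launching explorer pid, child pid, image)


def find_explorer_relaunches(events: List[ProcEvent]) -> List[Finding]:
    """Return one finding per executable that process A passed to 'Explorer /n,'
    and that later started with an explorer.exe other than A or A's own
    Explorer stub as its parent. The image path is the only join key."""
    by_pid: Dict[int, ProcEvent] = {ev.pid: ev for ev in events}
    # normalised path -> (pid that ran the Explorer stub, pid of the stub itself)
    requests: Dict[str, Tuple[int, int]] = {}
    for ev in events:
        m = EXPLORER_OPEN.search(ev.cmdline)
        if m and ev.image.lower().endswith("explorer.exe"):
            requests[m.group("path").lower()] = (ev.ppid, ev.pid)

    findings: List[Finding] = []
    for ev in events:
        hit = requests.get(ev.image.lower())
        if hit is None:
            continue
        requester, stub = hit
        parent = by_pid.get(ev.ppid)
        if (parent is not None
                and parent.image.lower().endswith("\\explorer.exe")
                and parent.pid not in (requester, stub)):
            findings.append((requester, parent.pid, ev.pid, ev.image))
    return findings


# Constructed events mirroring the report's process tree. PIDs, images and
# command lines are the page's; the parent PIDs of the two top-level processes
# (1000 for the sample, 600 for the DCOM-started explorer.exe) are assumptions.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPED = TEMP + r"\ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe"
EVENTS = [
    ProcEvent(2096, 1000, TEMP + r"\造梦西游5魂殇修改器.exe",
              '"' + TEMP + r'\造梦西游5魂殇修改器.exe"'),
    ProcEvent(2112, 2096, r"C:\Windows\SysWOW64\Explorer.exe", "Explorer /n," + DROPPED),
    ProcEvent(2448, 600, r"C:\Windows\explorer.exe",
              r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    ProcEvent(2628, 2448, DROPPED, '"' + DROPPED + '"'),
    ProcEvent(1088, 2628, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" http://www.4399hs.com/'),
]

if __name__ == "__main__":
    for requester, launcher, child, image in find_explorer_relaunches(EVENTS):
        print(f"PID {requester} asked Explorer to open {image}; "
              f"it started as PID {child} under explorer.exe PID {launcher}")
```

On real telemetry (Sysmon event 1 or EDR process-start records) the same join works as long as the command line of the Explorer stub is captured; without it the two branches look unrelated.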

Network

  • DNS query from 造梦西游5魂殇修改器.exe to 8.8.8.8:53
    Request: 1212.ip138.com IN A
    Response: 1212.ip138.com IN CNAME waf.ip138.com
              waf.ip138.com IN A 110.81.155.137
              waf.ip138.com IN A 59.57.13.133
              waf.ip138.com IN A 59.57.13.182
              waf.ip138.com IN A 59.57.14.11
              waf.ip138.com IN A 110.81.155.138
  • DNS query from ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe to 8.8.8.8:53
    Request: hunshang.oss-cn-hangzhou.aliyuncs.com IN A
    Response: hunshang.oss-cn-hangzhou.aliyuncs.com IN A 118.31.219.202
  • DNS query from IEXPLORE.EXE to 8.8.8.8:53
    Request: www.4399hs.com IN A
    Response: no answer records recorded
  • DNS query from 造梦西游5魂殇修改器.exe to 8.8.8.8:53
    Request: ip.qq.com IN A
    Response: ip.qq.com IN A 0.0.0.1
  • DNS query from 造梦西游5魂殇修改器.exe to 8.8.8.8:53
    Request: hao.ug118.com IN A
    Response: no answer records recorded
  • 110.81.155.137:80
    1212.ip138.com
    造梦西游5魂殇修改器.exe
    152 B
    3
  • 118.31.219.202:80
    hunshang.oss-cn-hangzhou.aliyuncs.com
    ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe
    152 B
    3
  • 110.81.155.137:80
    1212.ip138.com
    造梦西游5魂殇修改器.exe
    152 B
    3
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls
    iexplore.exe
    799 B
    7.8kB
    10
    12
  • 204.79.197.200:443
    ieonline.microsoft.com
    iexplore.exe
    152 B
    3
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls
    iexplore.exe
    779 B
    7.7kB
    9
    11
  • 8.8.8.8:53
    1212.ip138.com
    dns
    造梦西游5魂殇修改器.exe
    60 B
    158 B
    1
    1

    DNS Request

    1212.ip138.com

    DNS Response

    110.81.155.137
    59.57.13.133
    59.57.13.182
    59.57.14.11
    110.81.155.138

  • 8.8.8.8:53
    hunshang.oss-cn-hangzhou.aliyuncs.com
    dns
    ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe
    83 B
    99 B
    1
    1

    DNS Request

    hunshang.oss-cn-hangzhou.aliyuncs.com

    DNS Response

    118.31.219.202

  • 8.8.8.8:53
    www.4399hs.com
    dns
    IEXPLORE.EXE
    60 B
    133 B
    1
    1

    DNS Request

    www.4399hs.com

  • 8.8.8.8:53
    ip.qq.com
    dns
    造梦西游5魂殇修改器.exe
    55 B
    71 B
    1
    1

    DNS Request

    ip.qq.com

    DNS Response

    0.0.0.1

  • 8.8.8.8:53
    hao.ug118.com
    dns
    造梦西游5魂殇修改器.exe
    59 B
    139 B
    1
    1

    DNS Request

    hao.ug118.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    494dc467f86039707e33a9a2e63cb65e

    SHA1

    d50633dc815b2690f22f25cbd75abc679bed86f8

    SHA256

    0b56d097ed3cac5823c423232ff558ee14445d26cd62dfd1932706ad6e206ed2

    SHA512

    9f9d2a3bb49668a48ab63a6f9dd408e4ec237ae7a30ec7d6f1f7377d5e6d1508661b1f6c64c956e47d9cfca5dc41502c1b3a4101d1814030363003381334a247

  • C:\Users\Admin\AppData\Local\Temp\CabA372.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarA3D4.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe

    Filesize

    268KB

    MD5

    d4345448976df15d4338d411583217d8

    SHA1

    83f405499bd649c5744fe4f6eb1abea8828487dc

    SHA256

    6cc67524aacded7fdd197048881a68fb21278dd9e20a73b57d7a11550fc736e9

    SHA512

    b6ff0b28aff3663b49156d1f6e3c75dd994e3ff70a92ff7914128473ab886aedec8cd2dd6018fd99e62ad7294bb808c5c4c5ad5a6713ba41df09b0b16d960385
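The dropped file's name, ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe, is not random: it is a GBK (Simplified Chinese) file name written byte-for-byte onto the en-US sandbox, whose ANSI code page 1252 shows those bytes as Latin letters. Re-encoding the displayed string with cp1252 and decoding the bytes as GBK gives 造梦西游4魂殇修改器6.3.exe, a version-4 trainer for the same game as the submitted 造梦西游5魂殇修改器.exe ("Dream Journey to the West 5 Hunshang trainer"; "hunshang" also matches the Aliyun OSS bucket the dropped file resolves). Both forms matter for hunting: an en-US host literally has the mojibake name on disk, a zh-CN host has the Chinese one. The code below is an added example, not part of the report; the list of candidate source code pages is an assumption, ordered GBK-first because the sample is Chinese.

```python
"""Undo code-page confusion in a mis-rendered file name, and render the true
name the way a host with another ANSI code page would show it."""
from typing import Iterable, Optional, Tuple

# Assumption: legacy CJK code pages worth trying, most likely first.
CJK_SOURCES: Tuple[str, ...] = ("gbk", "big5", "shift_jis", "euc_kr")


def undo_mojibake(shown: str, shown_as: str = "cp1252",
                  sources: Iterable[str] = CJK_SOURCES) -> Optional[Tuple[str, str]]:
    """Re-encode `shown` with the code page that misread the bytes, then decode
    the bytes with each candidate source code page. Returns (source, recovered)
    for the first candidate that decodes cleanly to non-Latin text, else None."""
    try:
        raw = shown.encode(shown_as)
    except UnicodeEncodeError:
        return None          # already contains characters cp1252 cannot hold
    if raw.isascii():
        return None          # pure ASCII: nothing was mis-rendered
    for src in sources:
        try:
            fixed = raw.decode(src)
        except UnicodeDecodeError:
            continue
        # A genuine recovery leaves no Latin-1 supplement letters behind.
        if any(0x80 <= ord(c) <= 0xFF for c in fixed):
            continue
        return src, fixed
    return None


def render_on_host(true_name: str, written_as: str, host_cp: str) -> str:
    """Show how a name stored as `written_as` bytes appears on a host whose
    ANSI code page is `host_cp`. Python's cp1252 has no mapping for 0x81, 0x8D,
    0x8F, 0x90 and 0x9D, so those bytes are replaced rather than raising."""
    return true_name.encode(written_as).decode(host_cp, errors="replace")


if __name__ == "__main__":
    seen = "ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe"   # dropped file as the en-US sandbox recorded it
    result = undo_mojibake(seen)
    if result:
        src, name = result
        print(f"{seen} -> {name} (bytes were {src})")
        print("round trip ok:", render_on_host(name, src, "cp1252") == seen)
```

Candidate order is a prior, not proof: Big5 or Shift_JIS may also decode the same bytes to some string, so when the sample's origin is unknown, check each candidate against other evidence (here the "hunshang" bucket name and the game title in the submitted sample).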
