Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/10/2024, 18:59

General

  • Target

    190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe

  • Size

    80KB

  • MD5

    44ab132e64b8cda5ab2fdbc612e749c2

  • SHA1

    27340bc4a07b75d4b126e5cb7a10a65e8cf27621

  • SHA256

    190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773

  • SHA512

    e8c7d3a620adb7ba2aa1b65b8bf5e8d31affc20373e6f794c0cc8943cbba0c129942c533b4c023a0a3550db5186076521b72f456aa689f3187a02e63bf0345d5

  • SSDEEP

    1536:+VtjAKqURk0Ex/tIWLSYGc5cmFF+TTdGka2dQe5GrpXLaN:CN1qURFY/RLSO5cmFY9GMdKGN

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe
    "C:\Users\Admin\AppData\Local\Temp\190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Local\Temp\Systemjgaly.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemjgaly.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2716

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\fpath.ini

          Filesize

          102B

          MD5

          2b4159504c411ecc93fca80c5076184d

          SHA1

          ba1d6781ec9f229ee87228149a3e3d87f07752f0

          SHA256

          1a9fa5f0f9cd70cf19afea69f04cc367a26384d71409b67169b8f1f7ea025f5c

          SHA512

          93b99d6928b69b9378e164c869f8a095f47d921ef4d1f869ca89c550eacb6778eec22a184b7ede3d22c04ad326b3307d6e45b7b8c39538d1073c0ddd3549060d

        • \Users\Admin\AppData\Local\Temp\Systemjgaly.exe

          Filesize

          80KB

          MD5

          0abb8433b57987ef8b02ce2c28590303

          SHA1

          477b014cdd86a9b8c7eb0ed0b8a87a035acb8ab0

          SHA256

          9681cf15c0baf6e1f237cd62c88e34ecc99f3236e7566df21d6a097eee40f0db

          SHA512

          7aec78b45c846d02be9a6a5b9af6cd87f6a8083c996c025e20c1b9daf573654dc9977eb4b65125a393b0207deb22bb782fe000a9f8cae0a2bf037cc6c02ad205

        • memory/2716-20-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

        • memory/2808-0-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

        • memory/2808-7-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

        • memory/2808-15-0x00000000031D0000-0x000000000323B000-memory.dmp

          Filesize

          428KB