Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/10/2024, 18:59

General

  • Target

    190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe

  • Size

    80KB

  • MD5

    44ab132e64b8cda5ab2fdbc612e749c2

  • SHA1

    27340bc4a07b75d4b126e5cb7a10a65e8cf27621

  • SHA256

    190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773

  • SHA512

    e8c7d3a620adb7ba2aa1b65b8bf5e8d31affc20373e6f794c0cc8943cbba0c129942c533b4c023a0a3550db5186076521b72f456aa689f3187a02e63bf0345d5

  • SSDEEP

    1536:+VtjAKqURk0Ex/tIWLSYGc5cmFF+TTdGka2dQe5GrpXLaN:CN1qURFY/RLSO5cmFY9GMdKGN

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
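
The hashes in the General section and the "UPX packed file" signature above are both static checks that can be reproduced outside the sandbox. The following is an added example, not the sandbox's own detection logic and not code from the sample: it computes the same digests the report lists and parses the PE section table by hand to flag UPX, first by the stock section names and then by the layout a UPX stub leaves behind (a first section that is empty on disk but large and executable+writable in memory, which also survives a renamed section in a modified UPX build). That layout is consistent with this report's 428KB in-memory image for an 80KB file, though the report does not show the section table itself. The PE fixtures are constructed in-memory and their section sizes are assumed; none of the bytes come from the real sample.

```python
"""Static triage of a PE blob: file hashes plus a UPX / packer heuristic.

Added example, not part of the sandbox report. All fixtures are built
in-memory below; the section layouts are assumptions, not the sample's.
"""
import hashlib
import struct

# Section names written by stock UPX; modified builds may rename them, which
# is why the layout-based heuristic in upx_verdict() exists as well.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def file_hashes(data: bytes) -> dict:
    """The same digests the report lists in its General section."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def pe_sections(data: bytes) -> list:
    """Parse the COFF section table with the standard library only."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": va,
            "raw_size": rsize,
            "raw_pointer": rptr,
            "characteristics": chars,
        })
    return sections


def upx_verdict(data: bytes) -> dict:
    """Flag UPX by section names, then by the unpacking-destination layout."""
    sections = pe_sections(data)
    names = [s["name"] for s in sections]
    by_name = any(n in UPX_SECTION_NAMES for n in names)
    # UPX's first section holds no bytes on disk but is large and RWX in
    # memory: the stub decompresses the original image into it. Renaming
    # the section in a modified UPX build does not change that layout.
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    hollow = [s["name"] for s in sections
              if s["raw_size"] == 0 and s["virtual_size"] > 0
              and s["characteristics"] & rwx == rwx]
    return {
        "sections": names,
        "upx_section_names": by_name,
        "hollow_rwx_sections": hollow,
        "likely_packed": by_name or bool(hollow),
    }


def build_minimal_pe(sections) -> bytes:
    """Constructed fixture: DOS stub, PE/COFF headers and a section table only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)          # PE32 magic
    table = b""
    va, raw_ptr = 0x1000, 0x400
    for name, vsize, rsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, va, rsize, raw_ptr if rsize else 0,
                             0, 0, 0, 0, chars)
        va += (vsize + 0xFFF) & ~0xFFF
        raw_ptr += rsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


# Assumed layouts for illustration, not the report's sample.
PACKED_SAMPLE = build_minimal_pe([
    ("UPX0", 0x40000, 0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
     | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("UPX1", 0x13000, 0x12800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
     | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x1000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
     | IMAGE_SCN_MEM_WRITE),
])
CLEAN_SAMPLE = build_minimal_pe([
    (".text", 0x5000, 0x5000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x1000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
     | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, file_hashes(blob)["sha256"], upx_verdict(blob))
```

To run it against a real file, replace the fixtures with `open(path, "rb").read()`; the SHA256 returned by `file_hashes()` should match the report's value for the target before any other conclusion is drawn from the parse. The name check alone is what a signature like the report's "UPX packed file" needs; the hollow-RWX-section check is the part that still fires when a modified packer has renamed its sections.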

Processes

  • C:\Users\Admin\AppData\Local\Temp\190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe
    "C:\Users\Admin\AppData\Local\Temp\190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:264
    • C:\Users\Admin\AppData\Local\Temp\Systemgjwhk.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemgjwhk.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4960

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Systemgjwhk.exe

          Filesize

          80KB

          MD5

          e8fcd611ba50db3a2cf059de450754ae

          SHA1

          16c08b58b4a604da58815e0be21e6272e8afbf4e

          SHA256

          6185aefa12a2a66f7af14d5363c93cd587b58cf17dfe900a9bda052152647a93

          SHA512

          dce25f680d80fa498ad2b1583a7da7a39292b8677d326201b2fc1c675ac23bebb8230cc0497c8d67d0c3466b62e947505f530604df8b78516e10b82bd4b4bd7d

        • C:\Users\Admin\AppData\Local\Temp\fpath.ini

          Filesize

          102B

          MD5

          2b4159504c411ecc93fca80c5076184d

          SHA1

          ba1d6781ec9f229ee87228149a3e3d87f07752f0

          SHA256

          1a9fa5f0f9cd70cf19afea69f04cc367a26384d71409b67169b8f1f7ea025f5c

          SHA512

          93b99d6928b69b9378e164c869f8a095f47d921ef4d1f869ca89c550eacb6778eec22a184b7ede3d22c04ad326b3307d6e45b7b8c39538d1073c0ddd3549060d

        • memory/264-0-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

        • memory/264-14-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

        • memory/4960-17-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB