Analysis

  • max time kernel
    59s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/10/2024, 19:26

General

  • Target

    749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe

  • Size

    80KB

  • MD5

    2bfc41fc744cef02880c43394e17751e

  • SHA1

    35c296e0fbd6ed77b9dab7ece016e8306c26512a

  • SHA256

    749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca

  • SHA512

    d3387fafbd4e9ea76e9d32b24f2e7ea61e3f95263e3e52904f008b74357cebd6c75d9521389406337d9dda8ef2687f02d63e99ed95c1657aec763122d0f9eed7

  • SSDEEP

    1536:ITJxjZZ29Up2U7O0Ov15+o46zqMi9G7WXnQQvaWh3zWKfx/t126a631:SHZ2up5JkH+o46LuRXnLdpzp/tg6Z31

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe
    "C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\Syslemkchgb.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemkchgb.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2596

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\lpath.ini

          Filesize

          102B

          MD5

          fb8abda925a7cb9a18da9e549724471d

          SHA1

          0c21ff317ab37de37e6b1a395e2a84700cf57ba0

          SHA256

          cbba1a97f432a53f3618722a406b77fba78e4f5c61a0d07145e894043a2a0cc0

          SHA512

          b230ef8fb52fc6eca54b1319df6a8344deb4dcfa23b645dc99deca9ed71976996951bb7b3a2cb6f92293cbb09e36c47ce1954a0bfbd0552539778b1e1950b3ec

        • \Users\Admin\AppData\Local\Temp\Syslemkchgb.exe

          Filesize

          80KB

          MD5

          3dae46c6c17dcf650b7c5353a81ef31e

          SHA1

          1f93b5c83fa49e6bd08b49dff28e2c841499c932

          SHA256

          2440ad23231ac4720700db07cb98f13b34d8a67b863348adc3d27ec9862b29b5

          SHA512

          333f90ae2fdbd8b30120747540ca8d82368f95a9b4e74eb6016d74851d040b8942e2f4fca10f405be888a7bd0038c65a75ce842b95e93c0092a5d09534c0d7fe

        • memory/2596-18-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

        • memory/2596-22-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

        • memory/2848-0-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

        • memory/2848-7-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

        • memory/2848-17-0x0000000003160000-0x00000000031CE000-memory.dmp

          Filesize

          440KB

        • memory/2848-11-0x0000000003160000-0x00000000031CE000-memory.dmp

          Filesize

          440KB