Analysis

  • max time kernel
    59s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    18/10/2024, 19:26

General

  • Target

    749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe

  • Size

    80KB

  • MD5

    2bfc41fc744cef02880c43394e17751e

  • SHA1

    35c296e0fbd6ed77b9dab7ece016e8306c26512a

  • SHA256

    749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca

  • SHA512

    d3387fafbd4e9ea76e9d32b24f2e7ea61e3f95263e3e52904f008b74357cebd6c75d9521389406337d9dda8ef2687f02d63e99ed95c1657aec763122d0f9eed7

  • SSDEEP

    1536:ITJxjZZ29Up2U7O0Ov15+o46zqMi9G7WXnQQvaWh3zWKfx/t126a631:SHZ2up5JkH+o46LuRXnLdpzp/tg6Z31

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
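The UPX signature above fires four times, and the report is consistent with that: the sample is 80KB on disk but occupies a 440KB region (0x400000-0x46E000) once mapped, which is the shape a self-unpacking stub produces. The following script is an added example, not code from the sandbox or from the report's author, showing how that verdict can be reproduced offline from the PE section table alone: it parses the DOS/PE/COFF headers, reads the section entries, and reports three independent UPX indicators (stock section names, the "UPX!" marker in the packer header, and an empty first section that serves as the in-memory landing zone). The second and third indicators survive section renaming, which is what "modified UPX" usually means. The PE images it runs against are constructed inline for testing and are not the binaries listed in this report.

```python
import struct

# Section names written by stock UPX; a "modified UPX" build often renames them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1", b".UPX2"}
UPX_MAGIC = b"UPX!"  # marker UPX writes into its own packer header


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rsize, "raw_ptr": rptr})
    return sections


def upx_indicators(data: bytes) -> dict:
    """Three independent signs of UPX: names, the UPX! marker, and the UPX0 shape."""
    sections = parse_sections(data)
    names = [s["name"] for s in sections]
    first = sections[0] if sections else None
    return {
        "sections": names,
        "upx_section_names": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_magic": UPX_MAGIC in data,
        # UPX0 is the in-memory landing zone for the unpacked image: zero bytes
        # on disk, large virtual size. Renaming sections does not change this.
        # Weakest of the three on its own (a leading .bss looks the same).
        "empty_first_section": bool(first and first["raw_size"] == 0
                                    and first["virtual_size"] > 0),
    }


def is_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_section_names"]) or ind["upx_magic"] or ind["empty_first_section"]


# --- constructed PE32 images for offline testing (not the report's binaries) ---

def build_pe(sections, body: bytes) -> bytes:
    """sections: (name, virtual_size, virtual_address, raw_size, characteristics).
    The single raw body is placed right after the headers."""
    hdr_len = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rsize,
                    hdr_len if rsize else 0, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + body


def build_upx_sample(names=(b"UPX0", b"UPX1")) -> bytes:
    body = UPX_MAGIC + b"\0" * 0x1FC          # stands in for the packed UPX1 blob
    return build_pe([
        (names[0], 0x5E000, 0x1000, 0, 0xE0000080),       # empty landing zone
        (names[1], 0x10000, 0x5F000, len(body), 0xE0000040),
        (b".rsrc", 0x1000, 0x6F000, 0, 0xC0000040),
    ], body)


def build_clean_sample() -> bytes:
    body = b"\x55\x8b\xec" + b"\0" * 0x1FD    # push ebp; mov ebp, esp; padding
    return build_pe([
        (b".text", len(body), 0x1000, len(body), 0x60000020),
        (b".data", 0x100, 0x2000, 0, 0xC0000040),
    ], body)


if __name__ == "__main__":
    for label, blob in (("upx", build_upx_sample()),
                        ("renamed upx", build_upx_sample((b".code", b".pack"))),
                        ("clean", build_clean_sample())):
        print(f"{label:12s} packed={is_upx_packed(blob)} {upx_indicators(blob)}")
```

Point `parse_sections` at the real file (`open(path, "rb").read()`) to triage a sample; `upx_indicators` is more useful than the boolean because a hit on the names alone with no "UPX!" marker and a non-empty first section suggests a decoy rather than a real pack.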

Processes

  • C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe
    "C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Users\Admin\AppData\Local\Temp\Syslemaexwd.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemaexwd.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1436

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Syslemaexwd.exe

          Filesize

          80KB

          MD5

          ba1f82f91f1ae28cf5888ac1d0880916

          SHA1

          8d0762bbca8f61ff8f70849ef25dc0465837e224

          SHA256

          43f3d8ccef6096a9f6b74b507ac0d4ead58dc8754a0628da48fd3d9a92320756

          SHA512

          d137f073ad1761e5f9e2aca2ad919e5db145ef31e884ee3f3504bb8960a2ca4944cbbc33869f7b6960ed4d448cc406039d715d78923e8cc823e265a0b41abb8e

        • C:\Users\Admin\AppData\Local\Temp\lpath.ini

          Filesize

          102B

          MD5

          fb8abda925a7cb9a18da9e549724471d

          SHA1

          0c21ff317ab37de37e6b1a395e2a84700cf57ba0

          SHA256

          cbba1a97f432a53f3618722a406b77fba78e4f5c61a0d07145e894043a2a0cc0

          SHA512

          b230ef8fb52fc6eca54b1319df6a8344deb4dcfa23b645dc99deca9ed71976996951bb7b3a2cb6f92293cbb09e36c47ce1954a0bfbd0552539778b1e1950b3ec

        • memory/904-0-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

        • memory/904-14-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

        • memory/1436-16-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB