Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/10/2024, 19:33

General

  • Target

    749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe

  • Size

    80KB

  • MD5

    2bfc41fc744cef02880c43394e17751e

  • SHA1

    35c296e0fbd6ed77b9dab7ece016e8306c26512a

  • SHA256

    749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca

  • SHA512

    d3387fafbd4e9ea76e9d32b24f2e7ea61e3f95263e3e52904f008b74357cebd6c75d9521389406337d9dda8ef2687f02d63e99ed95c1657aec763122d0f9eed7

  • SSDEEP

    1536:ITJxjZZ29Up2U7O0Ov15+o46zqMi9G7WXnQQvaWh3zWKfx/t126a631:SHZ2up5JkH+o46LuRXnLdpzp/tg6Z31

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe
    "C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Users\Admin\AppData\Local\Temp\Syslemnridt.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemnridt.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2828

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\lpath.ini

          Filesize

          102B

          MD5

          fb8abda925a7cb9a18da9e549724471d

          SHA1

          0c21ff317ab37de37e6b1a395e2a84700cf57ba0

          SHA256

          cbba1a97f432a53f3618722a406b77fba78e4f5c61a0d07145e894043a2a0cc0

          SHA512

          b230ef8fb52fc6eca54b1319df6a8344deb4dcfa23b645dc99deca9ed71976996951bb7b3a2cb6f92293cbb09e36c47ce1954a0bfbd0552539778b1e1950b3ec

        • \Users\Admin\AppData\Local\Temp\Syslemnridt.exe

          Filesize

          80KB

          MD5

          e73fa9495849bbffaeb0a8a20a225745

          SHA1

          dd564527ddbc7cc8cb3cf586670ab4a4b9d68a43

          SHA256

          b3c0b757a7aa4e15090905167b2cd595aa0e8c02ae81486fd85c7ea874926a5f

          SHA512

          a8ce3b19f61ce0ca377cd69806b1ae4048b2902932f4c014ddb466de5edafa0c1d334ebfccf39011140ed071a9ad85e068551bc91b0a9556f28f99df70cfd375

        • memory/2216-0-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

        • memory/2216-7-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

        • memory/2216-11-0x0000000003290000-0x00000000032FE000-memory.dmp

          Filesize

          440KB

        • memory/2828-17-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

        • memory/2828-21-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB