Analysis Overview
SHA256
6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f
Threat Level: Known bad
The file 6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f was found to be: Known bad.
Malicious Activity Summary
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:08
Reported
2024-11-09 23:11
Platform
win7-20240903-en
Max time kernel
141s
Max time network
119s
Command Line
Signatures
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\rrxfflr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\rrxfflr.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | \??\c:\windows\friendl.dll | \??\c:\rrxfflr.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2656 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe | \??\c:\rrxfflr.exe |
| PID 2656 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe | \??\c:\rrxfflr.exe |
| PID 2656 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe | \??\c:\rrxfflr.exe |
| PID 2656 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe | \??\c:\rrxfflr.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe
"C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe"
\??\c:\rrxfflr.exe
c:\rrxfflr.exe
Network
Files
memory/2656-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2656-8-0x0000000000400000-0x000000000042A000-memory.dmp
C:\rrxfflr.exe
| Hash | Value |
|---|---|
| MD5 | db3ae2daaa4303b6ee96580ddfb819c7 |
| SHA1 | c4b0b1172afb86f8b1b4d7f820a89e32ba6c0d83 |
| SHA256 | 36c6b41da2b32d1acb91875960feffaf9c22d50fe5f5c6cb3a74e9eb539e0d5c |
| SHA512 | 6987e04d9a9cbc8b1dc604417e29802ffb39bf5120106b3da8a5633766ee71f46d0700ed23e6c3bcd2ca280a088c0b8adf745fe380d997eb2430bdf0c39fe60e |
memory/2676-12-0x0000000000400000-0x000000000042A000-memory.dmp
\??\c:\jl
| Hash | Value |
|---|---|
| MD5 | c72435f0134385f41d2fc24c8f4a7687 |
| SHA1 | 2d5dbc00256e7dc918570f8acc9f266c5cb0ae7e |
| SHA256 | 8cae4f978fcc9faf02a2472cd92e0b3fbccc4b54f8f660bad15fc23e2b29bcf6 |
| SHA512 | d2b72ba8e2260e4a8cee7b7235bd618c4bc759b46d2b6ab6b11462b82d2ccde8d43324a7655ba15c59970eaac96b93cd3ab330226b2b89c46c888093ed31d87c |
memory/2676-13-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:08
Reported
2024-11-09 23:11
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
134s
Command Line
Signatures
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\ttnhhh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\ttnhhh.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | \??\c:\windows\friendl.dll | \??\c:\ttnhhh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\ttnhhh.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5080 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe | \??\c:\ttnhhh.exe |
| PID 5080 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe | \??\c:\ttnhhh.exe |
| PID 5080 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe | \??\c:\ttnhhh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe
"C:\Users\Admin\AppData\Local\Temp\6bf26697c7c6aa6106d731848b79efe0a91b1bc39ce2543925ac372b18cd926f.exe"
\??\c:\ttnhhh.exe
c:\ttnhhh.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/5080-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\ttnhhh.exe
| Hash | Value |
|---|---|
| MD5 | 7405cc2fa74288f60071b79ca8a3bd05 |
| SHA1 | f155ede9c87d0f6c550c72651a62cf8ae625b064 |
| SHA256 | 66a9d399557093243b0fe97545d4cd87059f20fcef2eabe6acae38cc142d9631 |
| SHA512 | cc50efef0e434a1b8deb63377d3fc16f17adc8bd23c7e8aa5b06827d6a06c82177eeb57b86e308c8ad25edd90e2e606de5fbee086de7a87c4bd9379e5f7dd83e |
memory/5080-7-0x0000000000400000-0x000000000042A000-memory.dmp
\??\c:\jl
| Hash | Value |
|---|---|
| MD5 | c72435f0134385f41d2fc24c8f4a7687 |
| SHA1 | 2d5dbc00256e7dc918570f8acc9f266c5cb0ae7e |
| SHA256 | 8cae4f978fcc9faf02a2472cd92e0b3fbccc4b54f8f660bad15fc23e2b29bcf6 |
| SHA512 | d2b72ba8e2260e4a8cee7b7235bd618c4bc759b46d2b6ab6b11462b82d2ccde8d43324a7655ba15c59970eaac96b93cd3ab330226b2b89c46c888093ed31d87c |
memory/4188-10-0x0000000000400000-0x000000000042A000-memory.dmp