Analysis

  • max time kernel
    148s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 00:02

General

  • Target

    83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe

  • Size

    87KB

  • MD5

    be1caf87a76ca70f2118decc075b100a

  • SHA1

    11581129f15b36c03a3d372be2e3b9c37f6f7d27

  • SHA256

    83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c

  • SHA512

    b8e2959e79d3e27943d785532c855f0bcb281f743e0cbddfebb9bf1620b065c16e9d756e3ca6da4a6276ea72a1b8056b445863afdb3437abf40337edc818f530

  • SSDEEP

    1536:z4hkM3Yz8wMZhUD2XsjEQWOSkE+Ct6WKBex3GWU5FkWp+AmQwKGSMdH+002I3/ia:Mq6OLM3QasY5Ft71fqWWp+efGftm2I31

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with the UPX open-source packer or a modified UPX variant.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
    "C:\Users\Admin\AppData\Local\Temp\83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Users\Admin\AppData\Local\Temp\Syslemxiizw.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemxiizw.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemxiizw.exe

    Filesize

    87KB

    MD5

    097b4977bfe6714bf0712dcb65c14b03

    SHA1

    c01bb385d15a7b050ad969479a0220b0e95fda9a

    SHA256

    3e6afb658c6a236dfdf53b45e4c4d93b089c928c7f4c2bc3b1de9fb9b4b357af

    SHA512

    c0f4d46e722a7d3152efaa343aea9f808c1b6e0f9403f56d581d0e787638b5b3d1f6ebf70d712e01edd7d8f26f15f18fe0ae737b855f133fec4d4ee88916649f

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    f89bb0954242fa3816f9e8d05b3cec36

    SHA1

    e09be2a100c80b49e5600eb29cd3a2bc06a827d2

    SHA256

    cd1ac67cb37d864d9444c5d8f0ad6c37a14c25b3eb438af50d67b31fd0af4921

    SHA512

    a225f6403900c9737f72691a5b800a4db5810d8cf254d4f0888ae4f7d5b0ab1aed02a02f4a34c3ed60d9cc84a48a9a057fdcb5f0c1f684890188bb03be902c55

  • memory/1796-0-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1796-7-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1796-15-0x00000000037D0000-0x000000000384F000-memory.dmp

    Filesize

    508KB

  • memory/2784-17-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2784-21-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB