Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 00:02

General

  • Target

    83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe

  • Size

    87KB

  • MD5

    be1caf87a76ca70f2118decc075b100a

  • SHA1

    11581129f15b36c03a3d372be2e3b9c37f6f7d27

  • SHA256

    83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c

  • SHA512

    b8e2959e79d3e27943d785532c855f0bcb281f743e0cbddfebb9bf1620b065c16e9d756e3ca6da4a6276ea72a1b8056b445863afdb3437abf40337edc818f530

  • SSDEEP

    1536:z4hkM3Yz8wMZhUD2XsjEQWOSkE+Ct6WKBex3GWU5FkWp+AmQwKGSMdH+002I3/ia:Mq6OLM3QasY5Ft71fqWWp+efGftm2I31

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • UPX packed file (4 IoCs)

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
    "C:\Users\Admin\AppData\Local\Temp\83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Users\Admin\AppData\Local\Temp\Syslemwdqju.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemwdqju.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4496

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemwdqju.exe

    Filesize

    87KB

    MD5

    670401416ac7359cdd2118d19b92424d

    SHA1

    61a3245e3d26b07a8fe8470ee17d1c145da65758

    SHA256

    d543ff9be454e50ab10d8ed6e7454db087c16fd6ce464b4f71a6366173fc1a79

    SHA512

    728f9f304f97147632d337e20e793c96d03abd41c1ddeae327a80c4c07fec150615eca634280a0d302eac17d55b32125ccfa71e77afc4f7a1f18c353b60b1f94

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    f89bb0954242fa3816f9e8d05b3cec36

    SHA1

    e09be2a100c80b49e5600eb29cd3a2bc06a827d2

    SHA256

    cd1ac67cb37d864d9444c5d8f0ad6c37a14c25b3eb438af50d67b31fd0af4921

    SHA512

    a225f6403900c9737f72691a5b800a4db5810d8cf254d4f0888ae4f7d5b0ab1aed02a02f4a34c3ed60d9cc84a48a9a057fdcb5f0c1f684890188bb03be902c55

  • memory/1492-0-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1492-14-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/4496-16-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB
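The sizes above are worth cross-checking rather than reading past: each dump covers 0x400000-0x47F000, i.e. 0x7F000 bytes = 508 KB, while both executables are only 87 KB on disk, which is the growth you expect from a UPX-packed image that is decompressed once mapped. The dropped Syslemwdqju.exe also has exactly the parent's on-disk size but a different SHA-256, so it is not a byte-identical copy. The following script is an added example, not part of the sandbox report or the Triage tooling: the file and dump entries are constructed inline from the values on this page, the PID-to-file mapping is taken from the process tree above, and the 3x growth threshold and the KB = 1024 convention are assumptions.

```python
"""Sanity checks over the artefacts listed in a sandbox report (added example)."""
import re
from dataclasses import dataclass

# Constructed input: copied from the report's "General" and "Downloads" sections.
FILES = {
    "83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe": {
        "size": "87KB",
        "sha256": "83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c",
    },
    "Syslemwdqju.exe": {
        "size": "87KB",
        "sha256": "d543ff9be454e50ab10d8ed6e7454db087c16fd6ce464b4f71a6366173fc1a79",
    },
    "lpath.ini": {
        "size": "102B",
        "sha256": "cd1ac67cb37d864d9444c5d8f0ad6c37a14c25b3eb438af50d67b31fd0af4921",
    },
}

# Constructed input: the memory dump names listed under "Downloads".
MEMORY_DUMPS = [
    "memory/1492-0-0x0000000000400000-0x000000000047F000-memory.dmp",
    "memory/1492-14-0x0000000000400000-0x000000000047F000-memory.dmp",
    "memory/4496-16-0x0000000000400000-0x000000000047F000-memory.dmp",
]

# Assumption: which on-disk file each PID in the process tree was started from.
PID_TO_FILE = {
    1492: "83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe",
    4496: "Syslemwdqju.exe",
}

_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB)$")
_DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_size(text: str) -> int:
    """Convert a report size string such as '87KB' or '102B' to bytes (assumes KB = 1024)."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    value, unit = float(m.group(1)), m.group(2)
    return int(value * {"B": 1, "KB": 1024, "MB": 1024 * 1024}[unit])


@dataclass(frozen=True)
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memory_dump(name: str) -> MemoryRegion:
    """Pull PID, dump index and address range out of a Triage-style dump file name."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    pid, idx, start, end = m.groups()
    return MemoryRegion(int(pid), int(idx), int(start, 16), int(end, 16))


def in_memory_growth(disk_size: int, region: MemoryRegion) -> float:
    """Ratio of the mapped image to the on-disk file; a packed executable is small on
    disk and only reaches its real size once the unpacking stub has run."""
    return region.size / disk_size


def packed_image_suspects(files, dumps, threshold: float = 3.0):
    """Return (dump name, ratio) for each dump whose image exceeds threshold x the
    on-disk size of the executable its PID maps to (threshold is an assumption)."""
    hits = []
    for name in dumps:
        region = parse_memory_dump(name)
        disk = parse_size(files[PID_TO_FILE[region.pid]]["size"])
        ratio = in_memory_growth(disk, region)
        if ratio > threshold:
            hits.append((name, round(ratio, 2)))
    return hits


def same_size_different_hash(files, a: str, b: str) -> bool:
    """True when two listed files report identical size but different SHA-256,
    i.e. the dropped file is a modified rather than byte-identical copy."""
    fa, fb = files[a], files[b]
    return parse_size(fa["size"]) == parse_size(fb["size"]) and fa["sha256"] != fb["sha256"]


def sha256_ioc_list(files) -> list:
    """Sorted, de-duplicated SHA-256 values suitable for a blocklist or hunt query."""
    return sorted({meta["sha256"].lower() for meta in files.values()})


if __name__ == "__main__":
    for name, ratio in packed_image_suspects(FILES, MEMORY_DUMPS):
        print(f"{name}: mapped image is {ratio}x the on-disk size")
    parent = PID_TO_FILE[1492]
    print("dropped exe same size, different hash:",
          same_size_different_hash(FILES, parent, "Syslemwdqju.exe"))
    for h in sha256_ioc_list(FILES):
        print(h)
```

The growth ratio is a triage heuristic, not proof of packing on its own: section alignment alone makes every mapped image somewhat larger than its file. What makes it meaningful here is that it agrees with the independent "UPX packed file" signature, and that the dropped executable, despite a different hash, unpacks to an image of exactly the same size and base as its parent.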