Overview

overview

10

Static

static

1

c524dc3778...89.msi

windows7-x64

10

c524dc3778...89.msi

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289.msi.vir

  • Size

    51.3MB

  • Sample

    241122-d93yeszlhr

  • MD5

    7efb253def4f5980c8e7a4c95a96ce09

  • SHA1

    e5f62d1b33eddca20e1b8cde7bf85205c411f058

  • SHA256

    c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289

  • SHA512

    5a3c05754d5d94a1549f7eb4a08a237e39b976c4994db0bb8e10687757d954d7a3cda5ea1ea432c85e5e9b643378b8a6ae15ec2e6ce17a292d8f4cbe70955f4d

  • SSDEEP

    1572864:33j57EzJvxJXNywl4agZ9KsNhucJaV/Z/7h:33jWtv3dbl3bcJarzh

Score
10/10
blackmoonbankerbootkitdiscoveryevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Targets

    • Target

      c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289.msi.vir

    • Size

      51.3MB

    • MD5

      7efb253def4f5980c8e7a4c95a96ce09

    • SHA1

      e5f62d1b33eddca20e1b8cde7bf85205c411f058

    • SHA256

      c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289

    • SHA512

      5a3c05754d5d94a1549f7eb4a08a237e39b976c4994db0bb8e10687757d954d7a3cda5ea1ea432c85e5e9b643378b8a6ae15ec2e6ce17a292d8f4cbe70955f4d

    • SSDEEP

      1572864:33j57EzJvxJXNywl4agZ9KsNhucJaV/Z/7h:33jWtv3dbl3bcJarzh

    Score
    10/10
    blackmoonbankerbootkitdiscoveryevasionexecutionpersistenceprivilege_escalationtrojan

    • Blackmoon family

      blackmoon

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Detect Blackmoon payload

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops file in Drivers directory

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies Windows Firewall

      evasion

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Installer Packages

1
T1546.016

Netsh Helper DLL

1
T1546.007

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Installer Packages

1
T1546.016

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

4
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

System Binary Proxy Execution

1
T1218

Msiexec

1
T1218.007

Credential Access

Discovery

Network Service Discovery

1
T1046

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks