Overview

overview

10

Static

static

3

157.exe

windows7-x64

10

157.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    157.exe

  • Size

    1.9MB

  • MD5

    07c24fa99061341f54d447489136484f

  • SHA1

    d4f8df213dfd5defdef5e8a74b6d377b4e081da1

  • SHA256

    020ec9567c682568aeb929310399e171e71a61f05dd718e940dfbbd3739026ca

  • SHA512

    e7a9cee85e81ebc7e7a291b5252b1002a6adf157b6ebbad9b3bd73c7ecfa08d34f3ab2bf1aba43703f864083a957ecf934589da508177bfbcb8fdb0f2c8c6ac9

  • SSDEEP

    24576:PogCrOVMhbdWXkvIdPPF8pN0EtGXW3V+sLxdXJTbGTs3l:P4bnWPOb0EoXWddXJTbGk

Score
10/10
blackmoonbankerdiscoveryevasiontrojanupx

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 4 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\157.exe
    "C:\Users\Admin\AppData\Local\Temp\157.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Users\Public\Downloads\BbHufzfykft.exe
      nMBCBbXABcNJgOSP
      2⤵
      • UAC bypass
      • Deletes itself
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Public\Downloads\BbHufzfykft.exe
    Filesize

    1.9MB

    MD5

    07c24fa99061341f54d447489136484f

    SHA1

    d4f8df213dfd5defdef5e8a74b6d377b4e081da1

    SHA256

    020ec9567c682568aeb929310399e171e71a61f05dd718e940dfbbd3739026ca

    SHA512

    e7a9cee85e81ebc7e7a291b5252b1002a6adf157b6ebbad9b3bd73c7ecfa08d34f3ab2bf1aba43703f864083a957ecf934589da508177bfbcb8fdb0f2c8c6ac9

    Download Submit

  • memory/2388-17-0x0000000000320000-0x0000000000361000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2388-27-0x0000000002020000-0x0000000002021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2388-18-0x0000000000370000-0x000000000037B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2388-13-0x0000000000370000-0x000000000037B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2388-19-0x00000000003F0000-0x00000000003FB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2388-12-0x0000000000320000-0x0000000000361000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2388-11-0x0000000000370000-0x000000000037B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2388-20-0x00000000003F0000-0x00000000003FB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2388-49-0x00000000003F0000-0x00000000003FB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2388-24-0x0000000002010000-0x0000000002011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2388-26-0x00000000021E0000-0x00000000021E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2388-22-0x00000000021F0000-0x00000000021F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2388-21-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2576-1-0x0000000000640000-0x0000000000681000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2576-0-0x00000000006A0000-0x00000000006AB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2576-14-0x0000000000640000-0x0000000000681000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2576-2-0x00000000006A0000-0x00000000006AB000-memory.dmp

    Filesize

    44KB

    Download