Analysis
-
max time kernel
104s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
25-11-2024 03:41
General
-
Target
7345cc802333d97b12d27c897ee998136e469de7412a2e93ef8dad282fac278f.dll
-
Size
163KB
-
MD5
ac39392fe4064c32edb92de807023544
-
SHA1
d53e5d8a41f40e0e15257e337a45db351afcd6d7
-
SHA256
7345cc802333d97b12d27c897ee998136e469de7412a2e93ef8dad282fac278f
-
SHA512
eedd9bd918a774a99b6eb2c0bfa327e70e5a7491aa504159f871fcc714eb2d0030a216c446738ca05a8907d6c42414d6789c44f03370bb57a599bead794933ef
-
SSDEEP
3072:x5VK0lTSG9xoC+CQpiU5MvUOGk//qmwYre9BN0N4wk:E0T9xB+CU4Gk//vwYre9BmNc
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 9 IoCs
-
Gh0st RAT payload 15 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 12 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 29 IoCs
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Suspicious use of SetThreadContext 2 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 21 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7345cc802333d97b12d27c897ee998136e469de7412a2e93ef8dad282fac278f.dll,#11⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\Temp\MpMgSvc.exe"C:\WINDOWS\Temp\MpMgSvc.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\Temp\Eternalblue-2.2.0.exeEternalblue-2.2.0.exe --TargetIp 10.127.1.135 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\WINDOWS\Temp\Eternalblue-2.2.0.exeEternalblue-2.2.0.exe --TargetIp 10.127.1.135 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Temp\Wmicc.exe"C:\Windows\Temp\Wmicc.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\Temp\GetPassword.exe >C:\Windows\Temp\PWD.txt5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\GetPassword.exeC:\Windows\Temp\GetPassword.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\WINDOWS\Temp\Hooks.exe"C:\WINDOWS\Temp\Hooks.exe"3⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\WINDOWS\Temp\Hooks.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k GraphicsPerfSvcsGroup1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=in program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=out program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule name=Microsoft_ctfmoon new enable=yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Edge dir=in program=C:\Windows\Microsoft.NET\Meson.exe action=allow2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Edge dir=out program=C:\Windows\Microsoft.NET\Meson.exe action=allow2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule name=Microsoft_Edge new enable=yes2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Dcom dir=in program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Dcom dir=out program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule name=Microsoft_Dcom new enable=yes2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Store dir=in program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Store dir=out program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule name=Microsoft_Store new enable=yes2⤵
- Modifies Windows Firewall
-
-
C:\Windows\Microsoft.NET\ctfmoon.exeC:\Windows\Microsoft.NET\ctfmoon.exe [email protected] -password=123456Aa. -device-name=Win32 -accept-tos2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD573c754af52914907ca67124432e9abf9
SHA1c8ac9ea030eb19f02487227a66cbaa870fe2de1e
SHA256cd14bd3e5f5eb432c5f43eb3816ee19e9e71ff9c8772f2e96c6d6f259fe425b2
SHA5126fc4a9ff3eea09190b711604919ca18d9e36636a3a74e3367a33919f08f5ca8a4020ca7427afb960ade2403e32f7489a16583408e2437636bc856cf0a5220777
-
Filesize
7KB
MD5497080fed2000e8b49ee2e97e54036b1
SHA14af3fae881a80355dd09df6e736203c30c4faac5
SHA256756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380
SHA5124f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df
-
Filesize
494KB
MD55b6a804db0c5733d331eb126048ca73b
SHA1f18c5acae63457ad26565d663467fa5a7fbfbee4
SHA2565bec6b3bc6f8cbda50a8c5195a488cc82d2e00f18ec75640db31b2376a6db9f9
SHA512ba6424051ab9f650967cc2ba428fd6a02ccda8f99d8b8e3f5f321a5e6bbf79a22bfc9cdd582c44980470ebbb7aea1b811fd69aab6bf51466a803c7c722fcde26
-
Filesize
3.2MB
MD53809c59565787ee7398fe9222d4bd669
SHA168842768c9ae9deb1d1d7ed2b27846c392b47103
SHA256c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6
SHA5122f78ad26acfe15f4682b69090704fa8ebb24938c8a58b8d343ef0993e8234897aed53dfcea4119168f915384fe545d2cbb16bc12339d0600dafae06deefc9098
-
Filesize
29B
MD543b9c07824a40786d6cf4ff425ed7ea0
SHA103b8269231e4659ca7767b3c1982d32e83cd3ab3
SHA2565b62bb2ef959c34617217bea375992ca35fd987e3e583892b8c03b191ff4ce03
SHA512e7a473cf996b0d139449335ea36bf6ae9b9c59fce4797ae32b0cf9907aa5a8ba61962e91f7445ad73974b7bd765c8f2b9d9ad75e5d2677a1171b7a7f7eabb61a
-
Filesize
180KB
MD5749369989cc20f9ed44f82f1b476249d
SHA153aa829726b2af27d24899e568f3d3fe964690d6
SHA2568534923c6ebc3658b5b671b02d21cead897004f4cb8308dce4bfd526bf79eb61
SHA512b48181628dd7b17e9221d7f8f8b8ed7d7c71be29657da13af4c8f2917b85dba7ce0756599268e32a904639ef64e7776b64ea6e3b809e4807119d2608452bc9a7
-
Filesize
2KB
MD5e4509fe97319f2e16a2d644b6d55ebbe
SHA161809a08544acfe418608078ec3234fee9085d8c
SHA2561e9646a7cb5cc0bd64582259b123f3cb739fe8bd63cc4d2d8d562f3886d39c67
SHA512fcdaa40512e40e8747b42666297a6e9b2949a436ace678fa7b0a108afc49926c6cb68a6b943af12a35a2631e7835bc3e00e9d7753ea4166f9dab8bdd83eebe31
-
Filesize
16KB
MD5a1760555c7b420d9a4161e512f41c4d0
SHA18c721bb150612d9132bf816121aca25cfd2057b6
SHA2567adcee7442dc5e3ec9bf4a0a5166f19e0af901093e98aa80dd22f019babb7760
SHA5129f0deaaf99516288323d48e8e6f18fe7bce1d71046b5552b0d11a6b2969626675961a4c62da3f80a0ebe5c6ec157c5e370690e9ab9fe605f57cdd8d85383d12b
-
Filesize
23.7MB
MD5effda8dc24b5465dd1424177160a5f1a
SHA19c3267d98ec841d4debda61d7c6aa158e6750996
SHA2562bfbf9d0ed537106096a2dbfdb4bc1bbc1818c8d5befbad46fe872dfb2e5ee0b
SHA51298e4155193e06baaec900d423eee3069809dbe5d26d401ce4508b79e4874b9014c3d6a8f36416074a369e17b089cd081820c01dc6cdd6743ece01e2ac182ac79
-
Filesize
1.9MB
MD51728aad9b45c4972b5beb438041fe2db
SHA129e04abf00a4655533fe88c314769f66c9c15c3f
SHA256bd71cacb4f9a2f7215be33c8aaff98c7950792ea4d3a365fdb3ad73300a8ee19
SHA512c57bdcdfe186f59bb6f7c74ab0251bc78a225d31affb3051a837fa5335e8e24318bd21b0e43abd7b7f9bddc2c9059a3041fa38dd8ee2d5c3a3bb07bd2709ea77
-
Filesize
126KB
MD58c80dd97c37525927c1e549cb59bcbf3
SHA14e80fa7d98c8e87facecdef0fc7de0d957d809e1
SHA25685b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
SHA51250e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e
-
Filesize
11.7MB
MD51af2da7b95cdbbd5a18461e5d5fe910a
SHA18540958b02170962cb958da094e059be5ff43fb0
SHA2561b08b6f863be2c62eb5b00457475630fddb245361f1a35e4396eada29e2da64a
SHA512bc3ea6b76cc8079871c550af197d01c227526688881b10a5192a215d9dca8cd8401408d6a6835444cab862b20856b1ad88b1450a3f93dfa8cd2ecbdc5653459a
-
Filesize
1.4MB
MD54935b75f2a23d38527cf3821c9d9dac3
SHA1f17aa56215ab7b90da00f048fe30d39a2d671b5d
SHA256dd2d7b07e9091590ae60b42022956319bbbbd51b457ea214fb475ecc3e9156f8
SHA512348e041104de20b0850b19db1ebb88ae0b65ecd1695f1ade47e099d62da9cec983a1a73e7fc657509b4fc58496784e0c1681bf46265477b75fdfab440c41acbd
-
Filesize
15KB
MD53c2fe2dbdf09cfa869344fdb53307cb2
SHA1b67a8475e6076a24066b7cb6b36d307244bb741f
SHA2560439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887
SHA512d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c
-
Filesize
10KB
MD5ba629216db6cf7c0c720054b0c9a13f3
SHA137bb800b2bb812d4430e2510f14b5b717099abaa
SHA25615292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9
SHA512c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9
-
Filesize
807KB
MD59a5cec05e9c158cbc51cdc972693363d
SHA1ca4d1bb44c64a85871944f3913ca6ccddfa2dc04
SHA256aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3
SHA5128af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94
-
Filesize
11KB
MD52f0a52ce4f445c6e656ecebbcaceade5
SHA135493e06b0b2cdab2211c0fc02286f45d5e2606d
SHA256cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb
SHA51288151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1
-
Filesize
232KB
MD5f0881d5a7f75389deba3eff3f4df09ac
SHA18404f2776fa8f7f8eaffb7a1859c19b0817b147a
SHA256ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362
SHA512f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e
-
Filesize
58KB
MD5838ceb02081ac27de43da56bec20fc76
SHA1972ab587cdb63c8263eb977f10977fd7d27ecf7b
SHA2560259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f
SHA512bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22
-
Filesize
29KB
MD53e89c56056e5525bf4d9e52b28fbbca7
SHA108f93ab25190a44c4e29bee5e8aacecc90dab80c
SHA256b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa
SHA51232487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6
-
Filesize
9KB
MD583076104ae977d850d1e015704e5730a
SHA1776e7079734bc4817e3af0049f42524404a55310
SHA256cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12
SHA512bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8
-
Filesize
57KB
MD56b7276e4aa7a1e50735d2f6923b40de4
SHA1db8603ac6cac7eb3690f67af7b8d081aa9ce3075
SHA256f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a
SHA51258e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa
-
Filesize
24.0MB
-
Filesize
36KB
-
Filesize
24.0MB
-
Filesize
36KB
-
Filesize
24.0MB
-
Filesize
36KB
-
Filesize
9.1MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
24.0MB
-
Filesize
24.0MB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB