Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2024 00:50

General

  • Target

    a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe

  • Size

    1.8MB

  • MD5

    10a99d00159dcd34d509a3f1014d20d0

  • SHA1

    af060b8c9712beb1f9be5d326ea80751a0ff52d7

  • SHA256

    a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934cc

  • SHA512

    975e4814453c9f616618e41a424c27f378b9ebb94cc34afd2c27655c061eb2d6032f39796777da28655f7fd7fb560cedc862d4065a79488b754c2556c7a483e4

  • SSDEEP

    12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 7 IoCs
  • Executes dropped EXE 27 IoCs
  • Loads dropped DLL 30 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 4 IoCs

    Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

  • Drops file in System32 directory 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with the UPX open source packer or a modified variant of it.

  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies data under HKEY_USERS 24 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
    "C:\Users\Admin\AppData\Local\Temp\a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\eaiwmfd\fazsuyr.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2320
      • \??\c:\windows\fonts\eaiwmfd\fazsuyr.exe
        c:\windows\fonts\eaiwmfd\fazsuyr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2508
  • \??\c:\windows\fonts\eaiwmfd\fazsuyr.exe
    c:\windows\fonts\eaiwmfd\fazsuyr.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\TEMP\8248635648034056.exe
      C:\Windows\TEMP\8248635648034056.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN jlfyc /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN jlfyc /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2808
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2564
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2648
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\TEMP\ebe697a1.exe
          "C:\Windows\TEMP\ebe697a1.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2744
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\TEMP\e591202a.exe
          "C:\Windows\TEMP\e591202a.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1248
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\TEMP\ef5cbaa2.exe
          "C:\Windows\TEMP\ef5cbaa2.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2780
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN jlfyc /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        PID:2468
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN jlfyc /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2460
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1956
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1160
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2668
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1788
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1784
        • C:\Windows\TEMP\ef92a63a.exe
          "C:\Windows\TEMP\ef92a63a.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1932
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2192
        • C:\Windows\TEMP\eed981c1.exe
          "C:\Windows\TEMP\eed981c1.exe"
          4⤵
          • Executes dropped EXE
          PID:2984
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:888
        • C:\Windows\TEMP\e9931b3a.exe
          "C:\Windows\TEMP\e9931b3a.exe"
          4⤵
          • Executes dropped EXE
          PID:1916
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN jlfyc /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        PID:1940
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN jlfyc /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:748
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1388
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1688
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1584
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1356
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2932
        • C:\Windows\TEMP\e8daf6d2.exe
          "C:\Windows\TEMP\e8daf6d2.exe"
          4⤵
          • Executes dropped EXE
          PID:1368
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2524
        • C:\Windows\TEMP\f295804a.exe
          "C:\Windows\TEMP\f295804a.exe"
          4⤵
          • Executes dropped EXE
          PID:2124
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1752
        • C:\Windows\TEMP\fd5f29c3.exe
          "C:\Windows\TEMP\fd5f29c3.exe"
          4⤵
          • Executes dropped EXE
          PID:2412
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN ugbeq /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        PID:1692
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN ugbeq /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2040
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ifeqhu" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ypdc" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ifeqhu'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1596
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ifeqhu" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2208
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ypdc" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2664
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ifeqhu'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2812
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2072
        • C:\Windows\TEMP\fc96055b.exe
          "C:\Windows\TEMP\fc96055b.exe"
          4⤵
          • Executes dropped EXE
          PID:2848
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2688
        • C:\Windows\TEMP\f6519ec4.exe
          "C:\Windows\TEMP\f6519ec4.exe"
          4⤵
          • Executes dropped EXE
          PID:1488
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2588
        • C:\Windows\TEMP\f10b284c.exe
          "C:\Windows\TEMP\f10b284c.exe"
          4⤵
          • Executes dropped EXE
          PID:1508
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 820
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Temp\uin77.exe

    Filesize

    173KB

    MD5

    4be968d673f8ceabd4258456c9e23bc7

    SHA1

    71c02fa92ec3dc94b9ef3889b677449570c56673

    SHA256

    3b2dd6fdf9107a6b022f29424fcbe814deab9c5b745e9f4a619557e00a5caa9c

    SHA512

    b8ebecb5a1f76d82352f0836a71c351ae489b474dd4aee8e0132ef3787d0dc1914e36a5639cd6c8f7b4382ada6a9c2d4b46591322043069f1a504e4d7110c334

  • \Windows\Fonts\eaiwmfd\fazsuyr.exe

    Filesize

    1.9MB

    MD5

    76a0ecb70b7ca335fc5c906cac34ccc3

    SHA1

    dcec0d5b6989eaa6e943d05e3dd7a30dd3f71d75

    SHA256

    81285b8aecfbd931e794342d80efc5f2792ce953eff2d00318736e7a077ae1a6

    SHA512

    56df42ec2d354bb027f23c846c4651d7403745353558074b4e7feb6b421a666beeb8d9e7c7e2abf478aebd966008c0aa7ec764b6d2fc4ceb8ceba506f1ed650c

  • \Windows\Temp\8248635648034056.exe

    Filesize

    244KB

    MD5

    de3b294b4edf797dfa8f45b33a0317b4

    SHA1

    d46f49e223655eca9a21249a60de3719fe3795e0

    SHA256

    d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

    SHA512

    1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

  • \Windows\Temp\e8daf6d2.exe

    Filesize

    95KB

    MD5

    35cd4c255b0e277c6b2e8db84b387a82

    SHA1

    d200ae287bfca34dc19294b5c64885f25743feed

    SHA256

    147826b10636a9dc6a576618e95483848e930e000a47cb5aae91c379efd7e4de

    SHA512

    0c2ef38f0cb9a57a825d87931285ccd24622747ee1c77146d694d4fc11b5c50c92d2c4f3c1f29e86350f037b9416e3fbdcb205b9a5bf2c2172f115e92f740d5f

  • \Windows\Temp\ebe697a1.exe

    Filesize

    95KB

    MD5

    e39ab07c259dbad8f2af02d2c17176d8

    SHA1

    d99ad6cecaa43ed0b4c74922cfb58da104995ddc

    SHA256

    c50faa0b8521fe4d0c32a0fc48bd9e90104cdfe10bf33a7fad3ec04602cf6564

    SHA512

    2267bab51bc6bdced5717f3377c16af5cdc02d3c9ed841d335820d1788bbd45237980fcc3d51f63982853edabc75f22a0e14a0ada7a10b7063da9e1b529bffcc

  • \Windows\Temp\uin77.exe

    Filesize

    173KB

    MD5

    629217733c9035c8c845924626125b85

    SHA1

    711f63124dca4001c01741847f0d8f7f19c22b46

    SHA256

    bc2c72241289bb1cfa8b36adce7696e9e79554a7d532d8c3c0a2a37fee269d83

    SHA512

    22e0567e1c4e39c17306e8e509e0bf898970178247fc5b66f24cd59f895b151169019ed837cd05c6fee8178190966b1a0cb528ea64d248c427c6e470060ab6dc

  • memory/580-8-0x0000000002420000-0x0000000002506000-memory.dmp

    Filesize

    920KB

  • memory/1708-4-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/1708-0-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/2508-10-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/2508-13-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/2684-21-0x0000000000E90000-0x0000000000F1C000-memory.dmp

    Filesize

    560KB

  • memory/2684-43-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/2684-20-0x0000000000E90000-0x0000000000F1C000-memory.dmp

    Filesize

    560KB

  • memory/2684-159-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/2732-45-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2732-67-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2732-23-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2732-153-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB