Overview

overview

10

Static

static

10

3068c17ad5...20.exe

windows7-x64

10

3068c17ad5...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-12-2024 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe

  • Size

    2.6MB

  • MD5

    ee93f85ebd4faadb04fc34a3d7321a4e

  • SHA1

    0ef87a6904b5f0668a66a12521f1737971c6bcee

  • SHA256

    3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20

  • SHA512

    8479b6b67727e3fe76cb6b9dc99d9c8cfee57ec24a14e5fce5fb477bcdc60b51db72055843e1f6c7a7c717e04241b5fe257b85ca0dba681e60ea1a6f2216b5d1

  • SSDEEP

    49152:Mp6qkpHtyyj+KmfFYEMGjHOcI0zVGrlHOFhVcpP4Ru040vSwK:YQt1Lmf/HlFVGrlH2s4Ru040a

Score
10/10
blackmoonbankerdiscoveryspywarestealertrojanupx

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 24 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 4 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
    adwarespyware
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
    "C:\Users\Admin\AppData\Local\Temp\3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
      "C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\¾ýÁÙÌìÏÂ.exe
        "C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\¾ýÁÙÌìÏÂ.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\¾ýÁÙÌìÏÂ.exe
          "C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\¾ýÁÙÌìÏÂ.exe" Master
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://www.30my.com/
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1048
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1048 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    252B

    MD5

    b149cb0cd6e29f1c53ebfff42fe38cb8

    SHA1

    a86cbec9aa0d31417b2b37c9a4b2244ceebbb46b

    SHA256

    a27d4af938aeae756000b3d02e8bad510678a1dc68d264abe56b92f04763682d

    SHA512

    184472301db4b51dfbd78fff77d2ba44433294bbaf6f3a83a442808c4c713a11ace43ae367732cd8e1d3c6fb2ee627d2213f6fed80279f4c60c73e1d42b0e620

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1311c85cda610b59c784946a4a71cc9e

    SHA1

    531dcfcc22d84bb50b5e018b30fc9a56a316fdbc

    SHA256

    644649cbad5b1c2fed37582dc8e468189cc95aec0e9d2ac313a860209be3169e

    SHA512

    de0601791170bf3ee13b8e5be7025a865209b8f3cd62348aadfbac3f5484998930a94e0a23aeca2fb7b665217395eed5f9d8c2394e65def2bc2866e544027ba0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    49a34cb53a8902839c23d0c5a2ef8b2a

    SHA1

    231c4a12eab846033d9ce9105662d8af5cd4a0ff

    SHA256

    8e7b8427c452da2acbca4082c16c15033ccba4f5490bcd99c9a987a9f0efdcae

    SHA512

    231ce472602bc4531659b74ad8cfe41f7685098c47773d358ee39edc9dc84594a56608cc965e4b7fdd7ac669158da36f78cfc4be251dfe7797d00e4c6a9f1804

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5ba5795df318e165ae8e5444562d4092

    SHA1

    cf6bc7f538559823baa2fe2cadd344091417f2bf

    SHA256

    8b8431a926da73f00f4982ba4d86993fde95dbda8ab594f66fe7895aef1045e3

    SHA512

    9f81622be6f70dc1f478b26c1342357349897aa3e843d0781898ef0777af309c61256e2a76f67345e4d64debe609a7c3f8dce6e8e0fada22983799e3b9c79873

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    a5c10644135317d29c6a975bac273807

    SHA1

    8511aa102611660be2b611bfc2b299776b23b7e1

    SHA256

    aa3adfab991b24b876c39c777061396f3f39fe0017ebce0d3c26feace7db1b72

    SHA512

    d2825d3955c71904b365923cb79a56be385ddf11dbef45c6a4fd696fb68e903a78de80e7d6f3cd3fb18d750f8a5d7c8c66873c8feb2b1727e15caa462a5f819c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    fe7d9f400c210531581ca20c8c635c0e

    SHA1

    1963c9f472bfdbe58a34f42046953f11efb23e1b

    SHA256

    28738f48359a6c79552b5bf5abc5dfd6fb35649bd80134a3c252f096b0f2c0eb

    SHA512

    b7ef398a8c7078c024589b364b66ffe1ea5410bf222e9fb74614208d0c3e7c61643d8d352e2cd7c613b5bc9cbf46316a8e9524fd425a5ffb3bf5d0b65b6ef1db

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c4b322ecbd00a3c451c0789c5f363b84

    SHA1

    f32c8c9b0b136d054e3cdfe0117060e539fddb34

    SHA256

    da14ecf3659f5835a74416290f9ba1e86fbb99c2eca757d788e13d68604937db

    SHA512

    a3cc12358c90feffcd180700be0c850b835b5812718d484608293396ae2be292fa165fc98902a672a5ac031a1828a6c2f00b097939f5039f49d319559e2d36ae

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    dddc8d2160b95edee45adf9b566ae033

    SHA1

    099094e85c5e1ef1bdf0d3cb48e8b5f018ef4a0d

    SHA256

    976c6b296837cb48be67ea478c33dea5ef8aa0a3f5de24cce5d3f997ce946636

    SHA512

    cb92a9731e9e83dfa97f298b42133417cfa858ca2ac931b22a6eb8148697b8ad61df7d108fc3b3f380a0e233dca1c1c9503885df4d79d61d202a6da5ac76833e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\favicon[1].htm
    Filesize

    520B

    MD5

    3704f92207749f1f9b308fc856e7b7eb

    SHA1

    b12e7554f139b239e0cb11f2138fa328e414a761

    SHA256

    7407aa48b72bcf4fbc483d468f668297de0850af456c1a57c8fe569c932c789e

    SHA512

    c0812fb9a6cc887ce08a773103b08a719a65700c052ff79e35f3471321abc091aa18f73fe6af4600e8409732cc7524ef1760e0a3a242475d41f90fa4182a0297

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab6D95.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar6D96.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\Desktop\¾ýÁÙÌìÏÂ.lnk
    Filesize

    1KB

    MD5

    fcf3d48700bcd65075892584dc945859

    SHA1

    53c0cfcf2b0aad450fa319c565765699dba12769

    SHA256

    0a250ecf261fc1e642a81e85741a39a94bd5c0691f297cee63d7be99ac31abb1

    SHA512

    e53976504cd6661f6d0c6e42c83b90ea5d53d23a428d4347ea9dcf92d9c56cc9ab0a725b5df538785bb8d6387e6c35b874dfa1c4ae1c84abe5f4ccb91e714dcf

    Download Submit

  • C:\Users\Admin\Desktop\ħÓò·¢²¼Íø.url
    Filesize

    120B

    MD5

    5c8c7c3ce78aa0a9d56f96ab77676682

    SHA1

    1a591e2d34152149274f46d754174aa7a7bb2694

    SHA256

    40a172493bd1337c6bfd9c0af15be6d6e5d539135dd766577a05362e859ff806

    SHA512

    8ef03cf1967157cf019d1e7b585a45042642d5a1d82c90ef68f1256e40fe162460e7c26919b1fdf8c33de9f95201ee6a13e69676436d7251a017c04fdf047a77

    Download Submit

  • C:\Windows\SysWOW64\msvcp30.ini
    Filesize

    18B

    MD5

    2cd7883782c594d2e2654f8fe988fcbe

    SHA1

    042bcb87c29e901d70c0ad0f8fa53e0338c569fc

    SHA256

    aa98ce751ef6ac5401a9278f30c06e250dbbd5e8c2e2c378b0fdf33a205d7037

    SHA512

    88413dc63847682207d2b1e6cdfcb3de9cc73da5f900a1948e4aa262da20056bcb2486ee8a7c8a4f9b0aa3fdff6b99061262fbc67aebc99bf0b42e5bfc7db360

    Download Submit

  • C:\Windows\msvcp30.ico
    Filesize

    264KB

    MD5

    bdccf3c42497089ae7001328305906ed

    SHA1

    cf6f28e09d98ebe516b408e6b15f03f5891fdc79

    SHA256

    5f191e3486c0bafdd237f8b79f6ce0f69d1f8c9f8c948d14ab061db36286b2f2

    SHA512

    d7876d8d414ca48903393aa523296ffe35bfa3c6b5bfc4ce70adfc93d31efa61a9bfeea571754cde2e205416e57c13df5c45551b5e6aae6eb53b951065ebbf5d

    Download Submit

  • \Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
    Filesize

    2.6MB

    MD5

    ee93f85ebd4faadb04fc34a3d7321a4e

    SHA1

    0ef87a6904b5f0668a66a12521f1737971c6bcee

    SHA256

    3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20

    SHA512

    8479b6b67727e3fe76cb6b9dc99d9c8cfee57ec24a14e5fce5fb477bcdc60b51db72055843e1f6c7a7c717e04241b5fe257b85ca0dba681e60ea1a6f2216b5d1

    Download Submit

  • \Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\¾ýÁÙÌìÏÂ.exe
    Filesize

    4.5MB

    MD5

    08cfce375a93146a24759f7bbbeb7823

    SHA1

    6e7c44ced4eaf20201ada64118ee1b26c5d02678

    SHA256

    baeba054f69683238e8a87b27097254a0ce27d736967fc998eae9f80e4e0d42e

    SHA512

    ab049d59a998cf81f9e1718366fb72901482af8291c0e62fc85abdfa4b682625911be77d39c3b1aca5fcf3bd72971b6c6b26257b46fef0499f1e8a36076b01e3

    Download Submit

  • \Windows\SysWOW64\msvcp30.dll
    Filesize

    93KB

    MD5

    a6c4f055c797a43def0a92e5a85923a7

    SHA1

    efaa9c3a065aff6a64066f76e7c77ffcaaf779b2

    SHA256

    73bd285ac6fba28108cdc0d7311e37c4c4fc3ba7d0069c4370778ac3099e21a9

    SHA512

    d8120f7f59c212867c78af42f93db64d35f2d6eae7fc09021c0a6d8ca71a14bd2b2a3006027094ee2edcf65634dcdb3ac96da3ac810171fff021bed4c4254957

    Download Submit

  • memory/1988-98-0x0000000000400000-0x0000000000891000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/1988-73-0x00000000749F0000-0x0000000074A2C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1988-86-0x0000000000960000-0x0000000000971000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1988-85-0x0000000000960000-0x0000000000971000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1988-82-0x0000000000960000-0x0000000000971000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1988-78-0x0000000000930000-0x000000000093F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1988-57-0x0000000002100000-0x000000000232F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1988-96-0x0000000002100000-0x000000000232F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1988-87-0x0000000002100000-0x000000000232F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1988-91-0x0000000002100000-0x000000000232F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1988-92-0x0000000000400000-0x0000000000891000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/1988-94-0x00000000749F0000-0x0000000074A2C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1988-93-0x00000000749F0000-0x0000000074A2C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1988-95-0x0000000002100000-0x000000000232F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1988-100-0x00000000749F0000-0x0000000074A2C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2940-54-0x0000000000400000-0x0000000000891000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2940-33-0x0000000000A30000-0x0000000000A41000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2940-56-0x0000000074840000-0x000000007487C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2940-50-0x0000000002170000-0x000000000239F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2940-49-0x0000000002170000-0x000000000239F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2940-28-0x0000000002170000-0x000000000239F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2940-29-0x0000000000280000-0x000000000028F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2940-53-0x0000000002170000-0x000000000239F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2940-36-0x0000000000A30000-0x0000000000A41000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2940-37-0x0000000000A30000-0x0000000000A41000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2940-38-0x0000000002170000-0x000000000239F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2940-46-0x0000000074840000-0x000000007487C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2940-20-0x0000000002170000-0x000000000239F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2940-19-0x0000000002170000-0x000000000239F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2940-18-0x0000000002170000-0x000000000239F000-memory.dmp

    Filesize

    2.2MB

    Download