Overview

overview

10

Static

static

10

c9141b8f59...dN.exe

windows7-x64

10

c9141b8f59...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    20-12-2024 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9141b8f5919f46e6be64ddabf35d336be8cba90a1aec9615e927fca88342e0dN.exe

  • Size

    2.0MB

  • MD5

    ddcd2d88b84a4da72dd0cb3d41d73980

  • SHA1

    3bb4de809de9d08e317d117aca7b9d6b7583c6e2

  • SHA256

    c9141b8f5919f46e6be64ddabf35d336be8cba90a1aec9615e927fca88342e0d

  • SHA512

    7a3b13fc34fab1a0edb467c18018cedaa16b553b8e1e97b523107ae50ac5ed9952ec07c3488ed96ccfd449307a3c61c29347b7482425b8c5c7988abdd794e301

  • SSDEEP

    24576:nSH25PwcN2jx23LdZNtWFKVSIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECb:nlDoOTNtGK8IvfuRVy/Pur2Mgb

Score
10/10
blackmoonbankerbootkitdiscoverypersistencetrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 4 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 13 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9141b8f5919f46e6be64ddabf35d336be8cba90a1aec9615e927fca88342e0dN.exe
    "C:\Users\Admin\AppData\Local\Temp\c9141b8f5919f46e6be64ddabf35d336be8cba90a1aec9615e927fca88342e0dN.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:268
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ippatch.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ipsee.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Users\Admin\AppData\Roaming\ippatch.exe
      "C:\Users\Admin\AppData\Roaming\ippatch.exe"
      2⤵
        PID:2676
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im ipsee.exe /f
          3⤵
          • Kills process with taskkill
          PID:1508
        • C:\Users\Admin\AppData\Roaming\ipsee.exe
          "C:\Users\Admin\AppData\Roaming\ipsee.exe"
          3⤵
            PID:1660
        • C:\Users\Admin\AppData\Roaming\ippatch.exe
          "C:\Users\Admin\AppData\Roaming\ippatch.exe"
          2⤵
            PID:2760
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im QQ.EXE /f
            2⤵
            • Kills process with taskkill
            PID:448
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im QQ .EXE /f
            2⤵
            • Kills process with taskkill
            PID:1084
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im QQ.EXE /f
            2⤵
            • Kills process with taskkill
            PID:676
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im QQ .EXE /f
            2⤵
            • Kills process with taskkill
            PID:1276
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im QQ.EXE /f
            2⤵
            • Kills process with taskkill
            PID:1696
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im QQ .EXE /f
            2⤵
            • Kills process with taskkill
            PID:1472
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im QQ.EXE /f
            2⤵
            • Kills process with taskkill
            PID:688
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im QQ .EXE /f
            2⤵
            • Kills process with taskkill
            PID:940
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im QQ.EXE /f
            2⤵
            • Kills process with taskkill
            PID:1628
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im QQ .EXE /f
            2⤵
            • Kills process with taskkill
            PID:2424
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""c9141b8f5919f46e6be64ddabf35d336be8cba90a1aec9615e927fca88342e0dN.exe_And DeleteMe.bat""
            2⤵
              PID:1640
          • C:\Windows\SysWOW64\DllHost.exe
            C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
            1⤵
            • System Location Discovery: System Language Discovery
            PID:2576

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\c9141b8f5919f46e6be64ddabf35d336be8cba90a1aec9615e927fca88342e0dN.exe_And DeleteMe.bat
            Filesize

            248B

            MD5

            4d32c5f7880345bc73b6f4fa0d2de482

            SHA1

            48e3565dfc86efc09018a8117bc5ad54316aaa97

            SHA256

            24170292744f88bf99a9f4413082ee389ae91aa615f3dfc79660746e95287d23

            SHA512

            5971fae30a3b659b4ffee9d28bc97255610d9ba623ed51dbcd5911bee05766646172c70435b8d991f543b0493a12bd93aa8cfe36be67eb7a64808a5ffca0d4df

            Download Submit

          • C:\Users\Admin\AppData\Roaming\1.jpg
            Filesize

            53KB

            MD5

            3e6a6eef02a43bab4e580c30fa8ddf05

            SHA1

            6893ca9f204ccac1b625229e2f270856077ae755

            SHA256

            33264a92e66ea4bc57ddcf38bf8807f4e98656091d47f2cafafc67459411babb

            SHA512

            5033b65b07d91669d7f7cbeb17f1659ba9947d16b73468ea83c7e091875c42f898f7e24ed1a3732857adb9a372452b709c4021e224d6f56a4b1aa7125dc0c5b9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk
            Filesize

            680B

            MD5

            7fd7d91041ae28596071f17723e2cea5

            SHA1

            e34366402b957168572ac62a4a709268cecc50d7

            SHA256

            fb15c4bfb5e1f9323ea825acee52a6b1953007917d6dfac5f1409babb340c594

            SHA512

            26132b4dd9e2b8ef85d0a3075b4e7fc29ea68aa8bddc8fb91235cc72fc34b6780db08cc07b8cc5e81a581c12558005eddd495ca03a9f5cca6dc5132532757e37

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yhxx.dll
            Filesize

            154B

            MD5

            40b80bda339faae4739d77caa3ebd0eb

            SHA1

            54e11813769d714dbf3153ec6f2620b919a00fca

            SHA256

            c551be73cdf086d8b11a4b92910c939cec35e1a8805ee3099b18c5a26f14aff3

            SHA512

            ab087ef1fb1a60772dcd091dc45a47d5b3f5f17f3aa6ae0f1293983b4015a7b1217e69bea95d6f3e4085962f8ef3ca3f529e76d083ab805648aa1bb76480e376

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ippatch.exe
            Filesize

            2.0MB

            MD5

            340cc72fa1df27dba12c14b6ab288794

            SHA1

            adcaa49f94af38ead4b6d9b17c7b2510f2cbf17b

            SHA256

            0d712a6e0c832575b5e626924b50625c2d9eaaaf2d0c585dad7859088af010ff

            SHA512

            d5974daabfede6eef473d68d0caf90ae3f2b94738234c574ebde686bba48fcd311f652d899c59d6f5c7ed85444450caddab6f95b7b52b4a4c0517c448c6143cb

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ipsee.exe
            Filesize

            868KB

            MD5

            894a90983f1d3e146128afa5a28e80fd

            SHA1

            6ef85c06b50cc66d70390358616af41290bf9242

            SHA256

            1caaff68f63e985f1ecfeb09a61578fedef04e476f346da031b10d6052f958ac

            SHA512

            31e2c75d9f08234e67642844e61b3366a621e97783976d1932c789c6b0b713040c257c5504b335c126b30e7b7e49c7bfe7320c8f4604c4f273573782fa7de36f

            Download Submit

          • C:\Users\Admin\AppData\Roaming\mydll.dll
            Filesize

            256KB

            MD5

            45e50df6e4a57b51aede789a0356c4e1

            SHA1

            779ed60379a394ceb57692406c440b21ae885d26

            SHA256

            020d5efadaac936d0f916bff5d2bf8c0325fe5f12ebf69fab6d5d5853906cebe

            SHA512

            f1090a01e3152d798515643e3b890a5c13e9c324a085bdee2b8e51ae7da1b3718ef3a773be05c126c64ef12dd6ea4949f32d98b17d5b6849ae10e0106bb41660

            Download Submit

          • C:\Users\Admin\AppData\Roaming\mydll.dll
            Filesize

            256KB

            MD5

            8668f45a8c85c277abf0da98f638def8

            SHA1

            643e4ada6e39570de79a0b6bcf4b9d1b967a13da

            SHA256

            077c4bb8526f50b2994c212253bc6ddda29c38bf450551f601397565d87366e2

            SHA512

            0335f0bed437d9d2641e2090ee5f553edb3993b149f29132123ffdafbb30bd5a17269b017884c4c0805e260eb83e0e183e5d75b88f4a17bb0e796f855b58b745

            Download Submit

          • C:\Users\Admin\AppData\Roaming\mydll.dll
            Filesize

            256KB

            MD5

            2f199fe5d70f34a9a4ebb1746339262c

            SHA1

            7bf5187ebb62c44aadc3759998498647584fc23e

            SHA256

            9f36c0fa41703b1c2ac2dc4f3de6b39f40c58d9d94bb2a463da2e9dbcfc46342

            SHA512

            86d827dea37791dc3b43dc692e24d4b0937dcf71bb1c4648520f31f9e7b6df84234608b4964a9e2e2c7d87d1af121f6be073b9c45d386da5ab8ecf5c74bf1725

            Download Submit

          • memory/268-15-0x0000000002420000-0x0000000002422000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2576-17-0x0000000000270000-0x0000000000271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2576-16-0x0000000000160000-0x0000000000162000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2576-190-0x0000000000270000-0x0000000000271000-memory.dmp

            Filesize

            4KB

            Download