Overview

overview

10

Static

static

10

c93eecc13a...6N.exe

windows7-x64

10

c93eecc13a...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 04:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c93eecc13ad4709bd99c5b8a59384e052cc92c94a2998f5c72565ebeadd07b26N.exe

  • Size

    80KB

  • MD5

    deef375a390b98fde9cc492efde803e0

  • SHA1

    761eb455a29586dc06a6f76165a739ca97d7fd24

  • SHA256

    c93eecc13ad4709bd99c5b8a59384e052cc92c94a2998f5c72565ebeadd07b26

  • SHA512

    c4d5eabf6dea23b755a6d8f0bfaff7d3bb4b00c0225f9bc489aa9986c08e8e2ef3ac8addfd436583008be9bc48d6c2f4dce3acc34a8422b1fcb2bd27f8d2373c

  • SSDEEP

    1536:ITJxjZZ29Up2U7O0Ov15+o46zqMi9G7WXnQQvaWh3zWKfx/t126a63m:SHZ2up5JkH+o46LuRXnLdpzp/tg6Z3m

Score
10/10
blackmoonbankerdiscoverytrojanupx

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c93eecc13ad4709bd99c5b8a59384e052cc92c94a2998f5c72565ebeadd07b26N.exe
    "C:\Users\Admin\AppData\Local\Temp\c93eecc13ad4709bd99c5b8a59384e052cc92c94a2998f5c72565ebeadd07b26N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\Local\Temp\Syslemtlxlv.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemtlxlv.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4348

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemtlxlv.exe
    Filesize

    80KB

    MD5

    67c9edd984f903d7736e1b5f92affd70

    SHA1

    f7e3d57c734689cedd0bc93d43910c4dcc7ab6b5

    SHA256

    cf4d94754e66e105f0d15f0230d67f4e46ddd8f3bc98430c2db56f6304a64760

    SHA512

    f593bd5c3953c79b8125213b467f6e395fe42848beab98fef79e2a149c09f7bcbdf3029820bd01dbadb6e327718ebaa25c581a1329f368970655fd430e19b15c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    103B

    MD5

    f90480a66bbe3fe94bcc6215def1c26e

    SHA1

    2c806adaeb643172f512edcdca4f74a5b2b5fbbe

    SHA256

    b2adabaf649d2e5e25b96323668ee4392842ac1425c9f98b7d84823d767ef150

    SHA512

    9d12fcb903e513deb1e6002ce30b2028c4a4a456cfebf8a97e5085344c5df3331118c4bef52332af8bcad83ba22badb062f53829907f2107329aa1cd5b46da2c

    Download Submit

  • memory/2600-0-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2600-14-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/4348-16-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download