Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2024 10:56

General

  • Target
    c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
  • Size
    546KB
  • MD5
    d76ee42b3f0213dff456133d3f49a828
  • SHA1
    9b08f2f5ba94f5c2dec40b999d6d37e2a3f39d45
  • SHA256
    c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc
  • SHA512
    fc5b386a17114ca1ef55aa19fd4e3825a1830fadf889d0e8e6a54b38a1ce62fee788ecf26b07ce688dd54041a9cde0bf82598ac897d95d445f31fa812f606956
  • SSDEEP
    12288:eag9hsVdB1WUTYw6DgjfgOhWpUpytE5O03BFgGr3DODTZ7M:1g96dTYTDgjf2EDBmGg1M

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
        "C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2308
        • \??\c:\windows\h0u8A142F\D8jHt4.exe
          "c:\windows\h0u8A142F\D8jHt4.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
        • \??\c:\windows\h0u8A142F\S25J11r4uz.exe
          "c:\windows\h0u8A142F\S25J11r4uz.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\Y4X2Wq.bat""
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2804
            • C:\Windows\system32\PING.EXE
              ping -n 2 127.1
              5⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2556

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Y4X2Wq.bat
      Filesize
      272B
      MD5
      e197d2e929343eb763d3daa32c531daf
      SHA1
      021343314e90d99c2225f1d443fc3c2271662b19
      SHA256
      fea0bb505192c06963ef0aaadc29e24b6ae7c83cca8c053899520ca918097fd6
      SHA512
      a735c0eb1b2a1a943670d3d31449b07369b4dbdd0d421ca0094bb5c8829db55a76ab9d18a1c8a98497b287e03d82f0748e07ac0656c63c70e2429c233fe196ac

    • \Windows\h0u8A142F\D8jHt4.exe
      Filesize
      534KB
      MD5
      3792cabfbc4f330d39c06b51509146d0
      SHA1
      23e792c93cd0b73431c77255e298a3737dc18e20
      SHA256
      a42bb30639580792db5fb6ee080b50fae7cf93767b497447f7d2f3d00d904833
      SHA512
      ed4e6b3ccb087028b8fb09ede525bbdec4249202e01800bda52ea4bfd1ba5c3ca4ab5ab62b15dfa33d1bd8afb3a3ed5ee6b4b71f587f361ec67b7e5abc02def1

    • \Windows\h0u8A142F\S25J11r4uz.exe
      Filesize
      222KB
      MD5
      561a88261d6c906c397723d0a484f366
      SHA1
      96201e0ce8a4433b9d22ae77ecc16435d34a6216
      SHA256
      9780d0a48df19bace1a2c6724a094db2d43bdd8925c93b30778653a70f04893e
      SHA512
      31ce8034681f18d57a156fbecad34d920f2633de00e414c306c1f68887b17f83ce21a6bdc1e74df437a07759641721441cdb108d0e96a9ccaa1b02345bb69124

    • memory/1224-18-0x0000000002D60000-0x0000000002D87000-memory.dmp
      Filesize
      156KB

    • memory/1224-17-0x0000000002D60000-0x0000000002D87000-memory.dmp
      Filesize
      156KB

    • memory/1940-31-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize
      100KB

    • memory/1940-29-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize
      100KB

    • memory/1940-28-0x0000000000400000-0x00000000006C0000-memory.dmp
      Filesize
      2.8MB

    • memory/1940-34-0x0000000000400000-0x00000000006C0000-memory.dmp
      Filesize
      2.8MB

    • memory/1940-39-0x0000000000400000-0x00000000006C0000-memory.dmp
      Filesize
      2.8MB

    • memory/2308-8-0x0000000003070000-0x0000000003330000-memory.dmp
      Filesize
      2.8MB

    • memory/2308-9-0x0000000003070000-0x0000000003330000-memory.dmp
      Filesize
      2.8MB