Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2024 10:56

General

  • Target

    c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe

  • Size

    546KB

  • MD5

    d76ee42b3f0213dff456133d3f49a828

  • SHA1

    9b08f2f5ba94f5c2dec40b999d6d37e2a3f39d45

  • SHA256

    c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc

  • SHA512

    fc5b386a17114ca1ef55aa19fd4e3825a1830fadf889d0e8e6a54b38a1ce62fee788ecf26b07ce688dd54041a9cde0bf82598ac897d95d445f31fa812f606956

  • SSDEEP

    12288:eag9hsVdB1WUTYw6DgjfgOhWpUpytE5O03BFgGr3DODTZ7M:1g96dTYTDgjf2EDBmGg1M

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Drops file in System32 directory 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
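
The "Unexpected DNS network traffic destination" signature above flags port-53 traffic to hosts other than the VM's configured resolvers. The following is an added example of that check as a practitioner might run it over a network log; it is not Tria.ge's own logic. The conn.log records (Zeek-like, whitespace separated) and the resolver set 10.0.2.3 are constructed for the example, and the addresses are hypothetical.

```python
"""Flag DNS-port traffic that bypasses the configured resolvers.

Added example for the "Unexpected DNS network traffic destination" signature;
not sandbox vendor code. SAMPLE_CONN_LOG and CONFIGURED_RESOLVERS are
constructed values (hypothetical addresses) in a Zeek-like layout.
"""
from collections import Counter
from ipaddress import ip_address

# Constructed records: ts uid src sport dst dport proto
SAMPLE_CONN_LOG = """\
1735037760.1 C1 10.0.2.15 49712 10.0.2.3      53  udp
1735037760.4 C2 10.0.2.15 49713 8.8.8.8       53  udp
1735037761.0 C3 10.0.2.15 49714 203.0.113.9   53  tcp
1735037761.2 C4 10.0.2.15 49715 203.0.113.9   53  udp
1735037762.0 C5 10.0.2.15 49716 198.51.100.77 443 tcp
"""

# Resolver(s) the sandbox VM is configured with (assumed value for the example).
CONFIGURED_RESOLVERS = frozenset({"10.0.2.3"})

FIELDS = ("ts", "uid", "src", "sport", "dst", "dport", "proto")


def parse_conn_log(text):
    """Yield one dict per non-comment record; ports become ints."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split()))
        if len(rec) != len(FIELDS):
            continue  # truncated line: skip rather than mis-assign fields
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        yield rec


def unexpected_dns_destinations(text, resolvers=CONFIGURED_RESOLVERS):
    """Return port-53 flows whose destination is not a configured resolver.

    TCP/53 is checked as well as UDP/53: a TCP connection to an unknown
    resolver is rarer and a stronger signal (large answers or tunnelling).
    """
    hits = []
    for rec in parse_conn_log(text):
        if rec["dport"] != 53 or rec["dst"] in resolvers:
            continue
        dst = ip_address(rec["dst"])
        hits.append({
            "uid": rec["uid"],
            "dst": rec["dst"],
            "proto": rec["proto"],
            # A private/LAN destination points at a rogue local resolver rather
            # than a hard-coded public one; the follow-up differs.
            "private": dst.is_private,
        })
    return hits


def iocs(text, resolvers=CONFIGURED_RESOLVERS):
    """Collapse hits to (dst, proto) pairs with counts, as a report lists IoCs."""
    return Counter((h["dst"], h["proto"])
                   for h in unexpected_dns_destinations(text, resolvers))
```

Run against the sample log, `iocs()` yields three distinct (destination, protocol) pairs, which is how a "4 IoCs" style count is arrived at once repeated flows to the same pair are merged.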

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
        "C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1732
        • \??\c:\windows\o87Y\DO925.exe
          "c:\windows\o87Y\DO925.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1112
        • \??\c:\windows\o87Y\lDkLn8rlk.exe
          "c:\windows\o87Y\lDkLn8rlk.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bhwOhgI.bat""
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2136
            • C:\Windows\system32\PING.EXE
              ping -n 2 127.1
              5⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4284
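
The tail of the tree, cmd.exe running a .bat from the user's Temp directory which in turn runs `ping -n 2 127.1`, is the batch-file idiom for sleeping about a second before the script's next command, since Windows ping waits roughly one second between echo requests; in droppers it is commonly followed by deleting a file that was still in use, though this report does not show the batch file's contents. `127.1` is inet_aton shorthand for 127.0.0.1, which is why a loopback check has to expand the address rather than compare strings. The block below is an added detection example, not sandbox code; EVENTS is a constructed process-creation log carrying the PIDs and command lines shown in the tree, with field names loosely modelled on Sysmon Event ID 1.

```python
"""Detect the ping-to-loopback delay that dropper batch files use.

Added example built around this report's process tree; not sandbox vendor code.
EVENTS is a constructed process-creation log (fields loosely modelled on Sysmon
Event ID 1) that carries the PIDs and command lines shown in the tree above.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe"
EVENTS = [
    {"pid": 3424, "ppid": 0, "image": r"C:\Windows\Explorer.EXE", "cmd": r"C:\Windows\Explorer.EXE"},
    {"pid": 1732, "ppid": 3424, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 1112, "ppid": 1732, "image": r"c:\windows\o87Y\DO925.exe", "cmd": r'"c:\windows\o87Y\DO925.exe"'},
    {"pid": 2964, "ppid": 1732, "image": r"c:\windows\o87Y\lDkLn8rlk.exe", "cmd": r'"c:\windows\o87Y\lDkLn8rlk.exe"'},
    {"pid": 2136, "ppid": 2964, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bhwOhgI.bat""'},
    {"pid": 4284, "ppid": 2136, "image": r"C:\Windows\system32\PING.EXE", "cmd": "ping -n 2 127.1"},
]


def expand_ipv4(text):
    """Expand inet_aton shorthand to a dotted quad, or return None.

    inet_aton takes 1 to 4 parts (decimal, 0x hex, leading-0 octal); the last
    part fills every remaining byte, so "127.1" and "2130706433" are 127.0.0.1.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [int(p, 16) if p.lower().startswith("0x")
                else int(p, 8) if len(p) > 1 and p.startswith("0")
                else int(p) for p in parts]
    except ValueError:
        return None
    *lead, last = nums
    tail = 4 - len(lead)
    if any(not 0 <= n <= 255 for n in lead) or not 0 <= last < (1 << (8 * tail)):
        return None
    octets = lead + [(last >> (8 * i)) & 0xFF for i in reversed(range(tail))]
    return ".".join(map(str, octets))

# First token is ping/ping.exe, optionally with a directory and quotes.
PING_RE = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?ping(?:\.exe)?"?\s+(?P<args>.*)$', re.I)

def parse_ping(cmdline):
    """Return (echo_count, target) for a Windows ping command line, else None."""
    m = PING_RE.match(cmdline)
    if not m:
        return None
    args, count, target, i = m["args"].split(), 4, None, 0   # Windows default: 4 echoes
    while i < len(args):
        a = args[i].lower()
        if a == "-n" and i + 1 < len(args) and args[i + 1].isdigit():
            count, i = int(args[i + 1]), i + 2
        elif a in ("-w", "-l", "-i", "-s", "-j", "-k") and i + 1 < len(args):
            i += 2                       # switches that take a value
        elif a.startswith("-") or a.startswith("/"):
            i += 1                       # boolean switches such as -t, -a, -4
        else:
            target, i = args[i], i + 1
    return count, target

def targets_loopback(target):
    """True for localhost or any 127/8 address, including inet_aton shorthand."""
    if target is None:
        return False
    if target.lower() in ("localhost", "::1"):
        return True
    addr = expand_ipv4(target)
    return addr is not None and addr.startswith("127.")

def ancestry(events, pid):
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < 64:   # guard against cyclic ppid data
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain                               # child first

BAT_RE = re.compile(r'([^"\s]+\.bat)\b', re.I)

def find_delay_chains(events):
    """Loopback pings launched by cmd.exe running a .bat: the sleep-then-act idiom."""
    findings = []
    for e in events:
        parsed = parse_ping(e["cmd"])
        if not parsed or not targets_loopback(parsed[1]):
            continue
        chain = ancestry(events, e["pid"])
        parent = chain[1] if len(chain) > 1 else None
        bat = parent and BAT_RE.search(parent["cmd"])
        if not (parent and parent["image"].lower().endswith("\\cmd.exe") and bat):
            continue
        findings.append({
            "ping_pid": e["pid"],
            "approx_delay_s": max(parsed[0] - 1, 0),          # ~1 s between echo requests
            "batch": bat.group(1),
            "chain": [c["image"] for c in reversed(chain)],   # root first
        })
    return findings
```

The finding carries the full ancestry back to Explorer.EXE so an analyst sees that the ping was reached through a dropped executable under c:\windows\o87Y\ rather than an interactive shell; IPv6 loopback is only matched as the literal `::1`.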

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bhwOhgI.bat

      Filesize

      261B

      MD5

      6785e1fe2b60c6bb1ca6a3ff08a085d9

      SHA1

      f117a9ee25cc9f0148fd0f23c566175e9a6af679

      SHA256

      3557ebe7c16325bbacba7519818fff6796983a8461ad212f364aed6366359027

      SHA512

      a2a97180e11d11ca188607c3480e29089cef4bd3895e5f5e6a301e88f02b7af5c0cf9b7882e8ca9cfb7208f206c287b8c28c37d8356eb53e4747c01a4adcaade

    • C:\Windows\o87Y\DO925.exe

      Filesize

      534KB

      MD5

      3792cabfbc4f330d39c06b51509146d0

      SHA1

      23e792c93cd0b73431c77255e298a3737dc18e20

      SHA256

      a42bb30639580792db5fb6ee080b50fae7cf93767b497447f7d2f3d00d904833

      SHA512

      ed4e6b3ccb087028b8fb09ede525bbdec4249202e01800bda52ea4bfd1ba5c3ca4ab5ab62b15dfa33d1bd8afb3a3ed5ee6b4b71f587f361ec67b7e5abc02def1

    • C:\Windows\o87Y\lDkLn8rlk.exe

      Filesize

      222KB

      MD5

      561a88261d6c906c397723d0a484f366

      SHA1

      96201e0ce8a4433b9d22ae77ecc16435d34a6216

      SHA256

      9780d0a48df19bace1a2c6724a094db2d43bdd8925c93b30778653a70f04893e

      SHA512

      31ce8034681f18d57a156fbecad34d920f2633de00e414c306c1f68887b17f83ce21a6bdc1e74df437a07759641721441cdb108d0e96a9ccaa1b02345bb69124

    • memory/1112-6-0x0000000000400000-0x00000000006C0000-memory.dmp

      Filesize

      2.8MB

    • memory/1112-16-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

    • memory/1112-15-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

    • memory/1112-18-0x0000000000400000-0x00000000006C0000-memory.dmp

      Filesize

      2.8MB

    • memory/1112-21-0x0000000000400000-0x00000000006C0000-memory.dmp

      Filesize

      2.8MB

    • memory/3424-9-0x00000000023E0000-0x0000000002407000-memory.dmp

      Filesize

      156KB
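
The memory dump names above encode the PID, a dump sequence number and the dumped virtual address range. The following added example (not vendor code) parses those names, recomputes each region's size to cross-check the listed Filesize values, merges repeated dumps of the same range, and attaches a label from the base address: 0x400000 is the default image base of a 32-bit EXE and 0x10000000 the default base of a 32-bit DLL, which is consistent with the arch:x86 resource tag. The size-formatting convention and the labels are assumptions made for triage, not fields of the report.

```python
"""Parse sandbox memory-dump names into regions and cross-check their sizes.

Added example, not code from the sandbox vendor. REPORT_DUMPS copies the entry
names listed above; the size formatting and the base-address labels are
assumptions used for triage, not fields of the report.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.I,
)

REPORT_DUMPS = [
    "memory/1112-6-0x0000000000400000-0x00000000006C0000-memory.dmp",
    "memory/1112-16-0x0000000010000000-0x0000000010019000-memory.dmp",
    "memory/1112-15-0x0000000010000000-0x0000000010019000-memory.dmp",
    "memory/1112-18-0x0000000000400000-0x00000000006C0000-memory.dmp",
    "memory/1112-21-0x0000000000400000-0x00000000006C0000-memory.dmp",
    "memory/3424-9-0x00000000023E0000-0x0000000002407000-memory.dmp",
]


def parse_dump_name(name):
    """Return pid, sequence number, start, end and byte size of one dump entry."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump entry: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Format like the Filesize column (assumed: KB below 1 MiB, else MB to one decimal)."""
    return f"{n / (1 << 20):.1f}MB" if n >= 1 << 20 else f"{n / 1024:.0f}KB"


def classify(start, end):
    """Heuristic label from the base address; an assumption, not a report field."""
    if start == 0x400000:
        return "main image at the default 32-bit EXE base"
    if start == 0x10000000:
        return "module at the default 32-bit DLL base (not relocated)"
    if start % 0x10000 == 0 and (end - start) % 0x1000 == 0:
        return "allocation-aligned private region (candidate injected/unpacked code)"
    return "unclassified"


def group_regions(names):
    """Merge repeated dumps of one (pid, range) and order by pid then address."""
    seqs = defaultdict(list)
    for name in names:
        r = parse_dump_name(name)
        seqs[(r["pid"], r["start"], r["end"])].append(r["seq"])
    regions = []
    for (pid, start, end), dumps in sorted(seqs.items()):
        regions.append({
            "pid": pid, "start": start, "end": end, "size": end - start,
            "size_h": human_size(end - start), "dumps": sorted(dumps),
            "is_32bit": end <= 1 << 32, "label": classify(start, end),
        })
    return regions
```

For this report the three ranges collapse to 0x2C0000 bytes (2.8MB, dumped three times from PID 1112), 0x19000 bytes (100KB, dumped twice) and 0x27000 bytes (156KB, once from Explorer's PID 3424); the last region is 64 KiB aligned inside a process that is not the sample, which is worth comparing with the WriteProcessMemory behaviour noted for the sample's process.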