Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    24-12-2024 10:59

General

  • Target

    c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe

  • Size

    546KB

  • MD5

    d76ee42b3f0213dff456133d3f49a828

  • SHA1

    9b08f2f5ba94f5c2dec40b999d6d37e2a3f39d45

  • SHA256

    c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc

  • SHA512

    fc5b386a17114ca1ef55aa19fd4e3825a1830fadf889d0e8e6a54b38a1ce62fee788ecf26b07ce688dd54041a9cde0bf82598ac897d95d445f31fa812f606956

  • SSDEEP

    12288:eag9hsVdB1WUTYw6DgjfgOhWpUpytE5O03BFgGr3DODTZ7M:1g96dTYTDgjf2EDBmGg1M

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
        "C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1600
        • \??\c:\windows\FxvN\61xRb6B.exe
          "c:\windows\FxvN\61xRb6B.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2884
        • \??\c:\windows\FxvN\649eu6Ec3.exe
          "c:\windows\FxvN\649eu6Ec3.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2832
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\RNKecHYV.bat""
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2984
            • C:\Windows\system32\PING.EXE
              ping -n 2 127.1
              5⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2692

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RNKecHYV.bat

      Filesize

      262B

      MD5

      c2c9141f6ef34ea75db8e6d325fa59d1

      SHA1

      0a9dfdc655e59cbcf1f77a57aad1d608507aadd9

      SHA256

      fb364d7aa015ce38356e20fd4d807c378a170410275e8b5a508a1bc476d4c441

      SHA512

      5c49fbbd4eaceb1bd7f75d265b093199c95e3a86e883d41440e1b725b6a8dcb5a8f6052c10d17ab72350f3654ebae89da6a0da71ff03eca3f4235c94b6b08394

    • C:\Windows\FxvN\649eu6Ec3.exe

      Filesize

      222KB

      MD5

      561a88261d6c906c397723d0a484f366

      SHA1

      96201e0ce8a4433b9d22ae77ecc16435d34a6216

      SHA256

      9780d0a48df19bace1a2c6724a094db2d43bdd8925c93b30778653a70f04893e

      SHA512

      31ce8034681f18d57a156fbecad34d920f2633de00e414c306c1f68887b17f83ce21a6bdc1e74df437a07759641721441cdb108d0e96a9ccaa1b02345bb69124

    • \Windows\FxvN\61xRb6B.exe

      Filesize

      534KB

      MD5

      3792cabfbc4f330d39c06b51509146d0

      SHA1

      23e792c93cd0b73431c77255e298a3737dc18e20

      SHA256

      a42bb30639580792db5fb6ee080b50fae7cf93767b497447f7d2f3d00d904833

      SHA512

      ed4e6b3ccb087028b8fb09ede525bbdec4249202e01800bda52ea4bfd1ba5c3ca4ab5ab62b15dfa33d1bd8afb3a3ed5ee6b4b71f587f361ec67b7e5abc02def1

    • memory/1212-18-0x0000000002E70000-0x0000000002E97000-memory.dmp

      Filesize

      156KB

    • memory/1212-17-0x0000000002E70000-0x0000000002E97000-memory.dmp

      Filesize

      156KB

    • memory/1600-14-0x0000000003140000-0x0000000003400000-memory.dmp

      Filesize

      2.8MB

    • memory/1600-13-0x0000000003140000-0x0000000003400000-memory.dmp

      Filesize

      2.8MB

    • memory/2884-31-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

    • memory/2884-29-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

    • memory/2884-21-0x0000000000400000-0x00000000006C0000-memory.dmp

      Filesize

      2.8MB

    • memory/2884-34-0x0000000000400000-0x00000000006C0000-memory.dmp

      Filesize

      2.8MB

    • memory/2884-39-0x0000000000400000-0x00000000006C0000-memory.dmp

      Filesize

      2.8MB