Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2024 10:59

General

  • Target

    c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe

  • Size

    546KB

  • MD5

    d76ee42b3f0213dff456133d3f49a828

  • SHA1

    9b08f2f5ba94f5c2dec40b999d6d37e2a3f39d45

  • SHA256

    c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc

  • SHA512

    fc5b386a17114ca1ef55aa19fd4e3825a1830fadf889d0e8e6a54b38a1ce62fee788ecf26b07ce688dd54041a9cde0bf82598ac897d95d445f31fa812f606956

  • SSDEEP

    12288:eag9hsVdB1WUTYw6DgjfgOhWpUpytE5O03BFgGr3DODTZ7M:1g96dTYTDgjf2EDBmGg1M

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3520
      • C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
        "C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2972
        • \??\c:\windows\L8z7645e\k7KwG1J.exe
          "c:\windows\L8z7645e\k7KwG1J.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1520
        • \??\c:\windows\L8z7645e\1nae9DF.exe
          "c:\windows\L8z7645e\1nae9DF.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4244
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCVEcr.bat""
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3312
            • C:\Windows\system32\PING.EXE
              ping -n 2 127.1
              5⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1820

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TCVEcr.bat

      Filesize

      264B

      MD5

      7fcb2dda49824d3337cf07c967832b85

      SHA1

      6f6d8e27da3fb0109bdf72235077d9395330b4f8

      SHA256

      9c51b7aae92b228d2a591e4d07ee04fbc6c93c8bdcc90fe8603f8fff1f2f154f

      SHA512

      32b803a9dd99d3edf90e2d4965f9c23d5fa65b30c7c6d96c6b4ba7314a4d8882a754864abbb4a27fdb992360001369f92d60b45251554294374976a9996760d6

    • C:\Windows\L8z7645e\1nae9DF.exe

      Filesize

      222KB

      MD5

      561a88261d6c906c397723d0a484f366

      SHA1

      96201e0ce8a4433b9d22ae77ecc16435d34a6216

      SHA256

      9780d0a48df19bace1a2c6724a094db2d43bdd8925c93b30778653a70f04893e

      SHA512

      31ce8034681f18d57a156fbecad34d920f2633de00e414c306c1f68887b17f83ce21a6bdc1e74df437a07759641721441cdb108d0e96a9ccaa1b02345bb69124

    • C:\Windows\L8z7645e\k7KwG1J.exe

      Filesize

      534KB

      MD5

      3792cabfbc4f330d39c06b51509146d0

      SHA1

      23e792c93cd0b73431c77255e298a3737dc18e20

      SHA256

      a42bb30639580792db5fb6ee080b50fae7cf93767b497447f7d2f3d00d904833

      SHA512

      ed4e6b3ccb087028b8fb09ede525bbdec4249202e01800bda52ea4bfd1ba5c3ca4ab5ab62b15dfa33d1bd8afb3a3ed5ee6b4b71f587f361ec67b7e5abc02def1

    • memory/1520-6-0x0000000000400000-0x00000000006C0000-memory.dmp

      Filesize

      2.8MB

    • memory/1520-17-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

    • memory/1520-15-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

    • memory/1520-18-0x0000000000400000-0x00000000006C0000-memory.dmp

      Filesize

      2.8MB

    • memory/1520-21-0x0000000000400000-0x00000000006C0000-memory.dmp

      Filesize

      2.8MB

    • memory/3520-9-0x0000000002B90000-0x0000000002BB7000-memory.dmp

      Filesize

      156KB