Overview

overview

10

Static

static

10

2a86de51dd...8c.exe

windows7-x64

10

2a86de51dd...8c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    73s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2024 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe

  • Size

    1.9MB

  • MD5

    ec875cd387239311582c3e0ddcdedddc

  • SHA1

    ab905bdb6ba1543860e5bdad4359f44b469d3c6d

  • SHA256

    2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c

  • SHA512

    ebfcdff666c891fe6ae8b82b00ac58c3809643cde057896536c9c62b97e42a2833220e6c9dbf60e54aba11f37b4c374b2f2264b8dbd550983b4f12503411c4b2

  • SSDEEP

    12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y4:fNKl6b8JYgyP8WTGIuhZvPqw

Score
10/10
blackmoonbankerdefense_evasiondiscoverytrojanupx

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 8 IoCs
  • Executes dropped EXE 27 IoCs
  • Loads dropped DLL 30 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 4 IoCs

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

    defense_evasion
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies data under HKEY_USERS 24 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe
    "C:\Users\Admin\AppData\Local\Temp\2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\usgcpao\faduco.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2204
      • \??\c:\windows\fonts\usgcpao\faduco.exe
        c:\windows\fonts\usgcpao\faduco.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1684
  • \??\c:\windows\fonts\usgcpao\faduco.exe
    c:\windows\fonts\usgcpao\faduco.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\TEMP\3037548166044671.exe
      C:\Windows\TEMP\3037548166044671.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN uijdc /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN uijdc /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2748
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3020
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2988
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1656
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2644
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Windows\TEMP\d4fc2de4.exe
          "C:\Windows\TEMP\d4fc2de4.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2832
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Windows\TEMP\d332088c.exe
          "C:\Windows\TEMP\d332088c.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1236
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Windows\TEMP\defda2f5.exe
          "C:\Windows\TEMP\defda2f5.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2920
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN uijdc /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        PID:2904
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN uijdc /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1184
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1872
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1212
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1076
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2712
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2892
        • C:\Windows\TEMP\dd338e8c.exe
          "C:\Windows\TEMP\dd338e8c.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2932
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1908
        • C:\Windows\TEMP\d7fe1705.exe
          "C:\Windows\TEMP\d7fe1705.exe"
          4⤵
          • Executes dropped EXE
          PID:2480
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:920
        • C:\Windows\TEMP\d1a9a17e.exe
          "C:\Windows\TEMP\d1a9a17e.exe"
          4⤵
          • Executes dropped EXE
          PID:2436
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN uijdc /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        PID:1960
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN uijdc /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1464
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1152
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:612
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1488
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:236
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1720
        • C:\Windows\TEMP\d68bde24.exe
          "C:\Windows\TEMP\d68bde24.exe"
          4⤵
          • Executes dropped EXE
          PID:908
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3032
        • C:\Windows\TEMP\d03678ad.exe
          "C:\Windows\TEMP\d03678ad.exe"
          4⤵
          • Executes dropped EXE
          PID:2532
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2548
        • C:\Windows\TEMP\dbf10115.exe
          "C:\Windows\TEMP\dbf10115.exe"
          4⤵
          • Executes dropped EXE
          PID:884
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN hswcb /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        PID:1532
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN hswcb /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:696
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="jlghwq" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="nwxqy" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='jlghwq'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1636
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="jlghwq" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2312
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="nwxqy" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2020
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='jlghwq'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2900
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2176
        • C:\Windows\TEMP\da37edad.exe
          "C:\Windows\TEMP\da37edad.exe"
          4⤵
          • Executes dropped EXE
          PID:1684
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2668
        • C:\Windows\TEMP\d4f27626.exe
          "C:\Windows\TEMP\d4f27626.exe"
          4⤵
          • Executes dropped EXE
          PID:2844
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2628
        • C:\Windows\TEMP\dfad00af.exe
          "C:\Windows\TEMP\dfad00af.exe"
          4⤵
          • Executes dropped EXE
          PID:2260
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 652
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:1884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Temp\3037548166044671.exe
    Filesize

    244KB

    MD5

    de3b294b4edf797dfa8f45b33a0317b4

    SHA1

    d46f49e223655eca9a21249a60de3719fe3795e0

    SHA256

    d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

    SHA512

    1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

    Download Submit

  • C:\Windows\Temp\d4fc2de4.exe
    Filesize

    95KB

    MD5

    9c74e2f24cddadc6ce4dd14c76eee796

    SHA1

    0bd9fc3fbf74bc244aa05b04980c12eef96bba9a

    SHA256

    a334a9a06ab2dbb47c2914f2fd301f02de3af23b4c68329207f2faa9dfe19891

    SHA512

    3342899c5af0cb73aa97210e8fedd4b6dfa0a5b21aa4a2ba55c2b967f76a26849127aa64995a54584baa7fde3dbe58aabdeab537217b0c8fa949486d1d86fbc1

    Download Submit

  • C:\Windows\Temp\uin77.exe
    Filesize

    173KB

    MD5

    c90b284158d97b9b0671a7ba4c0cbcc3

    SHA1

    5b7b4dda02fd8a28c507c23b0255cdc212610a58

    SHA256

    3994e287e4b5aab4e9890531db99b6f857842d77355dcc42dad7eac281511d1e

    SHA512

    8720ae53da7d7b0da9ad0833d8fa8ded623b7f23f6068f70d4abe4e99968e368474c0414fb2fda54249aa6c966ffa61d936764f87f393d317b329b1518f1829d

    Download Submit

  • C:\Windows\Temp\uin77.exe
    Filesize

    173KB

    MD5

    583eb8d1e8b30ce33e8159aff74a603c

    SHA1

    c88c5dd58575a544163b48c0d1f656688fddb1b6

    SHA256

    f4d95300c4d677ce441e895f077f541471fcd8f72ff6675860b780e9cea606b4

    SHA512

    a9e6418fb3948f54bd8a28de30e164e6027af2642081631ef14fc520fa8200d1f808d2d09994bf79e83a6b0cb361807d333babe3252a05fc245813b3422c30de

    Download Submit

  • \Windows\Fonts\usgcpao\faduco.exe
    Filesize

    2.0MB

    MD5

    ba6e0ec746059f5ef5d4f1dac778a8e5

    SHA1

    81fed540e5be979437b0160e17b451d6a0fa0433

    SHA256

    20f28b755fe616471c58de5ad2e7e5cc8526d99899279093e56be685d6743980

    SHA512

    b3fa7bf53b90cd729e34adeb4aa68b746b12db1cff1d09c910e11e98b1cdc3d8bee9d096b75f8509ca1a4075068e6684c0422b77079ee044a9baa6c15111e72f

    Download Submit

  • \Windows\Temp\d68bde24.exe
    Filesize

    95KB

    MD5

    f63a92d67978914cfb8d0bc7f77e2508

    SHA1

    8a0526e2bf317fd485c1de4f933ee2074114ca80

    SHA256

    3ce560323af98a9c57dc342dea47e54355aec1daf718df72ecfce4716fed7626

    SHA512

    cd9c148f48f805019a8a32237c0e030e05a3849c8ce17e19f1a8825462eb9c25c1aaab3d58a80f57c6da256dd7776b9cce374541de2f46195c45b6d911443c3a

    Download Submit

  • memory/812-21-0x00000000012B0000-0x000000000133C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/812-15-0x00000000012B0000-0x000000000133C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/812-41-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

    Download

  • memory/812-160-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

    Download

  • memory/1684-12-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

    Download

  • memory/1724-0-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

    Download

  • memory/1724-5-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

    Download

  • memory/2764-44-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2764-66-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2764-108-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2764-153-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download