Overview

overview

10

Static

static

10

9674a426da...0a.exe

windows7-x64

10

9674a426da...0a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2024 09:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9674a426da58821b1a356f1927feb7fca51f1a41b0059a8bf970c0ef470b840a.exe

  • Size

    3.4MB

  • MD5

    33d06725feb361eebf2642a397c6496b

  • SHA1

    1a7ecbfcf2cb6656efe907e4c51c3def95dc0305

  • SHA256

    9674a426da58821b1a356f1927feb7fca51f1a41b0059a8bf970c0ef470b840a

  • SHA512

    ff386511e59a2337020b4667793b556f768d81b8be62ed015f7fa7ae72d25c21cd94a168f2ca8cbbb0bf53046e84832d9c88a80f5bda12300dc48058c04a934b

  • SSDEEP

    49152:ltI2W5b62TNfiQuHoXUF+cZp3iWcvct3get:TWV62zVUF+cZp3iWcvcnt

Score
10/10
blackmoonbankerdiscoverytrojanupx

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 11 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9674a426da58821b1a356f1927feb7fca51f1a41b0059a8bf970c0ef470b840a.exe
    "C:\Users\Admin\AppData\Local\Temp\9674a426da58821b1a356f1927feb7fca51f1a41b0059a8bf970c0ef470b840a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://qm.qq.com/q/h0VH5a8146
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf0a846f8,0x7ffdf0a84708,0x7ffdf0a84718
        3⤵
          PID:5096
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,1845386593274016598,4943200431680792240,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
          3⤵
            PID:1104
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,1845386593274016598,4943200431680792240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2640
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,1845386593274016598,4943200431680792240,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
            3⤵
              PID:2240
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1845386593274016598,4943200431680792240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
              3⤵
                PID:2180
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1845386593274016598,4943200431680792240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                3⤵
                  PID:4752
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1845386593274016598,4943200431680792240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
                  3⤵
                    PID:4100
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,1845386593274016598,4943200431680792240,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1576
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:1872
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:4044

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                    Filesize

                    152B

                    MD5

                    d22073dea53e79d9b824f27ac5e9813e

                    SHA1

                    6d8a7281241248431a1571e6ddc55798b01fa961

                    SHA256

                    86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

                    SHA512

                    97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                    Filesize

                    152B

                    MD5

                    bffcefacce25cd03f3d5c9446ddb903d

                    SHA1

                    8923f84aa86db316d2f5c122fe3874bbe26f3bab

                    SHA256

                    23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

                    SHA512

                    761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                    Filesize

                    5KB

                    MD5

                    f134d2a390e480ddf24c3b555d271df7

                    SHA1

                    e8d4ebca6b6adc34f45922f8b4992e495dbcf180

                    SHA256

                    c89e854dca828b412bb7d1b19ef8a8db7d544ac0ca90e6626e8a67894bd6c2d2

                    SHA512

                    b97ded4d0b65f8e8ccc4b3ba300ad4897021e496447594dc33f55f39b08768b466c203132e0378ba2b81bed5e0cc6df8f7afebd721821eb5b53d7282740e01be

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                    Filesize

                    6KB

                    MD5

                    9f165f1e94e36eee17f0551a0d352b70

                    SHA1

                    9cf9c56ec84faeedebe50636f60cf770dc30e859

                    SHA256

                    ff4e65ea32f81f1e417b9a9ebf42506cbd934f64afadd07d74c4514071b63be2

                    SHA512

                    1644fcb7bd600bf1c9864914630a58122945c5eda9277fc6e9214e930ae4b603690fe2c16e7863e55848f47d33e8e9b0cdcc24d679643b87f38d7a18b1a15928

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                    Filesize

                    10KB

                    MD5

                    b8bf8fe7c178508c6164732d3028054c

                    SHA1

                    1cbd588a0db7d620a549d143a745770a2ac367f2

                    SHA256

                    2de47ab4a6bc04e2f8fe55f0a1b7e5ac86c68f9cd752d8a3ef76987d498c74b3

                    SHA512

                    0c52d1d7d1ac504b27d7d116dcf7565e0dd1665f75c0ba395827504f54084dded6bf7a51a09c8987cb12817ad8d9d9dde63c8322941c2fcd86dcd4ee37006dd6

                    Download Submit

                  • memory/3932-3-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-16-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-49-0x0000000000400000-0x0000000000787000-memory.dmp

                    Filesize

                    3.5MB

                    Download

                  • memory/3932-48-0x0000000000400000-0x0000000000787000-memory.dmp

                    Filesize

                    3.5MB

                    Download

                  • memory/3932-47-0x0000000000400000-0x0000000000787000-memory.dmp

                    Filesize

                    3.5MB

                    Download

                  • memory/3932-46-0x0000000000400000-0x0000000000787000-memory.dmp

                    Filesize

                    3.5MB

                    Download

                  • memory/3932-45-0x0000000000400000-0x0000000000787000-memory.dmp

                    Filesize

                    3.5MB

                    Download

                  • memory/3932-28-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-26-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-24-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-22-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-18-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-14-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-12-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-0-0x000000000055E000-0x000000000055F000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3932-42-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-36-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-30-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-10-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-8-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-6-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-4-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-2-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-1-0x0000000000400000-0x0000000000787000-memory.dmp

                    Filesize

                    3.5MB

                    Download

                  • memory/3932-50-0x0000000000400000-0x0000000000787000-memory.dmp

                    Filesize

                    3.5MB

                    Download

                  • memory/3932-51-0x0000000000400000-0x0000000000787000-memory.dmp

                    Filesize

                    3.5MB

                    Download

                  • memory/3932-52-0x0000000000400000-0x0000000000787000-memory.dmp

                    Filesize

                    3.5MB

                    Download

                  • memory/3932-53-0x0000000000400000-0x0000000000787000-memory.dmp

                    Filesize

                    3.5MB

                    Download

                  • memory/3932-38-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-40-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-44-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-32-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-78-0x0000000000400000-0x0000000000787000-memory.dmp

                    Filesize

                    3.5MB

                    Download

                  • memory/3932-20-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/3932-34-0x0000000010000000-0x000000001003E000-memory.dmp

                    Filesize

                    248KB

                    Download