Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-12-2024 01:03

General

  • Target

    38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe

  • Size

    2.8MB

  • MD5

    eca60170fa4fb7c4ceba3cd1889dc770

  • SHA1

    5e01caec92849f371aba5752b98855186b684fbc

  • SHA256

    38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918

  • SHA512

    1f51fadffdf2b46f845e5439be26811ca878c43d90a8789b02b3b7b81d85148032d7c513c4ea2ee8d317123c5b6b289635b5ac4187e838d6375eb7a0aa69b0bc

  • SSDEEP

    12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 9 IoCs
  • Executes dropped EXE 27 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 4 IoCs

    Clear artifacts associated with previously established persistence, such as scheduled tasks, on a host.

  • Drops file in System32 directory 4 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies data under HKEY_USERS 8 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe
    "C:\Users\Admin\AppData\Local\Temp\38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\dfbln\oapu.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3620
      • \??\c:\windows\fonts\dfbln\oapu.exe
        c:\windows\fonts\dfbln\oapu.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4944
  • \??\c:\windows\fonts\dfbln\oapu.exe
    c:\windows\fonts\dfbln\oapu.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Windows\TEMP\9173944077969848.exe
      C:\Windows\TEMP\9173944077969848.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN yqulb /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN yqulb /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1592
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:384
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3372
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:364
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\TEMP\52f275a6.exe
          "C:\Windows\TEMP\52f275a6.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2376
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4608
        • C:\Windows\TEMP\5139513e.exe
          "C:\Windows\TEMP\5139513e.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1632
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5056
        • C:\Windows\TEMP\5bf3eaa7.exe
          "C:\Windows\TEMP\5bf3eaa7.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4268
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN yqulb /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3788
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN yqulb /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3544
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3452
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4216
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1848
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2992
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\TEMP\5b3ad64e.exe
          "C:\Windows\TEMP\5b3ad64e.exe"
          4⤵
          • Executes dropped EXE
          PID:4512
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3136
        • C:\Windows\TEMP\5a80b1d6.exe
          "C:\Windows\TEMP\5a80b1d6.exe"
          4⤵
          • Executes dropped EXE
          PID:212
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4984
        • C:\Windows\TEMP\553b4b4e.exe
          "C:\Windows\TEMP\553b4b4e.exe"
          4⤵
          • Executes dropped EXE
          PID:2204
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN yqulb /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        PID:2564
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN yqulb /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:992
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3584
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3328
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:760
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3692
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2696
        • C:\Windows\TEMP\590d78f4.exe
          "C:\Windows\TEMP\590d78f4.exe"
          4⤵
          • Executes dropped EXE
          PID:2636
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2352
        • C:\Windows\TEMP\54c8027d.exe
          "C:\Windows\TEMP\54c8027d.exe"
          4⤵
          • Executes dropped EXE
          PID:4124
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2412
        • C:\Windows\TEMP\5e83abe6.exe
          "C:\Windows\TEMP\5e83abe6.exe"
          4⤵
          • Executes dropped EXE
          PID:5052
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /DELETE /TN wmelx /F
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        PID:976
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /TN wmelx /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="lojud" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="dnia" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='lojud'" DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3444
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="lojud" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4308
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="dnia" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:432
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='lojud'" DELETE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1608
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4284
        • C:\Windows\TEMP\5255d99c.exe
          "C:\Windows\TEMP\5255d99c.exe"
          4⤵
          • Executes dropped EXE
          PID:3312
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:220
        • C:\Windows\TEMP\5d006205.exe
          "C:\Windows\TEMP\5d006205.exe"
          4⤵
          • Executes dropped EXE
          PID:3708
      • C:\Windows\TEMP\uin77.exe
        C:\Windows\TEMP\uin77.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:636
        • C:\Windows\TEMP\57cbfc8e.exe
          "C:\Windows\TEMP\57cbfc8e.exe"
          4⤵
          • Executes dropped EXE
          PID:528
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1324
      2⤵
      • Program crash
      PID:1484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3432 -ip 3432
    1⤵
      PID:1368

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\Fonts\dfbln\oapu.exe

      Filesize

      2.9MB

      MD5

      ddf1a8d5ad6f369acc25a91846c3254a

      SHA1

      650743f41337534f0c089a8bac470cd2a04aca65

      SHA256

      48e4af5f1bd47b46ee9782dd7368ef74785845733cf4fb7b295f57887cf46cb8

      SHA512

      741318b93a57fd3a52c55f9845bcc3963304ecd0cd8e9f4433cc9fe5ff63c668a57ad19af64d866981531a7c0a0b2d4a748bc12f344f0c24699e8a5eb0b4aa56

    • C:\Windows\TEMP\590d78f4.exe

      Filesize

      95KB

      MD5

      c92d736ce1a72ad6d4bb5b6e542a2a87

      SHA1

      a53bece2458892d9c301ca76cfded99d48ec10a9

      SHA256

      4171fd76196400f48fe259a4974744547c4e69021463152115c048a1484757af

      SHA512

      91bff24706f88b72ec550da4a09971555a785283b44c5ee1db4d61e8a1a4bda56b1fc50e09589974839d653c311781b64ac0010300109306adc6edff94bf5cd5

    • C:\Windows\Temp\52f275a6.exe

      Filesize

      95KB

      MD5

      22a93a07a6b4c4a54aa443fd825cb9ab

      SHA1

      c952dced642e71f0524628a9109d3afc41583ef6

      SHA256

      af027f4eeef26a6075c6324843cd370bcf0be4ed9b6b0a18e8501a023ec90ad9

      SHA512

      1a767491febcaee619078fc27be44154cd762d5e5204b3efafe8fe6c2404d2d40fa548ddf28438ed6cd17e628e89589a694786d280d8149e6068a7886689bcbe

    • C:\Windows\Temp\9173944077969848.exe

      Filesize

      244KB

      MD5

      de3b294b4edf797dfa8f45b33a0317b4

      SHA1

      d46f49e223655eca9a21249a60de3719fe3795e0

      SHA256

      d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

      SHA512

      1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

    • C:\Windows\Temp\uin77.exe

      Filesize

      173KB

      MD5

      cb322583a02dd3e80881de4b07c04b57

      SHA1

      5a169558bca2d7d97b9317a2d31aeeb2c5280274

      SHA256

      4257c82c06504e9c8f5604450dc87c95f2eb31f9c5def94bfe8ecf63566baea2

      SHA512

      8dfa0082163cf57393a197df5544937977631641393bfb248e5bc84386739dfe9f7855e82a00096120eeb81c91ecd6dfaafc4b11bc0de821cfa83c4e3275eb96

    • C:\Windows\Temp\uin77.exe

      Filesize

      173KB

      MD5

      2f5b8491dc5be59160f5c31b36e15052

      SHA1

      06f258db62158e132b5601abcb8d623490d42bcd

      SHA256

      e9005926511f9f1ff9532950af06d6986968b50fd56d3c481d09505b8780dfc3

      SHA512

      d8ee911e9f574e9727ac1bf8a5ad7fbc6b2efc20d618c8d3d8d0d988fd50e07515c06dddac6856018fdb7a0f67b2a2e1211a6539c7963f7d64f5115e98244fd7

    • memory/2992-0-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/2992-4-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/3012-15-0x0000000000400000-0x000000000048C000-memory.dmp

      Filesize

      560KB

    • memory/3012-33-0x0000000000400000-0x000000000048C000-memory.dmp

      Filesize

      560KB

    • memory/3012-47-0x0000000000400000-0x000000000048C000-memory.dmp

      Filesize

      560KB

    • memory/3012-77-0x0000000000400000-0x000000000048C000-memory.dmp

      Filesize

      560KB

    • memory/3012-109-0x0000000000400000-0x000000000048C000-memory.dmp

      Filesize

      560KB

    • memory/3432-9-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/3432-30-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/3432-112-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB

    • memory/4944-13-0x0000000000400000-0x00000000004E6000-memory.dmp

      Filesize

      920KB