Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
30-06-2024 15:38
General
-
Target
??????.exe
-
Size
13.2MB
-
MD5
4d65014ca7fab35caae9d8ac24815e4b
-
SHA1
55d201d950e1053905f191f437962ea4992dbe86
-
SHA256
7d1e09800698caf357c17ddc003e443143a9748230a04acbcb0d3487a0a622c4
-
SHA512
bb668f2a0b42af7b7602c2a016966dace91144d21f9aee03a685190a172b3310dd580fcdac5bc1d3ec68b95fd52c01ceb2a48f1adbd4c13aebe07c1e1130dc19
-
SSDEEP
393216:gPDPWrjWiaqTjWU5JUkCoAvpyS+Vb3izzn72YZ:YKO8JUN0b+zSYZ
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 8 IoCs
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\______.exe"C:\Users\Admin\AppData\Local\Temp\______.exe"1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\¡ïÎåÑò³ÁĬ¡ï\26693______.exeC:\¡ïÎåÑò³ÁĬ¡ï\26693______.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\42056c46bc4e087c47a0de482530e13e.txtFilesize
16B
MD50f6f301a359dfda81ee72a4f6cabbb30
SHA1a49a51882cb334df7fc80b87a51a241f6b6cf09e
SHA256f9f4d903b7f52a0ec9ade6018f4f2d23d3493c5b2c0b341ce40170e33c1831ee
SHA512b3a7adf414a76448423c7fa428375681cb30ce8cd270d1aa0381e18a74ce4d3c03c3cc7969a542c443adb30b8982f96be3df2062c9de15eb9b37b1de69fa70cb
-
C:\¡ïÎåÑò³ÁĬ¡ï\26693______.exeFilesize
13.2MB
MD54d65014ca7fab35caae9d8ac24815e4b
SHA155d201d950e1053905f191f437962ea4992dbe86
SHA2567d1e09800698caf357c17ddc003e443143a9748230a04acbcb0d3487a0a622c4
SHA512bb668f2a0b42af7b7602c2a016966dace91144d21f9aee03a685190a172b3310dd580fcdac5bc1d3ec68b95fd52c01ceb2a48f1adbd4c13aebe07c1e1130dc19
-
memory/1356-50-0x0000000000400000-0x0000000000926000-memory.dmpFilesize
5.1MB
-
memory/1356-19-0x0000000000400000-0x0000000000926000-memory.dmpFilesize
5.1MB
-
memory/1356-21-0x0000000000400000-0x0000000000926000-memory.dmpFilesize
5.1MB
-
memory/1356-20-0x0000000000400000-0x0000000000926000-memory.dmpFilesize
5.1MB
-
memory/1356-18-0x0000000000400000-0x0000000000926000-memory.dmpFilesize
5.1MB
-
memory/1420-3-0x0000000000400000-0x0000000000926000-memory.dmpFilesize
5.1MB
-
memory/1420-17-0x0000000000400000-0x0000000000926000-memory.dmpFilesize
5.1MB
-
memory/1420-7-0x0000000003C80000-0x0000000003C81000-memory.dmpFilesize
4KB
-
memory/1420-8-0x0000000003B10000-0x0000000003B11000-memory.dmpFilesize
4KB
-
memory/1420-9-0x00000000040E0000-0x00000000040E1000-memory.dmpFilesize
4KB
-
memory/1420-0-0x0000000000400000-0x0000000000926000-memory.dmpFilesize
5.1MB
-
memory/1420-1-0x0000000000400000-0x0000000000926000-memory.dmpFilesize
5.1MB
-
memory/1420-2-0x0000000000400000-0x0000000000926000-memory.dmpFilesize
5.1MB