Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
01-07-2024 07:25
General
-
Target
3f6ec96a5e69041ef802694945864797b544c926f8d3d2272af46b7d45e358ed_NeikiAnalytics.exe
-
Size
236KB
-
MD5
e590820e98907480ca4366a6451cb720
-
SHA1
9eb3a4e73355a796ce2e8402758b3c170aa00838
-
SHA256
3f6ec96a5e69041ef802694945864797b544c926f8d3d2272af46b7d45e358ed
-
SHA512
f812cccc232e8da85cf9789f585f6d2379fd45a6dd34f612df27682050aaee0d7fe529dcb2135eefe3d69c84ccd094750d4ece77d120e77da24527f7284cde96
-
SSDEEP
6144:LPKwmBwdEOI+oR6ZmPzCd/gy+AYtCtdWY5PAaePJLlLTmLPCfM:LiwmBgEOI+w6mrCd/gy+1C3Wm
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 4 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f6ec96a5e69041ef802694945864797b544c926f8d3d2272af46b7d45e358ed_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3f6ec96a5e69041ef802694945864797b544c926f8d3d2272af46b7d45e358ed_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\WlYnnFiUdF.exeew4s5t6d152⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\WlYnnFiUdF.exeery74s3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Program Files (x86)\WlYnnFiUdF.exeFilesize
236KB
MD5e590820e98907480ca4366a6451cb720
SHA19eb3a4e73355a796ce2e8402758b3c170aa00838
SHA2563f6ec96a5e69041ef802694945864797b544c926f8d3d2272af46b7d45e358ed
SHA512f812cccc232e8da85cf9789f585f6d2379fd45a6dd34f612df27682050aaee0d7fe529dcb2135eefe3d69c84ccd094750d4ece77d120e77da24527f7284cde96
-
memory/2004-0-0x00000000003D0000-0x00000000003FF000-memory.dmpFilesize
188KB
-
memory/2004-6-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/2004-7-0x00000000003D0000-0x00000000003FF000-memory.dmpFilesize
188KB
-
memory/2576-12-0x00000000002B0000-0x00000000002BB000-memory.dmpFilesize
44KB
-
memory/2576-13-0x00000000002C0000-0x00000000002CB000-memory.dmpFilesize
44KB
-
memory/2576-14-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/2576-67-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/2960-8-0x0000000000310000-0x000000000033F000-memory.dmpFilesize
188KB
-
memory/2960-11-0x0000000000310000-0x000000000033F000-memory.dmpFilesize
188KB