blackmoon | 69e5ba03fcf8c3400542066d8acb6c5738e31bb7057db124757accee742c9836

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-20220414-en
submitted
10-07-2022 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kura.exe
Size

5.4MB
MD5

267b0895407346eedf5a755a2fcea505
SHA1

06acec975dfec0fa6447c429b1a3d8e5c6748ea2
SHA256

69e5ba03fcf8c3400542066d8acb6c5738e31bb7057db124757accee742c9836
SHA512

1c0ae6b81ffa3baba7bb25d6291177a1e235c40f7970e399f23e9f8361c28eaa6af4398e9f572ea1094e1cfe16ab659e198035e8478d2df6741be776c6f25a0b

Score

10^/10

blackmoon banker persistence themida trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_kura.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe	family_blackmoon
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp	family_blackmoon
\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp	family_blackmoon
\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp	family_blackmoon

Executes dropped EXE 3 IoCs

Processes:

._cache_kura.exeSynaptics.exekura.exe

pid process

304 ._cache_kura.exe
1948 Synaptics.exe
1972 kura.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

._cache_kura.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\Remote.hlp"	._cache_kura.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/520-73-0x0000000000160000-0x000000000016B000-memory.dmp	upx
behavioral1/memory/1092-78-0x0000000000170000-0x000000000017B000-memory.dmp	upx
behavioral1/memory/520-79-0x0000000000160000-0x000000000016B000-memory.dmp	upx
behavioral1/memory/1092-81-0x0000000000170000-0x000000000017B000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

kura.exe._cache_kura.exesvchost.exerundll32.exe

pid process

960 kura.exe
960 kura.exe
960 kura.exe
304 ._cache_kura.exe
520 svchost.exe
1092 rundll32.exe

pid	process
960	kura.exe
960	kura.exe
960	kura.exe
304	._cache_kura.exe
520	svchost.exe
1092	rundll32.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\kura.exe	themida
C:\Users\Admin\AppData\Roaming\kura.exe	themida
behavioral1/memory/1972-80-0x000000013FD80000-0x0000000140684000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kura.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	kura.exe

Drops file in System32 directory 1 IoCs

Processes:

._cache_kura.exe

description ioc process

File created C:\Windows\SysWOW64\Delete00.bat ._cache_kura.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1496 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

844 PING.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\Delete00.bat	._cache_kura.exe

pid	process
1496	sc.exe

pid	process
844	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_kura.exesvchost.exerundll32.exe

pid	process
304	._cache_kura.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
1092	rundll32.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe
520	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

._cache_kura.exesvchost.exerundll32.exe

description pid process

Token: SeDebugPrivilege 304 ._cache_kura.exe
Token: SeDebugPrivilege 520 svchost.exe
Token: SeDebugPrivilege 1092 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	304	._cache_kura.exe
Token: SeDebugPrivilege	520	svchost.exe
Token: SeDebugPrivilege	1092	rundll32.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

kura.exe._cache_kura.execmd.exesvchost.exe

description	pid	process	target process
PID 960 wrote to memory of 304	960	kura.exe	._cache_kura.exe
PID 960 wrote to memory of 304	960	kura.exe	._cache_kura.exe
PID 960 wrote to memory of 304	960	kura.exe	._cache_kura.exe
PID 960 wrote to memory of 304	960	kura.exe	._cache_kura.exe
PID 960 wrote to memory of 1948	960	kura.exe	Synaptics.exe
PID 960 wrote to memory of 1948	960	kura.exe	Synaptics.exe
PID 960 wrote to memory of 1948	960	kura.exe	Synaptics.exe
PID 960 wrote to memory of 1948	960	kura.exe	Synaptics.exe
PID 304 wrote to memory of 1972	304	._cache_kura.exe	kura.exe
PID 304 wrote to memory of 1972	304	._cache_kura.exe	kura.exe
PID 304 wrote to memory of 1972	304	._cache_kura.exe	kura.exe
PID 304 wrote to memory of 1972	304	._cache_kura.exe	kura.exe
PID 304 wrote to memory of 1496	304	._cache_kura.exe	sc.exe
PID 304 wrote to memory of 1496	304	._cache_kura.exe	sc.exe
PID 304 wrote to memory of 1496	304	._cache_kura.exe	sc.exe
PID 304 wrote to memory of 1496	304	._cache_kura.exe	sc.exe
PID 304 wrote to memory of 1536	304	._cache_kura.exe	cmd.exe
PID 304 wrote to memory of 1536	304	._cache_kura.exe	cmd.exe
PID 304 wrote to memory of 1536	304	._cache_kura.exe	cmd.exe
PID 304 wrote to memory of 1536	304	._cache_kura.exe	cmd.exe
PID 1536 wrote to memory of 844	1536	cmd.exe	PING.EXE
PID 1536 wrote to memory of 844	1536	cmd.exe	PING.EXE
PID 1536 wrote to memory of 844	1536	cmd.exe	PING.EXE
PID 1536 wrote to memory of 844	1536	cmd.exe	PING.EXE
PID 520 wrote to memory of 1092	520	svchost.exe	rundll32.exe
PID 520 wrote to memory of 1092	520	svchost.exe	rundll32.exe
PID 520 wrote to memory of 1092	520	svchost.exe	rundll32.exe
PID 520 wrote to memory of 1092	520	svchost.exe	rundll32.exe
PID 520 wrote to memory of 1092	520	svchost.exe	rundll32.exe
PID 520 wrote to memory of 1092	520	svchost.exe	rundll32.exe
PID 520 wrote to memory of 1092	520	svchost.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\kura.exe
"C:\Users\Admin\AppData\Local\Temp\kura.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe"
2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Users\Admin\AppData\Roaming\kura.exe
"C:\Users\Admin\AppData\Roaming\kura.exe"
3⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWOW64\sc.exe
sc failure Remote reset= 86400 actions= restart/1000
3⤵
- Launches sc.exe
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\System32\\Delete00.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:844

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
PID:1948

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp,init default |520
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
754KB

MD5
f9eb220b1ce902c3c8a7d13192132801

SHA1
f40ae4e3ceb6b424300831b09344b28d56f8725f

SHA256
5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676

SHA512
e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe
Filesize
4.6MB

MD5
1ab275b9d8f04e2475adf271aed2d083

SHA1
8138da003a24d92bad64fc631f1b5b12068f8c3a

SHA256
513c825c66ad8d21ed1a9cf4bf79ba356219b534b4ac0b4f411ccff31343ec51

SHA512
49089c2dfc0af39f7fe5b23178146f1dec38b9c3ef36914485b159d03e737c8b4f6b67401205bd2bb931d9bf37f5987e76bf118dc15d2c956d6e2e9397382d74

Download Submit
C:\Users\Admin\AppData\Roaming\kura.exe
Filesize
3.3MB

MD5
208a92b2100ef3dc268b709e7a9aa3e2

SHA1
2825a5777445dd584289fe35e41c836f8743dbcb

SHA256
5e8394b44ba1373b36214d09b16a43ada6d001e55509de72c1f85928481422b0

SHA512
fa64f5ab44d63ee3963dfbc4c49f089fb9395c55a4847096c7791935876bfdb91af6653dc27db6a012cfba02ef97b7e5ac278a5145f1ad3b80fa735f1d86699a

Download Submit
C:\Windows\SysWOW64\Delete00.bat
Filesize
113B

MD5
0451282afa533054b497d0b6c4a93f5b

SHA1
b57a3c4e6655ca44d884860af0cf05386b1a72ef

SHA256
4825b3349123c01edc3e6b278f7360a845264fd192fb1613a55cb8f8881c8731

SHA512
d4e02414bc05b17399b7c8bf8eb5ab620dbe5a8c4f6a407517bec72b0523b97d70ab665a555d845b2c1eb92eb11e3dc7fbcb092009065770dc90cb0f8e3f9379

Download Submit
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp
Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp
Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp
Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
\ProgramData\Synaptics\Synaptics.exe
Filesize
754KB

MD5
f9eb220b1ce902c3c8a7d13192132801

SHA1
f40ae4e3ceb6b424300831b09344b28d56f8725f

SHA256
5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676

SHA512
e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6

Download Submit
\ProgramData\Synaptics\Synaptics.exe
Filesize
754KB

MD5
f9eb220b1ce902c3c8a7d13192132801

SHA1
f40ae4e3ceb6b424300831b09344b28d56f8725f

SHA256
5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676

SHA512
e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_kura.exe
Filesize
4.6MB

MD5
1ab275b9d8f04e2475adf271aed2d083

SHA1
8138da003a24d92bad64fc631f1b5b12068f8c3a

SHA256
513c825c66ad8d21ed1a9cf4bf79ba356219b534b4ac0b4f411ccff31343ec51

SHA512
49089c2dfc0af39f7fe5b23178146f1dec38b9c3ef36914485b159d03e737c8b4f6b67401205bd2bb931d9bf37f5987e76bf118dc15d2c956d6e2e9397382d74

Download Submit
\Users\Admin\AppData\Roaming\kura.exe
Filesize
3.3MB

MD5
208a92b2100ef3dc268b709e7a9aa3e2

SHA1
2825a5777445dd584289fe35e41c836f8743dbcb

SHA256
5e8394b44ba1373b36214d09b16a43ada6d001e55509de72c1f85928481422b0

SHA512
fa64f5ab44d63ee3963dfbc4c49f089fb9395c55a4847096c7791935876bfdb91af6653dc27db6a012cfba02ef97b7e5ac278a5145f1ad3b80fa735f1d86699a

Download Submit
memory/304-56-0x0000000000000000-mapping.dmp

Download
memory/520-79-0x0000000000160000-0x000000000016B000-memory.dmp

Filesize
44KB

Download
memory/520-73-0x0000000000160000-0x000000000016B000-memory.dmp

Filesize
44KB

Download
memory/844-74-0x0000000000000000-mapping.dmp

Download
memory/960-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1092-75-0x0000000000000000-mapping.dmp

Download
memory/1092-78-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/1092-81-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/1496-67-0x0000000000000000-mapping.dmp

Download
memory/1536-71-0x0000000000000000-mapping.dmp

Download
memory/1948-61-0x0000000000000000-mapping.dmp

Download
memory/1972-65-0x0000000000000000-mapping.dmp

Download
memory/1972-80-0x000000013FD80000-0x0000000140684000-memory.dmp

Filesize
9.0MB

Download