blackmoon | 69e5ba03fcf8c3400542066d8acb6c5738e31bb7057db124757accee742c9836

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
10-07-2022 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kura.exe
Size

5.4MB
MD5

267b0895407346eedf5a755a2fcea505
SHA1

06acec975dfec0fa6447c429b1a3d8e5c6748ea2
SHA256

69e5ba03fcf8c3400542066d8acb6c5738e31bb7057db124757accee742c9836
SHA512

1c0ae6b81ffa3baba7bb25d6291177a1e235c40f7970e399f23e9f8361c28eaa6af4398e9f572ea1094e1cfe16ab659e198035e8478d2df6741be776c6f25a0b

Score

10^/10

blackmoon banker evasion persistence themida trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe	family_blackmoon
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp	family_blackmoon
C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp	family_blackmoon
C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp	family_blackmoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

kura.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ kura.exe
Executes dropped EXE 3 IoCs

Processes:

._cache_kura.exeSynaptics.exekura.exe

pid process

2748 ._cache_kura.exe
3412 Synaptics.exe
3192 kura.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	kura.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

._cache_kura.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\Remote.hlp"	._cache_kura.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3356-149-0x0000000001650000-0x000000000165B000-memory.dmp	upx
behavioral2/memory/3356-152-0x0000000001650000-0x000000000165B000-memory.dmp	upx
behavioral2/memory/1768-154-0x0000000000640000-0x000000000064B000-memory.dmp	upx
behavioral2/memory/1768-155-0x0000000000640000-0x000000000064B000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kura.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kura.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kura.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kura.exe._cache_kura.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	kura.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	._cache_kura.exe

Loads dropped DLL 2 IoCs

Processes:

svchost.exerundll32.exe

pid process

3356 svchost.exe
1768 rundll32.exe

pid	process
3356	svchost.exe
1768	rundll32.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\kura.exe	themida
C:\Users\Admin\AppData\Roaming\kura.exe	themida
behavioral2/memory/3192-142-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp	themida
behavioral2/memory/3192-144-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp	themida
behavioral2/memory/3192-145-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp	themida
behavioral2/memory/3192-156-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp	themida
behavioral2/memory/3192-158-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kura.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	kura.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

kura.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA kura.exe
Drops file in System32 directory 1 IoCs

Processes:

._cache_kura.exe

description ioc process

File created C:\Windows\SysWOW64\Delete00.bat ._cache_kura.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

kura.exe

pid process

3192 kura.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2356 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

kura.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ kura.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2624 PING.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kura.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Delete00.bat	._cache_kura.exe

pid	process
3192	kura.exe

pid	process
2356	sc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	kura.exe

pid	process
2624	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_kura.exesvchost.exerundll32.exe

pid	process
2748	._cache_kura.exe
2748	._cache_kura.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
1768	rundll32.exe
1768	rundll32.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

._cache_kura.exesvchost.exerundll32.exe

description pid process

Token: SeDebugPrivilege 2748 ._cache_kura.exe
Token: SeDebugPrivilege 3356 svchost.exe
Token: SeDebugPrivilege 1768 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2748	._cache_kura.exe
Token: SeDebugPrivilege	3356	svchost.exe
Token: SeDebugPrivilege	1768	rundll32.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

kura.exe._cache_kura.execmd.exesvchost.exekura.exe

description	pid	process	target process
PID 2596 wrote to memory of 2748	2596	kura.exe	._cache_kura.exe
PID 2596 wrote to memory of 2748	2596	kura.exe	._cache_kura.exe
PID 2596 wrote to memory of 2748	2596	kura.exe	._cache_kura.exe
PID 2596 wrote to memory of 3412	2596	kura.exe	Synaptics.exe
PID 2596 wrote to memory of 3412	2596	kura.exe	Synaptics.exe
PID 2596 wrote to memory of 3412	2596	kura.exe	Synaptics.exe
PID 2748 wrote to memory of 3192	2748	._cache_kura.exe	kura.exe
PID 2748 wrote to memory of 3192	2748	._cache_kura.exe	kura.exe
PID 2748 wrote to memory of 2356	2748	._cache_kura.exe	sc.exe
PID 2748 wrote to memory of 2356	2748	._cache_kura.exe	sc.exe
PID 2748 wrote to memory of 2356	2748	._cache_kura.exe	sc.exe
PID 2748 wrote to memory of 1624	2748	._cache_kura.exe	cmd.exe
PID 2748 wrote to memory of 1624	2748	._cache_kura.exe	cmd.exe
PID 2748 wrote to memory of 1624	2748	._cache_kura.exe	cmd.exe
PID 1624 wrote to memory of 2624	1624	cmd.exe	PING.EXE
PID 1624 wrote to memory of 2624	1624	cmd.exe	PING.EXE
PID 1624 wrote to memory of 2624	1624	cmd.exe	PING.EXE
PID 3356 wrote to memory of 788	3356	svchost.exe	rundll32.exe
PID 3356 wrote to memory of 788	3356	svchost.exe	rundll32.exe
PID 3356 wrote to memory of 788	3356	svchost.exe	rundll32.exe
PID 3356 wrote to memory of 1768	3356	svchost.exe	rundll32.exe
PID 3356 wrote to memory of 1768	3356	svchost.exe	rundll32.exe
PID 3356 wrote to memory of 1768	3356	svchost.exe	rundll32.exe
PID 3192 wrote to memory of 2012	3192	kura.exe	cmd.exe
PID 3192 wrote to memory of 2012	3192	kura.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\kura.exe
"C:\Users\Admin\AppData\Local\Temp\kura.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe"
2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Roaming\kura.exe
"C:\Users\Admin\AppData\Roaming\kura.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2012

C:\Windows\SysWOW64\sc.exe
sc failure Remote reset= 86400 actions= restart/1000
3⤵
- Launches sc.exe
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\\Delete00.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:2624

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp,init default |3356
2⤵
PID:788

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp,init default |3356
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp
Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp
Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
754KB

MD5
f9eb220b1ce902c3c8a7d13192132801

SHA1
f40ae4e3ceb6b424300831b09344b28d56f8725f

SHA256
5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676

SHA512
e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
754KB

MD5
f9eb220b1ce902c3c8a7d13192132801

SHA1
f40ae4e3ceb6b424300831b09344b28d56f8725f

SHA256
5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676

SHA512
e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe
Filesize
4.6MB

MD5
1ab275b9d8f04e2475adf271aed2d083

SHA1
8138da003a24d92bad64fc631f1b5b12068f8c3a

SHA256
513c825c66ad8d21ed1a9cf4bf79ba356219b534b4ac0b4f411ccff31343ec51

SHA512
49089c2dfc0af39f7fe5b23178146f1dec38b9c3ef36914485b159d03e737c8b4f6b67401205bd2bb931d9bf37f5987e76bf118dc15d2c956d6e2e9397382d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe
Filesize
4.6MB

MD5
1ab275b9d8f04e2475adf271aed2d083

SHA1
8138da003a24d92bad64fc631f1b5b12068f8c3a

SHA256
513c825c66ad8d21ed1a9cf4bf79ba356219b534b4ac0b4f411ccff31343ec51

SHA512
49089c2dfc0af39f7fe5b23178146f1dec38b9c3ef36914485b159d03e737c8b4f6b67401205bd2bb931d9bf37f5987e76bf118dc15d2c956d6e2e9397382d74

Download Submit
C:\Users\Admin\AppData\Roaming\kura.exe
Filesize
3.3MB

MD5
208a92b2100ef3dc268b709e7a9aa3e2

SHA1
2825a5777445dd584289fe35e41c836f8743dbcb

SHA256
5e8394b44ba1373b36214d09b16a43ada6d001e55509de72c1f85928481422b0

SHA512
fa64f5ab44d63ee3963dfbc4c49f089fb9395c55a4847096c7791935876bfdb91af6653dc27db6a012cfba02ef97b7e5ac278a5145f1ad3b80fa735f1d86699a

Download Submit
C:\Users\Admin\AppData\Roaming\kura.exe
Filesize
3.3MB

MD5
208a92b2100ef3dc268b709e7a9aa3e2

SHA1
2825a5777445dd584289fe35e41c836f8743dbcb

SHA256
5e8394b44ba1373b36214d09b16a43ada6d001e55509de72c1f85928481422b0

SHA512
fa64f5ab44d63ee3963dfbc4c49f089fb9395c55a4847096c7791935876bfdb91af6653dc27db6a012cfba02ef97b7e5ac278a5145f1ad3b80fa735f1d86699a

Download Submit
C:\Windows\SysWOW64\Delete00.bat
Filesize
113B

MD5
0451282afa533054b497d0b6c4a93f5b

SHA1
b57a3c4e6655ca44d884860af0cf05386b1a72ef

SHA256
4825b3349123c01edc3e6b278f7360a845264fd192fb1613a55cb8f8881c8731

SHA512
d4e02414bc05b17399b7c8bf8eb5ab620dbe5a8c4f6a407517bec72b0523b97d70ab665a555d845b2c1eb92eb11e3dc7fbcb092009065770dc90cb0f8e3f9379

Download Submit
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp
Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
memory/788-150-0x0000000000000000-mapping.dmp

Download
memory/1624-141-0x0000000000000000-mapping.dmp

Download
memory/1768-154-0x0000000000640000-0x000000000064B000-memory.dmp

Filesize
44KB

Download
memory/1768-155-0x0000000000640000-0x000000000064B000-memory.dmp

Filesize
44KB

Download
memory/1768-151-0x0000000000000000-mapping.dmp

Download
memory/2012-157-0x0000000000000000-mapping.dmp

Download
memory/2356-138-0x0000000000000000-mapping.dmp

Download
memory/2624-148-0x0000000000000000-mapping.dmp

Download
memory/2748-130-0x0000000000000000-mapping.dmp

Download
memory/3192-142-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp

Filesize
9.0MB

Download
memory/3192-144-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp

Filesize
9.0MB

Download
memory/3192-143-0x00007FF809FD0000-0x00007FF80A1C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-145-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp

Filesize
9.0MB

Download
memory/3192-136-0x0000000000000000-mapping.dmp

Download
memory/3192-156-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp

Filesize
9.0MB

Download
memory/3192-158-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp

Filesize
9.0MB

Download
memory/3192-159-0x00007FF809FD0000-0x00007FF80A1C5000-memory.dmp

Filesize
2.0MB

Download
memory/3356-152-0x0000000001650000-0x000000000165B000-memory.dmp

Filesize
44KB

Download
memory/3356-149-0x0000000001650000-0x000000000165B000-memory.dmp

Filesize
44KB

Download
memory/3412-133-0x0000000000000000-mapping.dmp

Download