blackmoon | ae8369a28b53ba7e283436a65c211ef032af555515fb961e6cb0c56c635d1834

Analysis

max time kernel
132s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
submitted
22-07-2022 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tfccltd.exe
Size

292KB
MD5

a1bfff3769a3962c5075e041c1c937b3
SHA1

2936ad4944f553277842155b0de2aa5f43d741fb
SHA256

ae8369a28b53ba7e283436a65c211ef032af555515fb961e6cb0c56c635d1834
SHA512

31eb0d602e1621b40cbc27acc85ac96eae2ab5d11d074fd13df2e08501c55bce328e75acb53ac666d4135246e018e85ac90e2a8b3099deb0d148c9e88186b7c5

Score

10^/10

blackmoon banker discovery persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\test.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\test.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\test.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\test.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\test.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\test.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\test.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\test.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\test.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\test.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\test.exe	family_blackmoon

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 10 IoCs

Processes:

test.exetest.exetest.exetest.exetest.exetest.exetest.exetest.exetest.exetest.exe

pid process

3464 test.exe
4912 test.exe
3912 test.exe
3852 test.exe
4092 test.exe
4972 test.exe
3860 test.exe
448 test.exe
3044 test.exe
4076 test.exe

pid	process
3464	test.exe
4912	test.exe
3912	test.exe
3852	test.exe
4092	test.exe
4972	test.exe
3860	test.exe
448	test.exe
3044	test.exe
4076	test.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tfccltd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\CurrentVersion\Run	tfccltd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bootcontfccltd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tfccltd.exe"	tfccltd.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

44452 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 44452 taskkill.exe

pid	process
44452	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	44452	taskkill.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

tfccltd.exetest.exetest.exetest.exetest.exetest.exe

description	pid	process	target process
PID 2708 wrote to memory of 3464	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 4912	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 3464	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 4912	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 3464	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 4912	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 3852	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 3852	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 3852	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 3912	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 3912	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 3912	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 4092	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 4092	2708	tfccltd.exe	test.exe
PID 2708 wrote to memory of 4092	2708	tfccltd.exe	test.exe
PID 4092 wrote to memory of 3860	4092	test.exe	test.exe
PID 4092 wrote to memory of 3860	4092	test.exe	test.exe
PID 4092 wrote to memory of 3860	4092	test.exe	test.exe
PID 3912 wrote to memory of 4972	3912	test.exe	test.exe
PID 3912 wrote to memory of 4972	3912	test.exe	test.exe
PID 3912 wrote to memory of 4972	3912	test.exe	test.exe
PID 4912 wrote to memory of 448	4912	test.exe	test.exe
PID 4912 wrote to memory of 448	4912	test.exe	test.exe
PID 4912 wrote to memory of 448	4912	test.exe	test.exe
PID 3464 wrote to memory of 3044	3464	test.exe	test.exe
PID 3464 wrote to memory of 3044	3464	test.exe	test.exe
PID 3464 wrote to memory of 3044	3464	test.exe	test.exe
PID 3852 wrote to memory of 4076	3852	test.exe	test.exe
PID 3852 wrote to memory of 4076	3852	test.exe	test.exe
PID 3852 wrote to memory of 4076	3852	test.exe	test.exe
PID 2708 wrote to memory of 44452	2708	tfccltd.exe	taskkill.exe
PID 2708 wrote to memory of 44452	2708	tfccltd.exe	taskkill.exe
PID 2708 wrote to memory of 44452	2708	tfccltd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\tfccltd.exe
"C:\Users\Admin\AppData\Local\Temp\tfccltd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp/test.exe 2048&&106.126.11.167:80&&Mozilla/5.0¿Õ¸ñ(compatible;¿Õ¸ñBaiduspider-render/2.0;¿Õ¸ñ+http://www.baidu.com/search/spider.html)&&9999999&&¼Ù&&¼Ù&&¿Õ&&¿Õ
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    C:\Users\Admin\AppData\Local\Temp\test.exe "1024&&106.126.11.167:80&&Mozilla/5.0????(compatible;????Baiduspider-render/2.0;????+http://www.baidu.com/search/spider.html)&&9999999&&?¨´&&?¨´&&??&&??"
    3⤵
    - Executes dropped EXE
    PID:3860
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp/test.exe 2048&&106.126.11.167:80&&Mozilla/5.0¿Õ¸ñ(compatible;¿Õ¸ñBaiduspider-render/2.0;¿Õ¸ñ+http://www.baidu.com/search/spider.html)&&9999999&&¼Ù&&¼Ù&&¿Õ&&¿Õ
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    C:\Users\Admin\AppData\Local\Temp\test.exe "1024&&106.126.11.167:80&&Mozilla/5.0????(compatible;????Baiduspider-render/2.0;????+http://www.baidu.com/search/spider.html)&&9999999&&?¨´&&?¨´&&??&&??"
    3⤵
    - Executes dropped EXE
    PID:4076
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp/test.exe 2048&&106.126.11.167:80&&Mozilla/5.0¿Õ¸ñ(compatible;¿Õ¸ñBaiduspider-render/2.0;¿Õ¸ñ+http://www.baidu.com/search/spider.html)&&9999999&&¼Ù&&¼Ù&&¿Õ&&¿Õ
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    C:\Users\Admin\AppData\Local\Temp\test.exe "1024&&106.126.11.167:80&&Mozilla/5.0????(compatible;????Baiduspider-render/2.0;????+http://www.baidu.com/search/spider.html)&&9999999&&?¨´&&?¨´&&??&&??"
    3⤵
    - Executes dropped EXE
    PID:4972
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp/test.exe 2048&&106.126.11.167:80&&Mozilla/5.0¿Õ¸ñ(compatible;¿Õ¸ñBaiduspider-render/2.0;¿Õ¸ñ+http://www.baidu.com/search/spider.html)&&9999999&&¼Ù&&¼Ù&&¿Õ&&¿Õ
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    C:\Users\Admin\AppData\Local\Temp\test.exe "1024&&106.126.11.167:80&&Mozilla/5.0????(compatible;????Baiduspider-render/2.0;????+http://www.baidu.com/search/spider.html)&&9999999&&?¨´&&?¨´&&??&&??"
    3⤵
    - Executes dropped EXE
    PID:448
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp/test.exe 2048&&106.126.11.167:80&&Mozilla/5.0¿Õ¸ñ(compatible;¿Õ¸ñBaiduspider-render/2.0;¿Õ¸ñ+http://www.baidu.com/search/spider.html)&&9999999&&¼Ù&&¼Ù&&¿Õ&&¿Õ
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    C:\Users\Admin\AppData\Local\Temp\test.exe "1024&&106.126.11.167:80&&Mozilla/5.0????(compatible;????Baiduspider-render/2.0;????+http://www.baidu.com/search/spider.html)&&9999999&&?¨´&&?¨´&&??&&??"
    3⤵
    - Executes dropped EXE
    PID:3044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im test.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:44452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
6dffe4f58e220cd779b530478e9a40a0

SHA1
6def979cb57b7a4fa97b87f3c0e0b02a37c17c85

SHA256
d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348

SHA512
c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
6dffe4f58e220cd779b530478e9a40a0

SHA1
6def979cb57b7a4fa97b87f3c0e0b02a37c17c85

SHA256
d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348

SHA512
c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
6dffe4f58e220cd779b530478e9a40a0

SHA1
6def979cb57b7a4fa97b87f3c0e0b02a37c17c85

SHA256
d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348

SHA512
c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
6dffe4f58e220cd779b530478e9a40a0

SHA1
6def979cb57b7a4fa97b87f3c0e0b02a37c17c85

SHA256
d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348

SHA512
c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
6dffe4f58e220cd779b530478e9a40a0

SHA1
6def979cb57b7a4fa97b87f3c0e0b02a37c17c85

SHA256
d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348

SHA512
c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
6dffe4f58e220cd779b530478e9a40a0

SHA1
6def979cb57b7a4fa97b87f3c0e0b02a37c17c85

SHA256
d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348

SHA512
c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
6dffe4f58e220cd779b530478e9a40a0

SHA1
6def979cb57b7a4fa97b87f3c0e0b02a37c17c85

SHA256
d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348

SHA512
c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
6dffe4f58e220cd779b530478e9a40a0

SHA1
6def979cb57b7a4fa97b87f3c0e0b02a37c17c85

SHA256
d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348

SHA512
c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
6dffe4f58e220cd779b530478e9a40a0

SHA1
6def979cb57b7a4fa97b87f3c0e0b02a37c17c85

SHA256
d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348

SHA512
c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
6dffe4f58e220cd779b530478e9a40a0

SHA1
6def979cb57b7a4fa97b87f3c0e0b02a37c17c85

SHA256
d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348

SHA512
c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
6dffe4f58e220cd779b530478e9a40a0

SHA1
6def979cb57b7a4fa97b87f3c0e0b02a37c17c85

SHA256
d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348

SHA512
c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973

Download Submit
memory/448-143-0x0000000000000000-mapping.dmp

Download
memory/3044-144-0x0000000000000000-mapping.dmp

Download
memory/3464-130-0x0000000000000000-mapping.dmp

Download
memory/3852-132-0x0000000000000000-mapping.dmp

Download
memory/3860-141-0x0000000000000000-mapping.dmp

Download
memory/3912-133-0x0000000000000000-mapping.dmp

Download
memory/4076-149-0x0000000000000000-mapping.dmp

Download
memory/4092-134-0x0000000000000000-mapping.dmp

Download
memory/4912-131-0x0000000000000000-mapping.dmp

Download
memory/4972-142-0x0000000000000000-mapping.dmp

Download
memory/44452-151-0x0000000000000000-mapping.dmp

Download