blackmoon | fe7bcdcf12d34097b36cffe0ca7f56d29fb9079741d6926baf1cb76285bee367

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

373KB
MD5

ba9ba28edcd2e019634a2cd354291059
SHA1

57e197322f588f7696ff8953e377bc75728d1ce8
SHA256

fe7bcdcf12d34097b36cffe0ca7f56d29fb9079741d6926baf1cb76285bee367
SHA512

e1a0114abe0a043e60d1d1e43c0faf9f0f8f7d743c5dea878882bd33c693545e94ef127207b9515df15677255d3e03a80cb4df4039518b4b56a602fb469b3a1c
SSDEEP

6144:4mjmFJUEhqnuMotJTR364xjLRYPxSPqLFl/3vKC3WNlF7qMF934yApNhoSX:LjmFgmJk4BLRYpSyLFl//P31fzoS

Score

10^/10

blackmoon banker persistence trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1300-54-0x0000000000400000-0x0000000000534000-memory.dmp	family_blackmoon
behavioral1/memory/1300-56-0x0000000000400000-0x0000000000534000-memory.dmp	family_blackmoon
\Program Files\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon
\Program Files\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon
C:\Program Files\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon
\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon
\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon
C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe	family_blackmoon

Drops file in Drivers directory 4 IoCs

Processes:

lmagingDevices.exelmagingDevices.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Drivers\eOOM2VoK.sys	lmagingDevices.exe
File created	C:\Windows\system32\Drivers\eOOM2VoK.sys	lmagingDevices.exe
File opened for modification	C:\Windows\system32\Drivers\OihsJt20SHC.sys	lmagingDevices.exe
File created	C:\Windows\system32\Drivers\OihsJt20SHC.sys	lmagingDevices.exe

Executes dropped EXE 2 IoCs

Processes:

lmagingDevices.exelmagingDevices.exe

pid process

1820 lmagingDevices.exe
1408 lmagingDevices.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lmagingDevices.exelmagingDevices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eOOM2VoK\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\eOOM2VoK.sys"	lmagingDevices.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\OihsJt20SHC\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\OihsJt20SHC.sys"	lmagingDevices.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1300-54-0x0000000000400000-0x0000000000534000-memory.dmp	upx
behavioral1/memory/1300-56-0x0000000000400000-0x0000000000534000-memory.dmp	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Windows\Help\7202706.yRB	vmprotect
behavioral1/memory/1820-63-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect
behavioral1/memory/1820-65-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect
\Windows\Help\7237947.xk1	vmprotect
behavioral1/memory/1408-72-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect
behavioral1/memory/1408-74-0x0000000010000000-0x00000000100D4000-memory.dmp	vmprotect

Loads dropped DLL 8 IoCs

Processes:

tmp.exelmagingDevices.exelmagingDevices.exe

pid process

1300 tmp.exe
1300 tmp.exe
1820 lmagingDevices.exe
1820 lmagingDevices.exe
1300 tmp.exe
1300 tmp.exe
1408 lmagingDevices.exe
1408 lmagingDevices.exe

Drops file in Program Files directory 4 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\lmagingDevices.exe	tmp.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\lmagingDevices.exe	tmp.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe	tmp.exe

Drops file in Windows directory 11 IoCs

Processes:

tmp.exelmagingDevices.exelmagingDevices.exe

description	ioc	process
File created	C:\Windows\Help\7181428.C3v	tmp.exe
File created	C:\Windows\Help\7237947.xk1	lmagingDevices.exe
File created	C:\Windows\Help\7238820.77T	lmagingDevices.exe
File created	C:\Windows\Help\7200943.aN5	lmagingDevices.exe
File created	C:\Windows\Help\7202706.yRB	lmagingDevices.exe
File created	C:\Windows\Help\7203580.lTt	lmagingDevices.exe
File created	C:\Windows\Help\7236184.7ZV	lmagingDevices.exe
File created	C:\Windows\Help\7108700.N39	tmp.exe
File created	C:\Windows\Help\7163675.a77	tmp.exe
File created	\??\c:\windows\P039.bat	tmp.exe
File created	C:\Windows\Help\7179228.d89	tmp.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

tmp.exe

pid	process
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe
1300	tmp.exe

Suspicious behavior: LoadsDriver 8 IoCs

Processes:

lmagingDevices.exelmagingDevices.exe

pid	process
1820	lmagingDevices.exe
1820	lmagingDevices.exe
1820	lmagingDevices.exe
1820	lmagingDevices.exe
1408	lmagingDevices.exe
1408	lmagingDevices.exe
1408	lmagingDevices.exe
1408	lmagingDevices.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

lmagingDevices.exelmagingDevices.exe

description	pid	process
Token: SeLoadDriverPrivilege	1820	lmagingDevices.exe
Token: SeDebugPrivilege	1820	lmagingDevices.exe
Token: SeLoadDriverPrivilege	1820	lmagingDevices.exe
Token: SeDebugPrivilege	1820	lmagingDevices.exe
Token: SeLoadDriverPrivilege	1408	lmagingDevices.exe
Token: SeDebugPrivilege	1408	lmagingDevices.exe
Token: SeLoadDriverPrivilege	1408	lmagingDevices.exe
Token: SeDebugPrivilege	1408	lmagingDevices.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1300 wrote to memory of 1820	1300	tmp.exe	lmagingDevices.exe
PID 1300 wrote to memory of 1820	1300	tmp.exe	lmagingDevices.exe
PID 1300 wrote to memory of 1820	1300	tmp.exe	lmagingDevices.exe
PID 1300 wrote to memory of 1820	1300	tmp.exe	lmagingDevices.exe
PID 1300 wrote to memory of 1408	1300	tmp.exe	lmagingDevices.exe
PID 1300 wrote to memory of 1408	1300	tmp.exe	lmagingDevices.exe
PID 1300 wrote to memory of 1408	1300	tmp.exe	lmagingDevices.exe
PID 1300 wrote to memory of 1408	1300	tmp.exe	lmagingDevices.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300

C:\Program Files\Windows Photo Viewer\lmagingDevices.exe
"C:\Program Files\Windows Photo Viewer\lmagingDevices.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
C:\Program Files\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
\Program Files (x86)\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
\Program Files\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
\Program Files\Windows Photo Viewer\lmagingDevices.exe
Filesize
2.1MB

MD5
5009251600f40d7d7e319dc03b526f05

SHA1
2f93d0eb117400559089189c8435d365e27ca40d

SHA256
cb5620524177df89b0b5614c70c6b45b05dfdbb2f8249034dd6b3611c7d6595f

SHA512
f8e59b98393bfd186352dff115b53110422d06b38cc5b65ff983f58e87b1bea1205708d30f6ebdce675b743f80e591da355a7286e486e2535c1ad020a1223135

Download Submit
\Windows\Help\7200943.aN5
Filesize
142KB

MD5
bc131c9f96f79b417fa4e716555f6c7e

SHA1
ba650f5b06614a55a9939703cc8761cb03d62f28

SHA256
12bc8ebd1048a98f347d419d9c3ab6a0304f633c8d5532c4fb4f9d4f9da29bbd

SHA512
3546b5e13c28b74537c37bc6a1ae05ac389e4b6dc11cb6552aca4b131a7e468b2ee993f3179763da4ed7ecacd27b113db05f27885f019b50da7ecdfab2bd74dc

Download Submit
\Windows\Help\7202706.yRB
Filesize
432KB

MD5
f5308b223e7846e8b061fe0d84ab7488

SHA1
ab2594d8b19219c72afac83fb4c8d4bc7333232b

SHA256
77347c3f34bfac7c0d5e790629ae94a7df434e0c4c85927c84de231a0d14be7c

SHA512
b7e78876858b3a811072924f598145a227526d6b2cd88901e715692b1e356ecdb63ab0b2a9c34a6070a84ffa7c7a87be323e4d21976b10ea474c12a66a6e7bb1

Download Submit
\Windows\Help\7236184.7ZV
Filesize
142KB

MD5
bc131c9f96f79b417fa4e716555f6c7e

SHA1
ba650f5b06614a55a9939703cc8761cb03d62f28

SHA256
12bc8ebd1048a98f347d419d9c3ab6a0304f633c8d5532c4fb4f9d4f9da29bbd

SHA512
3546b5e13c28b74537c37bc6a1ae05ac389e4b6dc11cb6552aca4b131a7e468b2ee993f3179763da4ed7ecacd27b113db05f27885f019b50da7ecdfab2bd74dc

Download Submit
\Windows\Help\7237947.xk1
Filesize
432KB

MD5
f5308b223e7846e8b061fe0d84ab7488

SHA1
ab2594d8b19219c72afac83fb4c8d4bc7333232b

SHA256
77347c3f34bfac7c0d5e790629ae94a7df434e0c4c85927c84de231a0d14be7c

SHA512
b7e78876858b3a811072924f598145a227526d6b2cd88901e715692b1e356ecdb63ab0b2a9c34a6070a84ffa7c7a87be323e4d21976b10ea474c12a66a6e7bb1

Download Submit
memory/1300-56-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1300-54-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1300-55-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1408-68-0x0000000000000000-mapping.dmp

Download
memory/1408-72-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download
memory/1408-74-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download
memory/1820-59-0x0000000000000000-mapping.dmp

Download
memory/1820-65-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download
memory/1820-63-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download