blackmoon | a299fe9f7c5902b0faa026ef0c9aa59292dfe3fa9983e1abd801472cb2d3e26d

General

Target

tmp.exe
Size

107KB
MD5

5b2dbd6f2668a6d4a304007a7554806c
SHA1

cb40d7f273af19a4474dbe0a96bddb68a8e535df
SHA256

a299fe9f7c5902b0faa026ef0c9aa59292dfe3fa9983e1abd801472cb2d3e26d
SHA512

8226086ac4e1f6a3c40d3b8f69d88d78262696a51101eb94aec3b82f6abb35e633da640dc8826ab2753009bf12d40f51a0e48ccc32f738d69c0e5b0124b72281
SSDEEP

1536:swSFvo7h95drZApq4nVNlobB+3aA4XrPZlfyo63EnOGkE+Z7XbT7mNhcbAsgFnxM:b93Inri+KAo/xOZ1X7bbAsE

Score

10^/10

blackmoon banker persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/4652-133-0x0000000000400000-0x0000000000463000-memory.dmp	family_blackmoon
behavioral2/memory/4652-144-0x0000000000400000-0x0000000000463000-memory.dmp	family_blackmoon

Executes dropped EXE 2 IoCs

pid	Process
372	z.exe
3676	z.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\b\ImagePath = "\\??\\C:\\Windows\\temp\\b.sys"	z.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\f\ImagePath = "\\??\\C:\\Windows\\temp\\f.sys"	z.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4652-133-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4652-144-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Kills process with taskkill 4 IoCs

evasion

pid	Process
4640	taskkill.exe
1900	taskkill.exe
1864	taskkill.exe
4988	taskkill.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
372	z.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeLoadDriverPrivilege	372	z.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeLoadDriverPrivilege	3676	z.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4652	tmp.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 2688	4652	tmp.exe	80
PID 4652 wrote to memory of 2688	4652	tmp.exe	80
PID 4652 wrote to memory of 2688	4652	tmp.exe	80
PID 2688 wrote to memory of 4640	2688	cmd.exe	82
PID 2688 wrote to memory of 4640	2688	cmd.exe	82
PID 2688 wrote to memory of 4640	2688	cmd.exe	82
PID 4652 wrote to memory of 4884	4652	tmp.exe	83
PID 4652 wrote to memory of 4884	4652	tmp.exe	83
PID 4652 wrote to memory of 4884	4652	tmp.exe	83
PID 4884 wrote to memory of 372	4884	cmd.exe	85
PID 4884 wrote to memory of 372	4884	cmd.exe	85
PID 2688 wrote to memory of 1900	2688	cmd.exe	86
PID 2688 wrote to memory of 1900	2688	cmd.exe	86
PID 2688 wrote to memory of 1900	2688	cmd.exe	86
PID 4652 wrote to memory of 836	4652	tmp.exe	87
PID 4652 wrote to memory of 836	4652	tmp.exe	87
PID 4652 wrote to memory of 836	4652	tmp.exe	87
PID 836 wrote to memory of 3676	836	cmd.exe	90
PID 836 wrote to memory of 3676	836	cmd.exe	90
PID 2688 wrote to memory of 1864	2688	cmd.exe	91
PID 2688 wrote to memory of 1864	2688	cmd.exe	91
PID 2688 wrote to memory of 1864	2688	cmd.exe	91
PID 2688 wrote to memory of 4988	2688	cmd.exe	93
PID 2688 wrote to memory of 4988	2688	cmd.exe	93
PID 2688 wrote to memory of 4988	2688	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c z.exe f.sys b.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\temp\z.exe
    z.exe f.sys b.sys
    3⤵
    - Executes dropped EXE
    - Sets service image path in registry
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c z.exe b.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\temp\z.exe
    z.exe b.sys
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\z.exe

Filesize
19KB

MD5
5a553b1c9a9dd4a03331d9b33951adad

SHA1
c26e3652ef52539924d873631295a0bd74f4791f

SHA256
9dd7c4d245afd85ca1fbaf786d629e1a941616c6f6fb8cb55300d3fa5cacdb79

SHA512
f02709fb20e4646e8b7342983d3ba9428f824cde84d9223d55be300d74e8a2d60388ee603eb25e52f92a412e0467d6cc9ff603f3b506afb1fb286e391d82a567

Download Submit
C:\Windows\Temp\z.exe

Filesize
19KB

MD5
5a553b1c9a9dd4a03331d9b33951adad

SHA1
c26e3652ef52539924d873631295a0bd74f4791f

SHA256
9dd7c4d245afd85ca1fbaf786d629e1a941616c6f6fb8cb55300d3fa5cacdb79

SHA512
f02709fb20e4646e8b7342983d3ba9428f824cde84d9223d55be300d74e8a2d60388ee603eb25e52f92a412e0467d6cc9ff603f3b506afb1fb286e391d82a567

Download Submit
memory/372-136-0x0000000000000000-mapping.dmp

Download
memory/836-139-0x0000000000000000-mapping.dmp

Download
memory/1864-142-0x0000000000000000-mapping.dmp

Download
memory/1900-138-0x0000000000000000-mapping.dmp

Download
memory/2688-132-0x0000000000000000-mapping.dmp

Download
memory/3676-140-0x0000000000000000-mapping.dmp

Download
memory/4640-134-0x0000000000000000-mapping.dmp

Download
memory/4652-133-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4652-144-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4884-135-0x0000000000000000-mapping.dmp

Download
memory/4988-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing