blackmoon | 440677bd9021db929a504bc2480225a0f9809564a5cdc2d588fbe89596dcc47d

Analysis

max time kernel
138s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

440677bd9021db929a504bc2480225a0f9809564a5cdc2d588fbe89596dcc47d.exe
Size

103KB
MD5

174a4a1a62b10885fc0aa5b65d32e7f0
SHA1

8b999466a127712a6e91e3e3591c3a6c3d958147
SHA256

440677bd9021db929a504bc2480225a0f9809564a5cdc2d588fbe89596dcc47d
SHA512

6a348b3156f12fad76daf4c876963c189443a03268eaf67d18526d535531d7cf110ee9dab1816137dbe462d675f82ae7a128458bffc07f3a475eeb8bd01794f6
SSDEEP

1536:sE5w4qnGS5jNqm1Rf9ziE31wsapsSw+KjvuWRCdm9ozXW7DI376KEhIogtwGF1q3:soqnGS5xJr9zicOsSwqWUXW787ggt/q

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/3784-132-0x0000000000400000-0x0000000000457000-memory.dmp	family_blackmoon
behavioral2/memory/3784-133-0x0000000000400000-0x0000000000457000-memory.dmp	family_blackmoon

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3784-132-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3784-133-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6472BB3D-4914-11ED-B696-DAE60F07E07D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\caiyyqq.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\caiyyqq.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989601"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000f09ed1c6290eb0edb4ac655a635f3f626ee94ceba6159093211c0f77f378857b000000000e80000000020000200000007a28eb1bf063af0c494b507389d5004ae573a663b9a26919e479146f6db84d572000000012c4db8ae08f9a2601a6833d6cfa100ed20908b9e0f49efd895b3e66f41d42b74000000018915202fa3cd001532f8d88a1d63227d3508c5b6309e6a11e47796c1724e0223733a903c18a62b3caad7969fb027f77d160ed7fecdd774bfbfff453f3c18dcb	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989601"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\caiyyqq.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9006395c21ddd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989601"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000480ff5f41ca47ae8b1bb41f6861ecdd45902eecaa6fa6c80293fee42bbdd30c1000000000e80000000020000200000001c5cb1489fec1e1f110e565823f086f65cd0c8803478bfd356fb45216524681d200000002931162de5c873a338938538986a86c6b894a1ef5677e0af8a205cfb15b3ef10400000004b11fc1a510bf3f46d3d95f4247b49d8f79b3d1330b6830fe6d6f6878c2c2ee4bba4b37001a8eb66e7826c38a3aa7458d7317c26d001333cea5995e27bb0e66e	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "982866579"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00b50b5c21ddd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "967710921"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\caiyyqq.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "967710921"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.caiyyqq.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.caiyyqq.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372223722"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1252	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1252	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1252	IEXPLORE.EXE
1252	IEXPLORE.EXE
4032	IEXPLORE.EXE
4032	IEXPLORE.EXE
4032	IEXPLORE.EXE
4032	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 1252	3784	440677bd9021db929a504bc2480225a0f9809564a5cdc2d588fbe89596dcc47d.exe	81
PID 3784 wrote to memory of 1252	3784	440677bd9021db929a504bc2480225a0f9809564a5cdc2d588fbe89596dcc47d.exe	81
PID 1252 wrote to memory of 4032	1252	IEXPLORE.EXE	82
PID 1252 wrote to memory of 4032	1252	IEXPLORE.EXE	82
PID 1252 wrote to memory of 4032	1252	IEXPLORE.EXE	82

C:\Users\Admin\AppData\Local\Temp\440677bd9021db929a504bc2480225a0f9809564a5cdc2d588fbe89596dcc47d.exe
"C:\Users\Admin\AppData\Local\Temp\440677bd9021db929a504bc2480225a0f9809564a5cdc2d588fbe89596dcc47d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://caiyyqq.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fceed7a5f76725fb398c6a91ff552899

SHA1
237aec000ae7c7c35a639664b1ad6c0d842a0749

SHA256
2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

SHA512
adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
9aca23676e92c7d9c9a18e921d45a713

SHA1
de4086c9db29f7f7f3ca898eb451298456230cb2

SHA256
3204aa44181152e5e401b9028a45732733fbeb25289fd8cf9614a411b078250e

SHA512
3381321f77bf8197d33d787caf36bb90dd0dabfb35e41dc50e75e99a2e836a48a933f6c6ab6167412260acb528a42e844bc2914ab802ca229b4fff40f58a4e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat

Filesize
9KB

MD5
2aca1ef106aa6e0fdda2da205b7015a7

SHA1
544e39ca993aefa8febdc93256e8291ce4d210f0

SHA256
78544957157402f527b20d217903758c22eba023b0ae49cfea0ec79d1724dedc

SHA512
c40ee5217c2adaf1865145e3064061cad18cfe45f1e86ae559af13878d334d79fa31f5ca48276374e75936c175d88af59bf6d9cd0d9c754467fdc5430c9f4906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\48VMALJK\favicon[1].ico

Filesize
9KB

MD5
1af6c08eb07f675c862fa3cd50640511

SHA1
bfc9fbddea831a3cae067a570bcb4450280c7f45

SHA256
7fc7fdb7ea134949cefdbd00ac02724e091e0201c1cee06795f84db28a1586d4

SHA512
163ab2dfa0aa242f55051c914bb467c7e3eb8163f0736548f6a26d1c5d12fa4fc21db08067cedfc96465627d27a840cf347f42d35f4e24129deceefde54d167d

Download Submit
memory/3784-132-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3784-133-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download