blackmoon | 24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5

General

Target

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe
Size

1.2MB
MD5

dabbdef24d997cfeec98d06664f72bea
SHA1

1b0e59f221a085787267d0617014f49cd786cb8b
SHA256

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5
SHA512

9f92622063fd713903a298a7a82bad85c6851b932381ff408f6a7ac049e863e573cbfcc732843eef45a6d67ec773a40824050950f6cf465df9e6cde16be8b533
SSDEEP

24576:O6rI9Eg9Z/NrgbtXQXAskv3L/Kp5uBaZaVPWXi3AWA1YXrjGKb8JWPlgfuMe:eG81KrskfbKpAa6R3AePGKUWafP

Score

10^/10

blackmoon banker persistence trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1272-137-0x0000000000400000-0x0000000000618000-memory.dmp	family_blackmoon
behavioral2/memory/1272-144-0x0000000000400000-0x0000000000618000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

÷ÈÓ°´«Ëµ.exe

pid process

3976 ÷ÈÓ°´«Ëµ.exe

pid	process
3976	÷ÈÓ°´«Ëµ.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\GPWGAMES\Parameters\ServiceDll = "C:\\Program Files (x86)\\÷ÈÓ°´«Ëµ\\meiyweb.dll"	24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1272-132-0x0000000000400000-0x0000000000618000-memory.dmp	upx
behavioral2/memory/1272-137-0x0000000000400000-0x0000000000618000-memory.dmp	upx
behavioral2/memory/3976-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-145-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1272-144-0x0000000000400000-0x0000000000618000-memory.dmp	upx
behavioral2/memory/3976-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-151-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-153-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-155-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-157-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-159-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-161-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-163-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-165-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-167-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-169-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-171-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-173-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-175-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-177-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-179-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-181-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-183-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-185-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-187-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-189-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3976-191-0x0000000010000000-0x000000001003E000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4536-143-0x00000000011B0000-0x0000000001200000-memory.dmp	vmprotect
behavioral2/memory/4536-146-0x00000000011B0000-0x0000000001200000-memory.dmp	vmprotect
behavioral2/memory/4536-149-0x00000000011B0000-0x0000000001200000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe

Loads dropped DLL 2 IoCs

Processes:

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exesvchost.exe

pid process

1272 24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe
4536 svchost.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

÷ÈÓ°´«Ëµ.exe

description	ioc	process
File opened (read-only)	\??\A:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\B:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\S:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\Y:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\I:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\L:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\N:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\P:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\R:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\W:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\Z:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\G:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\K:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\M:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\U:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\V:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\E:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\F:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\H:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\J:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\O:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\Q:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\T:	÷ÈÓ°´«Ëµ.exe
File opened (read-only)	\??\X:	÷ÈÓ°´«Ëµ.exe

Drops file in Program Files directory 3 IoCs

Processes:

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe

description	ioc	process
File created	C:\Program Files (x86)\÷ÈÓ°´«Ëµ\÷ÈÓ°´«Ëµ.exe	24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe
File created	C:\Program Files (x86)\÷ÈÓ°´«Ëµ\Ð¶ÔØ.exe	24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe
File created	C:\Program Files (x86)\÷ÈÓ°´«Ëµ\meiyweb.dll	24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\{1B739C33-73C6-4f84-B0AD-14FCDB843C68} svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

÷ÈÓ°´«Ëµ.exe

description pid process

Token: SeShutdownPrivilege 3976 ÷ÈÓ°´«Ëµ.exe
Token: SeCreatePagefilePrivilege 3976 ÷ÈÓ°´«Ëµ.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\{1B739C33-73C6-4f84-B0AD-14FCDB843C68}	svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3976	÷ÈÓ°´«Ëµ.exe
Token: SeCreatePagefilePrivilege	3976	÷ÈÓ°´«Ëµ.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe÷ÈÓ°´«Ëµ.exe

pid	process
1272	24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe
1272	24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe
3976	÷ÈÓ°´«Ëµ.exe
3976	÷ÈÓ°´«Ëµ.exe
3976	÷ÈÓ°´«Ëµ.exe
3976	÷ÈÓ°´«Ëµ.exe
3976	÷ÈÓ°´«Ëµ.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe

description	pid	process	target process
PID 1272 wrote to memory of 3976	1272	24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe	÷ÈÓ°´«Ëµ.exe
PID 1272 wrote to memory of 3976	1272	24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe	÷ÈÓ°´«Ëµ.exe
PID 1272 wrote to memory of 3976	1272	24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe	÷ÈÓ°´«Ëµ.exe

C:\Users\Admin\AppData\Local\Temp\24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe
"C:\Users\Admin\AppData\Local\Temp\24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272

C:\Program Files (x86)\÷ÈÓ°´«Ëµ\÷ÈÓ°´«Ëµ.exe
"C:\Program Files (x86)\÷ÈÓ°´«Ëµ\÷ÈÓ°´«Ëµ.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k webGame -s GPWGAMES
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\÷ÈÓ°´«Ëµ\meiyweb.dll
Filesize
223KB

MD5
e6a23ba8e19a8d1f7e3518afefd1e9ae

SHA1
9db8dd10e6d49eb30d91ddb065ac75f959eaad08

SHA256
bcff79151f62e5b673f3176733f7b78674745ec570575104d0b5ffaff4fdcc71

SHA512
0b16886eccaac5848a87c8a5f881227eb7fa901c4ec5e4886d4f6ababac47333b04ed08a38351dc87799ca9b68007db4ee330c312a72cf1e86e1bd4b5c12691f

Download Submit
C:\Program Files (x86)\÷ÈÓ°´«Ëµ\meiyweb.dll
Filesize
223KB

MD5
e6a23ba8e19a8d1f7e3518afefd1e9ae

SHA1
9db8dd10e6d49eb30d91ddb065ac75f959eaad08

SHA256
bcff79151f62e5b673f3176733f7b78674745ec570575104d0b5ffaff4fdcc71

SHA512
0b16886eccaac5848a87c8a5f881227eb7fa901c4ec5e4886d4f6ababac47333b04ed08a38351dc87799ca9b68007db4ee330c312a72cf1e86e1bd4b5c12691f

Download Submit
C:\Program Files (x86)\÷ÈÓ°´«Ëµ\÷ÈÓ°´«Ëµ.exe
Filesize
892KB

MD5
79e15e0499d459b7c0835cea78ac4145

SHA1
3a435e4c34997128662a94b780978e7b6624339a

SHA256
bbf3ea34fe60093466049b79f2ecb788c04c22d268ae3823bc3989841081ded8

SHA512
bc451aeb3b7bb2ff77c70e471b4a4e18edd9ddae2bd5e40e7d5d6997ba8545d11b936203db0cf2344a52a0a5901b09b47a5fe9dc501ef501cd24b96d3e890b07

Download Submit
C:\Program Files (x86)\÷ÈÓ°´«Ëµ\÷ÈÓ°´«Ëµ.exe
Filesize
892KB

MD5
79e15e0499d459b7c0835cea78ac4145

SHA1
3a435e4c34997128662a94b780978e7b6624339a

SHA256
bbf3ea34fe60093466049b79f2ecb788c04c22d268ae3823bc3989841081ded8

SHA512
bc451aeb3b7bb2ff77c70e471b4a4e18edd9ddae2bd5e40e7d5d6997ba8545d11b936203db0cf2344a52a0a5901b09b47a5fe9dc501ef501cd24b96d3e890b07

Download Submit
\??\c:\program files (x86)\÷èó°´«ëµ\meiyweb.dll
Filesize
223KB

MD5
e6a23ba8e19a8d1f7e3518afefd1e9ae

SHA1
9db8dd10e6d49eb30d91ddb065ac75f959eaad08

SHA256
bcff79151f62e5b673f3176733f7b78674745ec570575104d0b5ffaff4fdcc71

SHA512
0b16886eccaac5848a87c8a5f881227eb7fa901c4ec5e4886d4f6ababac47333b04ed08a38351dc87799ca9b68007db4ee330c312a72cf1e86e1bd4b5c12691f

Download Submit
memory/1272-132-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/1272-137-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/1272-144-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/3976-171-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-163-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-145-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-191-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-189-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-151-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-153-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-155-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-157-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-159-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-161-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-187-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-165-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-167-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-169-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-133-0x0000000000000000-mapping.dmp

Download
memory/3976-173-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-175-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-177-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-179-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-181-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-183-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3976-185-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4536-143-0x00000000011B0000-0x0000000001200000-memory.dmp

Filesize
320KB

Download
memory/4536-149-0x00000000011B0000-0x0000000001200000-memory.dmp

Filesize
320KB

Download
memory/4536-146-0x00000000011B0000-0x0000000001200000-memory.dmp

Filesize
320KB

Download

pid	process
1272	24b375ab545d73d6ecb2b8a8b71a4099b8561acb446274eab726854710d870c5.exe
4536	svchost.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads