blackmoon | 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a

General

Target

2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe
Size

4.3MB
MD5

ea3e9d19106196e24b10b15d2ae9210d
SHA1

0194afbf5ccd49db5e168815b31b19871b8fdb7f
SHA256

2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a
SHA512

8472297798911213ef8eec4a943898978463756e89a3295f3a4ad12d6a26669cfb9c0c18bfc176d549f99e7b3b0e15a6b06803cbf2040c9aa79d5691f00b55a5
SSDEEP

98304:XqlBDmLNAlORoPZ6YCSEvDAKOHG2eSgw41WSqBgZT4kxL4tbezpJ:XqvtkiR6YCSEvKm4IqiZ3YeNJ

Score

10^/10

blackmoon banker bootkit persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4660-133-0x0000000002D80000-0x00000000032D9000-memory.dmp	family_blackmoon
behavioral2/memory/4660-134-0x0000000010000000-0x0000000010575000-memory.dmp	family_blackmoon

Sets service image path in registry 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cttunesvr.exe58658cfca9fa4e98.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\10372e96baa\IMAGEPATH = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\10372e96baa.bin"	cttunesvr.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RTCore64\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\RTCore64.sys"	58658cfca9fa4e98.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Gdrv\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\Gdrv.sys"	58658cfca9fa4e98.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\GLCKIo2\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\GLCKIo2.sys"	58658cfca9fa4e98.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\1013be9d1b9\IMAGEPATH = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\1013be9d1b9.bin"	cttunesvr.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\102f2c738ee\IMAGEPATH = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\102f2c738ee.bin"	cttunesvr.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NalDrv\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\NalDrv.sys"	58658cfca9fa4e98.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ATSZIO\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\ATSZIO.sys"	58658cfca9fa4e98.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MsIo64\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\MsIo64.sys"	58658cfca9fa4e98.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EneIo64\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\EneIo64.sys"	58658cfca9fa4e98.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EneTechIo64\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\EneTechIo64.sys"	58658cfca9fa4e98.exe

Executes dropped EXE 1 IoCs

Processes:

58658cfca9fa4e98.exe

pid process

3684 58658cfca9fa4e98.exe
Loads dropped DLL 1 IoCs

Processes:

cttunesvr.exe

pid process

4660 cttunesvr.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cttunesvr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 cttunesvr.exe

pid	process
3684	58658cfca9fa4e98.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cttunesvr.exe

Drops file in System32 directory 8 IoCs

Processes:

58658cfca9fa4e98.exe

description	ioc	process
File created	C:\Windows\SYSWOW64\NalDrv.sys	58658cfca9fa4e98.exe
File created	C:\Windows\SYSWOW64\RTCore64.sys	58658cfca9fa4e98.exe
File created	C:\Windows\SYSWOW64\Gdrv.sys	58658cfca9fa4e98.exe
File created	C:\Windows\SYSWOW64\ATSZIO.sys	58658cfca9fa4e98.exe
File created	C:\Windows\SYSWOW64\MsIo64.sys	58658cfca9fa4e98.exe
File created	C:\Windows\SYSWOW64\GLCKIo2.sys	58658cfca9fa4e98.exe
File created	C:\Windows\SYSWOW64\EneIo64.sys	58658cfca9fa4e98.exe
File created	C:\Windows\SYSWOW64\EneTechIo64.sys	58658cfca9fa4e98.exe

Drops file in Windows directory 1 IoCs

Processes:

cttunesvr.exe

description ioc process

File opened for modification C:\Windows\Konfig.ini cttunesvr.exe

description	ioc	process
File opened for modification	C:\Windows\Konfig.ini	cttunesvr.exe

Suspicious behavior: LoadsDriver 12 IoCs

Processes:

cttunesvr.exe58658cfca9fa4e98.exe

pid	process
4660	cttunesvr.exe
4660	cttunesvr.exe
4660	cttunesvr.exe
3684	58658cfca9fa4e98.exe
3684	58658cfca9fa4e98.exe
3684	58658cfca9fa4e98.exe
3684	58658cfca9fa4e98.exe
3684	58658cfca9fa4e98.exe
3684	58658cfca9fa4e98.exe
3684	58658cfca9fa4e98.exe
3684	58658cfca9fa4e98.exe
3684	58658cfca9fa4e98.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe

pid process

4320 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe

pid	process
4320	2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

wmic.execttunesvr.exe58658cfca9fa4e98.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5012	wmic.exe
Token: SeSecurityPrivilege	5012	wmic.exe
Token: SeTakeOwnershipPrivilege	5012	wmic.exe
Token: SeLoadDriverPrivilege	5012	wmic.exe
Token: SeSystemProfilePrivilege	5012	wmic.exe
Token: SeSystemtimePrivilege	5012	wmic.exe
Token: SeProfSingleProcessPrivilege	5012	wmic.exe
Token: SeIncBasePriorityPrivilege	5012	wmic.exe
Token: SeCreatePagefilePrivilege	5012	wmic.exe
Token: SeBackupPrivilege	5012	wmic.exe
Token: SeRestorePrivilege	5012	wmic.exe
Token: SeShutdownPrivilege	5012	wmic.exe
Token: SeDebugPrivilege	5012	wmic.exe
Token: SeSystemEnvironmentPrivilege	5012	wmic.exe
Token: SeRemoteShutdownPrivilege	5012	wmic.exe
Token: SeUndockPrivilege	5012	wmic.exe
Token: SeManageVolumePrivilege	5012	wmic.exe
Token: 33	5012	wmic.exe
Token: 34	5012	wmic.exe
Token: 35	5012	wmic.exe
Token: 36	5012	wmic.exe
Token: SeIncreaseQuotaPrivilege	5012	wmic.exe
Token: SeSecurityPrivilege	5012	wmic.exe
Token: SeTakeOwnershipPrivilege	5012	wmic.exe
Token: SeLoadDriverPrivilege	5012	wmic.exe
Token: SeSystemProfilePrivilege	5012	wmic.exe
Token: SeSystemtimePrivilege	5012	wmic.exe
Token: SeProfSingleProcessPrivilege	5012	wmic.exe
Token: SeIncBasePriorityPrivilege	5012	wmic.exe
Token: SeCreatePagefilePrivilege	5012	wmic.exe
Token: SeBackupPrivilege	5012	wmic.exe
Token: SeRestorePrivilege	5012	wmic.exe
Token: SeShutdownPrivilege	5012	wmic.exe
Token: SeDebugPrivilege	5012	wmic.exe
Token: SeSystemEnvironmentPrivilege	5012	wmic.exe
Token: SeRemoteShutdownPrivilege	5012	wmic.exe
Token: SeUndockPrivilege	5012	wmic.exe
Token: SeManageVolumePrivilege	5012	wmic.exe
Token: 33	5012	wmic.exe
Token: 34	5012	wmic.exe
Token: 35	5012	wmic.exe
Token: 36	5012	wmic.exe
Token: SeLoadDriverPrivilege	4660	cttunesvr.exe
Token: SeSystemEnvironmentPrivilege	3684	58658cfca9fa4e98.exe
Token: SeDebugPrivilege	3684	58658cfca9fa4e98.exe
Token: SeLoadDriverPrivilege	3684	58658cfca9fa4e98.exe
Token: SeDebugPrivilege	3684	58658cfca9fa4e98.exe
Token: SeLoadDriverPrivilege	3684	58658cfca9fa4e98.exe
Token: SeDebugPrivilege	3684	58658cfca9fa4e98.exe
Token: SeLoadDriverPrivilege	3684	58658cfca9fa4e98.exe
Token: SeDebugPrivilege	3684	58658cfca9fa4e98.exe
Token: SeLoadDriverPrivilege	3684	58658cfca9fa4e98.exe
Token: SeDebugPrivilege	3684	58658cfca9fa4e98.exe
Token: SeLoadDriverPrivilege	3684	58658cfca9fa4e98.exe
Token: SeDebugPrivilege	3684	58658cfca9fa4e98.exe
Token: SeLoadDriverPrivilege	3684	58658cfca9fa4e98.exe
Token: SeDebugPrivilege	3684	58658cfca9fa4e98.exe
Token: SeLoadDriverPrivilege	3684	58658cfca9fa4e98.exe
Token: SeDebugPrivilege	3684	58658cfca9fa4e98.exe
Token: SeLoadDriverPrivilege	3684	58658cfca9fa4e98.exe
Token: SeDebugPrivilege	3684	58658cfca9fa4e98.exe
Token: SeLoadDriverPrivilege	3684	58658cfca9fa4e98.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.execttunesvr.exe

description	pid	process	target process
PID 4320 wrote to memory of 4660	4320	2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe	cttunesvr.exe
PID 4320 wrote to memory of 4660	4320	2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe	cttunesvr.exe
PID 4320 wrote to memory of 4660	4320	2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe	cttunesvr.exe
PID 4660 wrote to memory of 5012	4660	cttunesvr.exe	wmic.exe
PID 4660 wrote to memory of 5012	4660	cttunesvr.exe	wmic.exe
PID 4660 wrote to memory of 5012	4660	cttunesvr.exe	wmic.exe
PID 4660 wrote to memory of 3684	4660	cttunesvr.exe	58658cfca9fa4e98.exe
PID 4660 wrote to memory of 3684	4660	cttunesvr.exe	58658cfca9fa4e98.exe

C:\Users\Admin\AppData\Local\Temp\2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe
"C:\Users\Admin\AppData\Local\Temp\2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\cttunesvr.exe
"C:\Windows\SYSWOW64\cttunesvr.exe"
2⤵
- Sets service image path in registry
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic BaseBoard get SerialNumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Users\Admin\AppData\Local\Temp\58658cfca9fa4e98.exe
"C:\Users\Admin\AppData\Local\Temp\58658cfca9fa4e98.exe"
3⤵
- Sets service image path in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58658cfca9fa4e98.exe

Filesize
456KB

MD5
b37b7cb0d855149fc56b7d76fa40d54f

SHA1
e402a250ec28e5d5c3f30dc706bdd729ac87b922

SHA256
2281727177c49d7f6519b62407d4de86911a773e3d2ebf63a2b9d9827ab8bc45

SHA512
08089b1e712061522edfa9e317bc44c6f7af474e3cf7adf56390f9131a9bbef14371319f25b613587fd935a1ad42014852b8bdae4a4ea6223783e686efa42357

Download Submit
C:\Users\Admin\AppData\Local\Temp\58658cfca9fa4e98.exe

Filesize
456KB

MD5
b37b7cb0d855149fc56b7d76fa40d54f

SHA1
e402a250ec28e5d5c3f30dc706bdd729ac87b922

SHA256
2281727177c49d7f6519b62407d4de86911a773e3d2ebf63a2b9d9827ab8bc45

SHA512
08089b1e712061522edfa9e317bc44c6f7af474e3cf7adf56390f9131a9bbef14371319f25b613587fd935a1ad42014852b8bdae4a4ea6223783e686efa42357

Download Submit
C:\Users\Admin\AppData\Local\Temp\Error.dll

Filesize
1.7MB

MD5
6bde7211a233d168d3e1fdec55ed6e0e

SHA1
bb97c032c48989bbc10e1e0cff3c8d7c9f45b097

SHA256
37eec4edf943a97649b44461365a08ab128cefb12cbe9c92275794e3e9a5c721

SHA512
e728e99a1a369c4e8013061510c6e0bd543951cd05d315e7dd3c6a3597b8147462ad4e4c1195dc84763cd198fc2817b91f7702eea90dbfb7ee7d3e01b7d0a7cf

Download Submit
memory/4660-133-0x0000000002D80000-0x00000000032D9000-memory.dmp

Filesize
5.3MB

Download
memory/4660-134-0x0000000010000000-0x0000000010575000-memory.dmp

Filesize
5.5MB

Download
memory/4660-147-0x0000000073EE0000-0x0000000074213000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads