blackmoon | c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2023 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe
Size

1.3MB
MD5

cef823eb157b4fa0e8524ed48307f345
SHA1

60d5405cbde42850c6d6f9fc5b7fe1773a720f28
SHA256

c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0
SHA512

7b7afd582955f000d62b63f4159d68b7f9d45b8c685e3ad0992ae1eef638cc6e15636adf0dc9fbc6373fd3c58f44f46bf74dfb37a7bb9ec3eae6c74a21b53abc
SSDEEP

24576:Dqmi8tpifdQ8ABVABskA1rz4B8VzWhRTOdlmuC/uZ7R9Ti1wGJRQvZ:umi8bifd+VABnYra3nTOhlxUwGs

Score

10^/10

blackmoon aspackv2 banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1796-142-0x0000000000400000-0x000000000040F000-memory.dmp	family_blackmoon
behavioral2/memory/1796-148-0x0000000000400000-0x000000000040F000-memory.dmp	family_blackmoon

Downloads MZ/PE file

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe

Executes dropped EXE 2 IoCs

Processes:

jecxz.exev.exe

pid process

1796 jecxz.exe
4616 v.exe

pid	process
1796	jecxz.exe
4616	v.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3288-133-0x0000000000400000-0x0000000000720000-memory.dmp	upx
behavioral2/memory/3288-163-0x0000000000400000-0x0000000000720000-memory.dmp	upx
behavioral2/memory/3288-165-0x0000000000400000-0x0000000000720000-memory.dmp	upx
behavioral2/memory/3288-181-0x0000000000400000-0x0000000000720000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jecxz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe

Modifies registry class 1 IoCs

Processes:

c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exejecxz.exe

pid	process
3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe
3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe
1796	jecxz.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exejecxz.exehh.exehh.exe

pid	process
3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe
3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe
1796	jecxz.exe
4216	hh.exe
4216	hh.exe
4796	hh.exe
4796	hh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.execmd.exe

description	pid	process	target process
PID 3288 wrote to memory of 3796	3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe	cmd.exe
PID 3288 wrote to memory of 3796	3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe	cmd.exe
PID 3288 wrote to memory of 3796	3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe	cmd.exe
PID 3796 wrote to memory of 1716	3796	cmd.exe	reg.exe
PID 3796 wrote to memory of 1716	3796	cmd.exe	reg.exe
PID 3796 wrote to memory of 1716	3796	cmd.exe	reg.exe
PID 3288 wrote to memory of 1796	3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe	jecxz.exe
PID 3288 wrote to memory of 1796	3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe	jecxz.exe
PID 3288 wrote to memory of 1796	3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe	jecxz.exe
PID 3288 wrote to memory of 4616	3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe	v.exe
PID 3288 wrote to memory of 4616	3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe	v.exe
PID 3288 wrote to memory of 4616	3288	c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe
"C:\Users\Admin\AppData\Local\Temp\c5513671884fc3e02c5812b2a0b1645b8b664c9fb97ca332bedd18c051e591e0.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
3⤵
PID:1716

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:4616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3972

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5068437916610034\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5068437916610034\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:4796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
Filesize
8KB

MD5
bcdd26198f91725903f25e5b150bf300

SHA1
4678763f6d71f11feb0eed2d45f0d6ba8e57e582

SHA256
7079d415073a987e0c2d95b35bfe4b59a0ce97aebe25d76efbc5d5e9f6655c6f

SHA512
01022a85d1351f10d63ccf00a0bba0dca8b20c57deadbff371b74fd4e9e764a89a153400acec8b061d76b1f0193748c764aed668b698d9e5e389e7753ea69588

Download Submit
C:\Users\Public\cxzvasdfg\5068437916610034\A11.chm
Filesize
11KB

MD5
db7961bf21e69e9cdbbfbc5357b6ae84

SHA1
6b43da6f1a502cc3ede9a46a71536e79335e3169

SHA256
49c7fc9d58e588bdcac23d7d576b699d49d5497de8afcb73be23cab89edf3b0e

SHA512
e0c7f502e60c9a15d407416645266614dd1e29c42c4711f1f3e10bd0de4c2404994fc71d3cb73a5ca56977afdf36f96c4e60b2bccce7459a1988877f197312f8

Download Submit
C:\Users\Public\xiaodaxzqxia\1
Filesize
291KB

MD5
66bbcc42fe6cf9c1b890ec4a9049a9d7

SHA1
dd6bf3e2ca01625a1c2d1cd59ec523b55978d32e

SHA256
4950e959cb8ac30540acf2544bbe6a0bdf78e7ea2ce558f248c7f902df29b9ae

SHA512
56daaa94dab1ec09d3a328f78e794d6040822ef26ee5370020e59a9da0e0be7e7c95c4e1805d24cf9270a475219e4dd98aa3a71afc6785df406f99a17110ddb0

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.1MB

MD5
78b14e29ba9b0da4a01a6aebb494b5ca

SHA1
914a015f18646dd9f3e95e6494dc8cd9e599782f

SHA256
63e82f4038c4de8221de2c6a50626299db28a1976880dc47a4b48c6f0e4b362f

SHA512
929100f7d8fcb9502f8bd4dbfe73a180515cb2805f91e706d6c360049b4b5de99fcb1a409dfd3d73cf9995a58ad654fb17a3ba501498ae94459c0bcf16aa268d

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
16KB

MD5
9a0dd06445e36d0c2fc29cbcfe11d8f9

SHA1
a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb

SHA256
a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92

SHA512
fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
16KB

MD5
9a0dd06445e36d0c2fc29cbcfe11d8f9

SHA1
a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb

SHA256
a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92

SHA512
fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/1796-149-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/1796-148-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1796-147-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/1796-146-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/1796-144-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/1796-142-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1796-180-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/3288-133-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3288-163-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3288-165-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3288-181-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4616-177-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download