blackmoon | 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556

Analysis

max time kernel
141s
max time network
142s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
21-06-2023 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
Size

2.9MB
MD5

b03da2cad31f6dd89dde2e181553da6e
SHA1

5c8ba30aa2c3971e179e5c86ca31462897a3b5a9
SHA256

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556
SHA512

3488b6171534d61620bfc1f42dd11e4c4c826892f466b24da4187a94000f072c1c0f3ed5b4bd0c3a1fe3e7f807e96c638418a6d3eac4d9b6b89f8f094f1a2f6a
SSDEEP

49152:SGOHuqFTiOmBukNbWQZ6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVcn:tOjFTirBPng3Yz5J/693kO

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1664-71-0x0000000000400000-0x000000000040F000-memory.dmp	family_blackmoon
behavioral1/memory/1664-74-0x0000000000400000-0x000000000040F000-memory.dmp	family_blackmoon

Downloads MZ/PE file

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

jecxz.exev.exe

pid process

1664 jecxz.exe
1920 v.exe

pid	process
1664	jecxz.exe
1920	v.exe

Loads dropped DLL 4 IoCs

Processes:

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe

pid	process
1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1076 1500 WerFault.exe 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe

pid	pid_target	process	target process
1076	1500	WerFault.exe	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jecxz.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

hh.exehh.exehh.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exejecxz.exe

pid	process
1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe
1664	jecxz.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exejecxz.exehh.exehh.exehh.exe

pid	process
1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
1664	jecxz.exe
1948	hh.exe
1948	hh.exe
1444	hh.exe
1444	hh.exe
816	hh.exe
816	hh.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.execmd.exe

description	pid	process	target process
PID 1500 wrote to memory of 1124	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	cmd.exe
PID 1500 wrote to memory of 1124	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	cmd.exe
PID 1500 wrote to memory of 1124	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	cmd.exe
PID 1500 wrote to memory of 1124	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	cmd.exe
PID 1124 wrote to memory of 320	1124	cmd.exe	reg.exe
PID 1124 wrote to memory of 320	1124	cmd.exe	reg.exe
PID 1124 wrote to memory of 320	1124	cmd.exe	reg.exe
PID 1124 wrote to memory of 320	1124	cmd.exe	reg.exe
PID 1500 wrote to memory of 1664	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	jecxz.exe
PID 1500 wrote to memory of 1664	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	jecxz.exe
PID 1500 wrote to memory of 1664	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	jecxz.exe
PID 1500 wrote to memory of 1664	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	jecxz.exe
PID 1500 wrote to memory of 1920	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	v.exe
PID 1500 wrote to memory of 1920	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	v.exe
PID 1500 wrote to memory of 1920	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	v.exe
PID 1500 wrote to memory of 1920	1500	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
"C:\Users\Admin\AppData\Local\Temp\7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
3⤵
PID:320

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1304
2⤵
- Program crash
PID:1076

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5720100835927713\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5720100835927713\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5720100835927713\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
Filesize
8KB

MD5
36551420bd7bd7cd14d7f4eff977ca5e

SHA1
e25e88b1dddde125a1a6875861eaad70a6d63517

SHA256
acc19d98753d538c7dd820aa689d75b13d20f9bb5a7cc553ad0cac4c7180f319

SHA512
661a97121683dded92cc3292ae97c6e048a355f457da57d4a685e76fe570faeff0fc35281edac681c20a0b76ea359a6ef511436310a8113151fe0878b10e1ac8

Download Submit
C:\Users\Public\cxzvasdfg\5720100835927713\A11.chm
Filesize
11KB

MD5
db7961bf21e69e9cdbbfbc5357b6ae84

SHA1
6b43da6f1a502cc3ede9a46a71536e79335e3169

SHA256
49c7fc9d58e588bdcac23d7d576b699d49d5497de8afcb73be23cab89edf3b0e

SHA512
e0c7f502e60c9a15d407416645266614dd1e29c42c4711f1f3e10bd0de4c2404994fc71d3cb73a5ca56977afdf36f96c4e60b2bccce7459a1988877f197312f8

Download Submit
C:\Users\Public\xiaodaxzqxia\1
Filesize
291KB

MD5
66bbcc42fe6cf9c1b890ec4a9049a9d7

SHA1
dd6bf3e2ca01625a1c2d1cd59ec523b55978d32e

SHA256
4950e959cb8ac30540acf2544bbe6a0bdf78e7ea2ce558f248c7f902df29b9ae

SHA512
56daaa94dab1ec09d3a328f78e794d6040822ef26ee5370020e59a9da0e0be7e7c95c4e1805d24cf9270a475219e4dd98aa3a71afc6785df406f99a17110ddb0

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.1MB

MD5
8030310d4a14ad7db433811b6a999683

SHA1
0df42168454db804f8d67fdee7835560bfb3d3ab

SHA256
238e7e4c3a764f8570d7db9612373343385b63ae65c94ac5684d6d52e3745eba

SHA512
049f74881fc50b9b96f002230b689958f75b7215ccc7bb93bda9580c91f7bfec7ca2fecde902be89a3f501c0622f83b6ee71adadbd7f12c9c6d180a2602dc45b

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
16KB

MD5
9a0dd06445e36d0c2fc29cbcfe11d8f9

SHA1
a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb

SHA256
a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92

SHA512
fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
16KB

MD5
9a0dd06445e36d0c2fc29cbcfe11d8f9

SHA1
a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb

SHA256
a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92

SHA512
fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
16KB

MD5
9a0dd06445e36d0c2fc29cbcfe11d8f9

SHA1
a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb

SHA256
a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92

SHA512
fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
16KB

MD5
9a0dd06445e36d0c2fc29cbcfe11d8f9

SHA1
a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb

SHA256
a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92

SHA512
fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77

Download Submit
\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
16KB

MD5
9a0dd06445e36d0c2fc29cbcfe11d8f9

SHA1
a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb

SHA256
a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92

SHA512
fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/1500-73-0x0000000000850000-0x000000000085F000-memory.dmp

Filesize
60KB

Download
memory/1664-71-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1664-80-0x0000000000270000-0x00000000002BA000-memory.dmp

Filesize
296KB

Download
memory/1664-78-0x0000000000270000-0x00000000002BA000-memory.dmp

Filesize
296KB

Download
memory/1664-76-0x0000000000270000-0x00000000002BA000-memory.dmp

Filesize
296KB

Download
memory/1664-100-0x0000000000270000-0x00000000002BA000-memory.dmp

Filesize
296KB

Download
memory/1664-75-0x0000000000270000-0x00000000002BA000-memory.dmp

Filesize
296KB

Download
memory/1664-74-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1920-101-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1920-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download