blackmoon | 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556

Analysis

max time kernel
144s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2023 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
Size

2.9MB
MD5

b03da2cad31f6dd89dde2e181553da6e
SHA1

5c8ba30aa2c3971e179e5c86ca31462897a3b5a9
SHA256

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556
SHA512

3488b6171534d61620bfc1f42dd11e4c4c826892f466b24da4187a94000f072c1c0f3ed5b4bd0c3a1fe3e7f807e96c638418a6d3eac4d9b6b89f8f094f1a2f6a
SSDEEP

49152:SGOHuqFTiOmBukNbWQZ6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVcn:tOjFTirBPng3Yz5J/693kO

Score

10^/10

blackmoon aspackv2 banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1256-141-0x0000000000400000-0x000000000040F000-memory.dmp	family_blackmoon
behavioral2/memory/1256-143-0x0000000000400000-0x000000000040F000-memory.dmp	family_blackmoon

Downloads MZ/PE file

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe

Executes dropped EXE 2 IoCs

Processes:

jecxz.exev.exe

pid process

1256 jecxz.exe
4876 v.exe

pid	process
1256	jecxz.exe
4876	v.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jecxz.exe

Modifies registry class 1 IoCs

Processes:

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exejecxz.exe

pid	process
4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe
1256	jecxz.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exejecxz.exehh.exehh.exe

pid	process
4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
1256	jecxz.exe
1580	hh.exe
1580	hh.exe
2536	hh.exe
2536	hh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.execmd.exe

description	pid	process	target process
PID 4088 wrote to memory of 4256	4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	cmd.exe
PID 4088 wrote to memory of 4256	4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	cmd.exe
PID 4088 wrote to memory of 4256	4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	cmd.exe
PID 4256 wrote to memory of 4668	4256	cmd.exe	reg.exe
PID 4256 wrote to memory of 4668	4256	cmd.exe	reg.exe
PID 4256 wrote to memory of 4668	4256	cmd.exe	reg.exe
PID 4088 wrote to memory of 1256	4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	jecxz.exe
PID 4088 wrote to memory of 1256	4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	jecxz.exe
PID 4088 wrote to memory of 1256	4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	jecxz.exe
PID 4088 wrote to memory of 4876	4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	v.exe
PID 4088 wrote to memory of 4876	4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	v.exe
PID 4088 wrote to memory of 4876	4088	7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
"C:\Users\Admin\AppData\Local\Temp\7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
3⤵
PID:4668

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:4876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:444

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\9353431270583033\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\9353431270583033\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
Filesize
8KB

MD5
27c0984984114dac6d17e6a07c237c42

SHA1
13746cfcdfa47d2b53bf13318c6761218e4d45ef

SHA256
a92efcfaa827808ba734eb086b83bee153987740bb89894bace60dd31802bfe2

SHA512
bec4023adfdde0af26a9792dbda8a8fdd4eaa175cfe8b4922bbf6a673e99b40da70f25f190d03f01b211ca823cdab45bdb90f14e91bc029f5d48d3149a2dc22c

Download Submit
C:\Users\Public\cxzvasdfg\9353431270583033\A11.chm
Filesize
11KB

MD5
db7961bf21e69e9cdbbfbc5357b6ae84

SHA1
6b43da6f1a502cc3ede9a46a71536e79335e3169

SHA256
49c7fc9d58e588bdcac23d7d576b699d49d5497de8afcb73be23cab89edf3b0e

SHA512
e0c7f502e60c9a15d407416645266614dd1e29c42c4711f1f3e10bd0de4c2404994fc71d3cb73a5ca56977afdf36f96c4e60b2bccce7459a1988877f197312f8

Download Submit
C:\Users\Public\xiaodaxzqxia\1
Filesize
291KB

MD5
66bbcc42fe6cf9c1b890ec4a9049a9d7

SHA1
dd6bf3e2ca01625a1c2d1cd59ec523b55978d32e

SHA256
4950e959cb8ac30540acf2544bbe6a0bdf78e7ea2ce558f248c7f902df29b9ae

SHA512
56daaa94dab1ec09d3a328f78e794d6040822ef26ee5370020e59a9da0e0be7e7c95c4e1805d24cf9270a475219e4dd98aa3a71afc6785df406f99a17110ddb0

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.1MB

MD5
8030310d4a14ad7db433811b6a999683

SHA1
0df42168454db804f8d67fdee7835560bfb3d3ab

SHA256
238e7e4c3a764f8570d7db9612373343385b63ae65c94ac5684d6d52e3745eba

SHA512
049f74881fc50b9b96f002230b689958f75b7215ccc7bb93bda9580c91f7bfec7ca2fecde902be89a3f501c0622f83b6ee71adadbd7f12c9c6d180a2602dc45b

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
16KB

MD5
9a0dd06445e36d0c2fc29cbcfe11d8f9

SHA1
a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb

SHA256
a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92

SHA512
fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
16KB

MD5
9a0dd06445e36d0c2fc29cbcfe11d8f9

SHA1
a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb

SHA256
a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92

SHA512
fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/1256-147-0x00000000020F0000-0x000000000213A000-memory.dmp

Filesize
296KB

Download
memory/1256-148-0x00000000020F0000-0x000000000213A000-memory.dmp

Filesize
296KB

Download
memory/1256-141-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1256-146-0x00000000020F0000-0x000000000213A000-memory.dmp

Filesize
296KB

Download
memory/1256-144-0x00000000020F0000-0x000000000213A000-memory.dmp

Filesize
296KB

Download
memory/1256-143-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1256-177-0x00000000020F0000-0x000000000213A000-memory.dmp

Filesize
296KB

Download
memory/4876-172-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download