blackmoon | 41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
25-06-2023 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe
Size

233KB
MD5

f7c625d7263c18ecc8168c219dc9724c
SHA1

d2420a7a7e230efb3a7747c82cc6c45cac439a1f
SHA256

41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72
SHA512

78844189eba5420cdcf0ed13fb65cfd1a0fdafffd25fde409a376b49143910fa7ad2c367499e7beb70f872aea3172cabf909dd7ce312598177c648f9b7f8ae90
SSDEEP

6144:t5/xaoPuPKgyVX1e6IreazzIb4iue7G2r:t7a4lJ1e6IrotG2r

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe	family_blackmoon

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NIEPAN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\R\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\R.sys"	NIEPAN.exe

Executes dropped EXE 3 IoCs

Processes:

NIEPAN.exeJQM.exekdmapper.exe

pid process

872 NIEPAN.exe
848 JQM.exe
1364 kdmapper.exe
Loads dropped DLL 4 IoCs

Processes:

NIEPAN.exeJQM.execmd.exe

pid process

872 NIEPAN.exe
848 JQM.exe
848 JQM.exe
1920 cmd.exe

pid	process
872	NIEPAN.exe
848	JQM.exe
1364	kdmapper.exe

pid	process
872	NIEPAN.exe
848	JQM.exe
848	JQM.exe
1920	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Local\Temp\\NIEPAN.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe"	41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 5 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\JQM.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\JQM.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\JQM.exe	nsis_installer_2

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1800 taskkill.exe
552 taskkill.exe
432 taskkill.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

NIEPAN.exe

pid process

872 NIEPAN.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

460
460
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1800 taskkill.exe
Token: SeDebugPrivilege 552 taskkill.exe
Token: SeDebugPrivilege 432 taskkill.exe

pid	process
1800	taskkill.exe
552	taskkill.exe
432	taskkill.exe

pid	process
872	NIEPAN.exe

pid	process
460
460

description	pid	process
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.execmd.exeNIEPAN.exeJQM.execmd.exe

description	pid	process	target process
PID 1252 wrote to memory of 1244	1252	41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe	cmd.exe
PID 1252 wrote to memory of 1244	1252	41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe	cmd.exe
PID 1252 wrote to memory of 1244	1252	41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe	cmd.exe
PID 1244 wrote to memory of 872	1244	cmd.exe	NIEPAN.exe
PID 1244 wrote to memory of 872	1244	cmd.exe	NIEPAN.exe
PID 1244 wrote to memory of 872	1244	cmd.exe	NIEPAN.exe
PID 1244 wrote to memory of 872	1244	cmd.exe	NIEPAN.exe
PID 872 wrote to memory of 848	872	NIEPAN.exe	JQM.exe
PID 872 wrote to memory of 848	872	NIEPAN.exe	JQM.exe
PID 872 wrote to memory of 848	872	NIEPAN.exe	JQM.exe
PID 872 wrote to memory of 848	872	NIEPAN.exe	JQM.exe
PID 848 wrote to memory of 1920	848	JQM.exe	cmd.exe
PID 848 wrote to memory of 1920	848	JQM.exe	cmd.exe
PID 848 wrote to memory of 1920	848	JQM.exe	cmd.exe
PID 848 wrote to memory of 1920	848	JQM.exe	cmd.exe
PID 1920 wrote to memory of 1364	1920	cmd.exe	kdmapper.exe
PID 1920 wrote to memory of 1364	1920	cmd.exe	kdmapper.exe
PID 1920 wrote to memory of 1364	1920	cmd.exe	kdmapper.exe
PID 1920 wrote to memory of 1364	1920	cmd.exe	kdmapper.exe
PID 1920 wrote to memory of 1800	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 1800	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 1800	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 1800	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 552	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 552	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 552	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 552	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 432	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 432	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 432	1920	cmd.exe	taskkill.exe
PID 1920 wrote to memory of 432	1920	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe
"C:\Users\Admin\AppData\Local\Temp\41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\NIEPAN.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe
C:\Users\Admin\AppData\Local\Temp\\NIEPAN.exe
3⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\JQM.exe
C:\Users\Admin\AppData\Local\Temp\JQM.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ÐÂ½¨ÎÄ¼þ¼Ð\bhWm.bat
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\ÐÂ½¨ÎÄ¼þ¼Ð\kdmapper.exe
kdmapper.exe Null.sys
6⤵
- Executes dropped EXE
PID:1364

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JQM.exe
Filesize
164KB

MD5
22a93b1e9dc4a606f774f63efab9593b

SHA1
40c9b1d8e1c829dab298cf7f79c5e2b9a3db77d5

SHA256
1a776d1cafe55d8f50cb86eb977e6936be349b3b46fa632013d0d69b8ec20e84

SHA512
9629bee1537d824f71f82a54077a75a6d69b184a63ffb8fa03ef73b53c26f2f0612eba131341efc0c2945bd4b0016691ac40207c5957b1ae6b9417954bff3313

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQM.exe
Filesize
164KB

MD5
22a93b1e9dc4a606f774f63efab9593b

SHA1
40c9b1d8e1c829dab298cf7f79c5e2b9a3db77d5

SHA256
1a776d1cafe55d8f50cb86eb977e6936be349b3b46fa632013d0d69b8ec20e84

SHA512
9629bee1537d824f71f82a54077a75a6d69b184a63ffb8fa03ef73b53c26f2f0612eba131341efc0c2945bd4b0016691ac40207c5957b1ae6b9417954bff3313

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe
Filesize
194KB

MD5
be4769e52155fad728b27ddbb7cad92b

SHA1
ffbd07acf14b41ee569e7da98cda2ce3beceb769

SHA256
2a86f387314411d6f91b66439e0c3ef82d37e7060dcbe0dc098d2c52f41fbcab

SHA512
525d2479a0cc5bf42a4d113eda4bf5069ef07abe56f6ed7962e0410b374ac14ff252346b2a8a20269910b13d597b829f4d50ca130049e116ed5cc96de856d80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe
Filesize
194KB

MD5
be4769e52155fad728b27ddbb7cad92b

SHA1
ffbd07acf14b41ee569e7da98cda2ce3beceb769

SHA256
2a86f387314411d6f91b66439e0c3ef82d37e7060dcbe0dc098d2c52f41fbcab

SHA512
525d2479a0cc5bf42a4d113eda4bf5069ef07abe56f6ed7962e0410b374ac14ff252346b2a8a20269910b13d597b829f4d50ca130049e116ed5cc96de856d80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy2040.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy2040.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÂ½¨ÎÄ¼þ¼Ð\bhWm.bat
Filesize
137B

MD5
e74a5a81e2c45c7bfb4a7e96d3a0c733

SHA1
26c4f82ba5cee30cab96fab7cd2d8c1fd2552566

SHA256
7b25b47ccc09d1156fec0913b7000659eae1bedd7efafbd17d0dc45fb2714ad5

SHA512
bdd70104091d52b8a1bd4e79dfd1eec3fb4c752fa8179661f40f5b0cc6b7e8bf9bfbb55687cb2f30669c2f883666c806ca08ec7e8d121223402232a90dc6db99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÂ½¨ÎÄ¼þ¼Ð\bhWm.bat
Filesize
137B

MD5
e74a5a81e2c45c7bfb4a7e96d3a0c733

SHA1
26c4f82ba5cee30cab96fab7cd2d8c1fd2552566

SHA256
7b25b47ccc09d1156fec0913b7000659eae1bedd7efafbd17d0dc45fb2714ad5

SHA512
bdd70104091d52b8a1bd4e79dfd1eec3fb4c752fa8179661f40f5b0cc6b7e8bf9bfbb55687cb2f30669c2f883666c806ca08ec7e8d121223402232a90dc6db99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÂ½¨ÎÄ¼þ¼Ð\kdmapper.exe
Filesize
107KB

MD5
d63c0a558ae60ae055d8f2aae1d0a494

SHA1
51ed78431c44402abcea6913ecf845e1662777ba

SHA256
779411d073c1aaefc7df224c9e972fd3ea848944b7fa92412c5cd71da512a729

SHA512
c2f421be696ac398d158a9da6fe6586b7bd1f528bc94f7b295d65f12d515584c4d78cb901ae667c925f60182e62815fe8c64b95c6806f95cd2facfd4db52f55b

Download Submit
\Users\Admin\AppData\Local\Temp\JQM.exe
Filesize
164KB

MD5
22a93b1e9dc4a606f774f63efab9593b

SHA1
40c9b1d8e1c829dab298cf7f79c5e2b9a3db77d5

SHA256
1a776d1cafe55d8f50cb86eb977e6936be349b3b46fa632013d0d69b8ec20e84

SHA512
9629bee1537d824f71f82a54077a75a6d69b184a63ffb8fa03ef73b53c26f2f0612eba131341efc0c2945bd4b0016691ac40207c5957b1ae6b9417954bff3313

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2040.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2040.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\ÐÂ½¨ÎÄ¼þ¼Ð\kdmapper.exe
Filesize
107KB

MD5
d63c0a558ae60ae055d8f2aae1d0a494

SHA1
51ed78431c44402abcea6913ecf845e1662777ba

SHA256
779411d073c1aaefc7df224c9e972fd3ea848944b7fa92412c5cd71da512a729

SHA512
c2f421be696ac398d158a9da6fe6586b7bd1f528bc94f7b295d65f12d515584c4d78cb901ae667c925f60182e62815fe8c64b95c6806f95cd2facfd4db52f55b

Download Submit