blackmoon | b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296

Analysis

max time kernel
134s
max time network
153s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28-06-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe
Size

1.3MB
MD5

0b037e3d12262a1638c1217fae8773a1
SHA1

e233cc1d6d71034f77d17d89658d2052b1038db5
SHA256

b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296
SHA512

35a2381a73e56718ff6d55661708a0230a4de2c3770ff7b5825f22dfc1a757515a5555a14fce737d9806406df3833c7f415a15a30b3ff67fcc43f3239b408529
SSDEEP

24576:fzgTLkcevOAJHPSTacyR3uunznkX4C+YyRGG6yaHDMEw:fzgTOey7gX4KiSD0

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
\Users\Public\xiaodaxzqxia\jecxz.exe	family_blackmoon
C:\Users\Public\xiaodaxzqxia\jecxz.exe	family_blackmoon
\Users\Public\xiaodaxzqxia\jecxz.exe	family_blackmoon
C:\Users\Public\xiaodaxzqxia\jecxz.exe	family_blackmoon

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

jecxz.exev.exe

pid process

1552 jecxz.exe
1580 v.exe

pid	process
1552	jecxz.exe
1580	v.exe

Loads dropped DLL 4 IoCs

Processes:

b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe

pid	process
1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe
1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe
1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe
1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1240-66-0x0000000000400000-0x0000000000717000-memory.dmp	upx
behavioral1/memory/1240-80-0x0000000000400000-0x0000000000717000-memory.dmp	upx
behavioral1/memory/1240-87-0x0000000000400000-0x0000000000717000-memory.dmp	upx
behavioral1/memory/1240-95-0x0000000000400000-0x0000000000717000-memory.dmp	upx
behavioral1/memory/1240-113-0x0000000000400000-0x0000000000717000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1864 1240 WerFault.exe b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe

pid	pid_target	process	target process
1864	1240	WerFault.exe	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

hh.exehh.exehh.exehh.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe

pid process

1240 b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exejecxz.exehh.exehh.exehh.exehh.exe

pid	process
1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe
1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe
1552	jecxz.exe
1052	hh.exe
1052	hh.exe
692	hh.exe
692	hh.exe
476	hh.exe
476	hh.exe
1700	hh.exe
1700	hh.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 1240 wrote to memory of 1216	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	cmd.exe
PID 1240 wrote to memory of 1216	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	cmd.exe
PID 1240 wrote to memory of 1216	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	cmd.exe
PID 1240 wrote to memory of 1216	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	cmd.exe
PID 1240 wrote to memory of 1020	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	WScript.exe
PID 1240 wrote to memory of 1020	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	WScript.exe
PID 1240 wrote to memory of 1020	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	WScript.exe
PID 1240 wrote to memory of 1020	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	WScript.exe
PID 1216 wrote to memory of 620	1216	cmd.exe	reg.exe
PID 1216 wrote to memory of 620	1216	cmd.exe	reg.exe
PID 1216 wrote to memory of 620	1216	cmd.exe	reg.exe
PID 1216 wrote to memory of 620	1216	cmd.exe	reg.exe
PID 1020 wrote to memory of 712	1020	WScript.exe	cmd.exe
PID 1020 wrote to memory of 712	1020	WScript.exe	cmd.exe
PID 1020 wrote to memory of 712	1020	WScript.exe	cmd.exe
PID 1020 wrote to memory of 712	1020	WScript.exe	cmd.exe
PID 712 wrote to memory of 1768	712	cmd.exe	reg.exe
PID 712 wrote to memory of 1768	712	cmd.exe	reg.exe
PID 712 wrote to memory of 1768	712	cmd.exe	reg.exe
PID 712 wrote to memory of 1768	712	cmd.exe	reg.exe
PID 1240 wrote to memory of 1552	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	jecxz.exe
PID 1240 wrote to memory of 1552	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	jecxz.exe
PID 1240 wrote to memory of 1552	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	jecxz.exe
PID 1240 wrote to memory of 1552	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	jecxz.exe
PID 1240 wrote to memory of 1580	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	v.exe
PID 1240 wrote to memory of 1580	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	v.exe
PID 1240 wrote to memory of 1580	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	v.exe
PID 1240 wrote to memory of 1580	1240	b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe
"C:\Users\Admin\AppData\Local\Temp\b029c08789c6001aa1f9e870a06ef049433d0cc25becc1beb9f0d6302508b296.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
3⤵
PID:620

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\xiaodaxzqxia\A.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\xiaodaxzqxia\n.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
4⤵
PID:1768

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 956
2⤵
- Program crash
PID:1864

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\7640156142027398\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:692

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\7640156142027398\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\7640156142027398\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:476

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\7640156142027398\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat

Filesize
8KB

MD5
4c16c0b8b51f70016d273fac84b049a8

SHA1
278e655c8c5d866fea981fc5a8c281386a514c8e

SHA256
2feabf8bf26dac43725d4799e39ad3f370eac8f5a3dc29f7eb0dfd28f9ed590d

SHA512
bcd81f84786e22cd2dfaa9b2af97aed162870adaf40926020663fae7a6fb1a84a3b1aa51dfa54699cfbaf2d2dc3d584f95f8e675bf081f80ff56286699a59d7f

Download Submit
C:\Users\Public\cxzvasdfg\7640156142027398\A11.chm

Filesize
9KB

MD5
2342b3ba19855ddd8c3e311b2842bdbb

SHA1
ecec63f62d445bdcc369af3f29df566611c7d4a5

SHA256
257c340891c8007dbb720853244785b8d7433fb70ca0038528b9fde035d0bfe6

SHA512
f5230c860656004d8f860f5b2941b15519cebf7ce6494eefcea6307be4057f5cd6178cbdfca9a022d28fd11cc0d81ed1f2a719ff9a614e28a0eb12f048302cb9

Download Submit
C:\Users\Public\xiaodaxzqxia\1

Filesize
291KB

MD5
41491b143fa836c282aeba0f13969c6c

SHA1
f321d3e7b6834b71f9ddf7bba93fc919972afd63

SHA256
7ac8e8505b31643f18945df4acd88d8afd5738bdf36f2954ace446fe4f8250ad

SHA512
dd42914d25d2dc686909017e8500db22a478b74571a1a87ad6568d2a71a2d1c605d534facdecbf29ed79c9d0be2d4fbf74301393ff49bb72ada1459044ca07cf

Download Submit
C:\Users\Public\xiaodaxzqxia\111

Filesize
459KB

MD5
fec66e83d76cb59ec338b4f69f545ffd

SHA1
73054f1a52af4d16a980c0716d8a65c505b6f7b2

SHA256
eed8361a9ef3e72da41913733b697279c964a423517a0220b93a25befaacf120

SHA512
cc8fa3cb5544cca63b4a25222b8f30b1279c135fe80c4d7282fd21a0e909f8c47c86612e90d9bd81f59d2b2010e35082965b8253c77e2ecb1c95ba1da7f0c1fc

Download Submit
C:\Users\Public\xiaodaxzqxia\A.vbs

Filesize
107B

MD5
bcb223ea9c0598f04684216bcd0e12a6

SHA1
2661c8fbca3654a29fa261def7f16ea23a6f3165

SHA256
ef2113720c94cbe4cb494d6e24d26803b4b1a094e35e4285cd4a2f5665ef2c37

SHA512
77e440462544ca9f711f9241096601060080f5751651cab8a796d57ed74c424f03a9237a653c17a386c1ef654e6192d0e54080632dacff15a28a46564e639682

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe

Filesize
80KB

MD5
b3252b687b3c8af8aefaf9a9207a4182

SHA1
e58ffa59b59fede7ee9dd18126be4950e6f6ccf9

SHA256
103ec95089baac16f23c3f6ace40d5a5817bee5eb1ec079eadfbd64a0117aa98

SHA512
6a9caa4e910ed73a8566933a1ddbed91b296b2f301b7ceb372d3c2c5bfaf7a333c1174fa9037eb7fbcfc0d922f808749f486bc5faddb5b060362d9b4a80cfa62

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe

Filesize
80KB

MD5
b3252b687b3c8af8aefaf9a9207a4182

SHA1
e58ffa59b59fede7ee9dd18126be4950e6f6ccf9

SHA256
103ec95089baac16f23c3f6ace40d5a5817bee5eb1ec079eadfbd64a0117aa98

SHA512
6a9caa4e910ed73a8566933a1ddbed91b296b2f301b7ceb372d3c2c5bfaf7a333c1174fa9037eb7fbcfc0d922f808749f486bc5faddb5b060362d9b4a80cfa62

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe

Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe

Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\jecxz.exe

Filesize
80KB

MD5
b3252b687b3c8af8aefaf9a9207a4182

SHA1
e58ffa59b59fede7ee9dd18126be4950e6f6ccf9

SHA256
103ec95089baac16f23c3f6ace40d5a5817bee5eb1ec079eadfbd64a0117aa98

SHA512
6a9caa4e910ed73a8566933a1ddbed91b296b2f301b7ceb372d3c2c5bfaf7a333c1174fa9037eb7fbcfc0d922f808749f486bc5faddb5b060362d9b4a80cfa62

Download Submit
\Users\Public\xiaodaxzqxia\jecxz.exe

Filesize
80KB

MD5
b3252b687b3c8af8aefaf9a9207a4182

SHA1
e58ffa59b59fede7ee9dd18126be4950e6f6ccf9

SHA256
103ec95089baac16f23c3f6ace40d5a5817bee5eb1ec079eadfbd64a0117aa98

SHA512
6a9caa4e910ed73a8566933a1ddbed91b296b2f301b7ceb372d3c2c5bfaf7a333c1174fa9037eb7fbcfc0d922f808749f486bc5faddb5b060362d9b4a80cfa62

Download Submit
\Users\Public\xiaodaxzqxia\v.exe

Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe

Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/1240-87-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1240-80-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1240-95-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1240-66-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1240-113-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1552-81-0x0000000000300000-0x000000000034A000-memory.dmp

Filesize
296KB

Download
memory/1552-78-0x0000000000300000-0x000000000034A000-memory.dmp

Filesize
296KB

Download
memory/1552-77-0x0000000000300000-0x000000000034A000-memory.dmp

Filesize
296KB

Download
memory/1552-112-0x0000000000300000-0x000000000034A000-memory.dmp

Filesize
296KB

Download
memory/1580-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download