blackmoon | ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e

Analysis

max time kernel
135s
max time network
154s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
29-06-2023 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe
Size

1.3MB
MD5

94a84716982065ee4cd63f9771c6f393
SHA1

2c85a761c0b08213ba51b0834fe5c2d91c829845
SHA256

ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e
SHA512

597c63f0387a131ff92d0ed2862f3cb495159fa65418be92c89bc4fc32a0d6af485af5e4cdb429b0e8ee07b2147b769332813e9b8035edb4a7d6a2a44e6b833c
SSDEEP

24576:UlKUaRL9e2/tgjto4mop2S1Jdhegf2h/LyGOn25big2D:6iR7lKmq7dhBSLyGOnuig2D

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1004-81-0x0000000000400000-0x0000000000426000-memory.dmp	family_blackmoon

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

jecxz.exev.exe

pid process

1004 jecxz.exe
1284 v.exe

pid	process
1004	jecxz.exe
1284	v.exe

Loads dropped DLL 2 IoCs

Processes:

ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe

pid	process
1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe
1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1240-66-0x0000000000400000-0x0000000000726000-memory.dmp	upx
behavioral1/memory/1240-70-0x0000000000400000-0x0000000000726000-memory.dmp	upx
behavioral1/memory/1240-85-0x0000000000400000-0x0000000000726000-memory.dmp	upx
behavioral1/memory/1240-92-0x0000000000400000-0x0000000000726000-memory.dmp	upx
behavioral1/memory/1240-95-0x0000000000400000-0x0000000000726000-memory.dmp	upx
behavioral1/memory/1240-112-0x0000000000400000-0x0000000000726000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1700 1240 WerFault.exe ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe

pid	pid_target	process	target process
1700	1240	WerFault.exe	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jecxz.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exejecxz.exe

pid	process
1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe
1004	jecxz.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exejecxz.exe

pid	process
1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe
1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe
1004	jecxz.exe
1004	jecxz.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 1240 wrote to memory of 1724	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	cmd.exe
PID 1240 wrote to memory of 1724	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	cmd.exe
PID 1240 wrote to memory of 1724	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	cmd.exe
PID 1240 wrote to memory of 1724	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	cmd.exe
PID 1724 wrote to memory of 796	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 796	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 796	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 796	1724	cmd.exe	reg.exe
PID 1240 wrote to memory of 1020	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	WScript.exe
PID 1240 wrote to memory of 1020	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	WScript.exe
PID 1240 wrote to memory of 1020	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	WScript.exe
PID 1240 wrote to memory of 1020	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	WScript.exe
PID 1020 wrote to memory of 712	1020	WScript.exe	cmd.exe
PID 1020 wrote to memory of 712	1020	WScript.exe	cmd.exe
PID 1020 wrote to memory of 712	1020	WScript.exe	cmd.exe
PID 1020 wrote to memory of 712	1020	WScript.exe	cmd.exe
PID 712 wrote to memory of 1768	712	cmd.exe	reg.exe
PID 712 wrote to memory of 1768	712	cmd.exe	reg.exe
PID 712 wrote to memory of 1768	712	cmd.exe	reg.exe
PID 712 wrote to memory of 1768	712	cmd.exe	reg.exe
PID 1240 wrote to memory of 1284	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	v.exe
PID 1240 wrote to memory of 1284	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	v.exe
PID 1240 wrote to memory of 1284	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	v.exe
PID 1240 wrote to memory of 1284	1240	ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe
"C:\Users\Admin\AppData\Local\Temp\ec43d1b21b5aa1f46ecf8d87d42b3512ef8ab1238dce21f957e4d2b7f48d199e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
3⤵
PID:796

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\xiaodaxzqxia\A.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\xiaodaxzqxia\n.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
4⤵
PID:1768

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 1004
2⤵
- Program crash
PID:1700

C:\Users\Public\xiaodaxzqxia\jecxz.exe
"C:\Users\Public\xiaodaxzqxia\jecxz.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\xiaodaxzqxia\1
Filesize
257KB

MD5
50f419654aa72e792850a6e6d2d9fe72

SHA1
78e2421c812b6a0c282e2fb77facb709901804f9

SHA256
4164a5f09515a6402b6c6e754906897b9f7fa2f21a9dba1f65ce227f2b220bc8

SHA512
8f9c0a4990c2ff3239dbf53dc5bfbe21952b383336321fa19f1c1ba2052da3694d73abd9d9610fd1dddb9c866e02bd810a0bd587b5a833389e6722f03da39111

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.3MB

MD5
2e7dba2c56e27f263d3d68d43936d84d

SHA1
0b47c3400026a96e682794df4afba1f550009db2

SHA256
d6b14b3a9ae0ee3a5a623e4af77e8a1a4739174d2807a9e1f8a966dcd61ef4ed

SHA512
51f6ea93421b5fdfebf4be765f661322471e099bc22d04b59c78498e849be2eee57ce2a3073e0a8b417ac1f8f476394966415107dbfdf7f402faf2e4fc50be3a

Download Submit
C:\Users\Public\xiaodaxzqxia\A.vbs
Filesize
107B

MD5
bcb223ea9c0598f04684216bcd0e12a6

SHA1
2661c8fbca3654a29fa261def7f16ea23a6f3165

SHA256
ef2113720c94cbe4cb494d6e24d26803b4b1a094e35e4285cd4a2f5665ef2c37

SHA512
77e440462544ca9f711f9241096601060080f5751651cab8a796d57ed74c424f03a9237a653c17a386c1ef654e6192d0e54080632dacff15a28a46564e639682

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
59KB

MD5
f35bd9c3b23391549006311cf0bfff47

SHA1
8d01dcc88b4b969c91fbb0cb81fb1602121236cd

SHA256
ad28076367e295634f4b07091fec9dbab1c8f7c8828f40dcea30c27775fc0060

SHA512
05596f295362581be3814640ead8e175ce76b2edbf4353ac5edcd07deafec2ab6c1031f7e897d4d5a1cab731365d5e01364eefd94104179caa0d86d150ab3f47

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
59KB

MD5
f35bd9c3b23391549006311cf0bfff47

SHA1
8d01dcc88b4b969c91fbb0cb81fb1602121236cd

SHA256
ad28076367e295634f4b07091fec9dbab1c8f7c8828f40dcea30c27775fc0060

SHA512
05596f295362581be3814640ead8e175ce76b2edbf4353ac5edcd07deafec2ab6c1031f7e897d4d5a1cab731365d5e01364eefd94104179caa0d86d150ab3f47

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/1004-79-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1004-82-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1004-84-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1004-81-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1004-78-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1004-73-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1240-85-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/1240-92-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/1240-95-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/1240-70-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/1240-66-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/1240-112-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/1284-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download