blackmoon | cede6ac238893e42da9d3df998429d991ff02cdcd018f7de4e7b379c3d5fdc6a

General

Target

fwexe.exe
Size

84KB
MD5

bc6da13176887a094ff712a2e2a58ba4
SHA1

e67aff93f62eaf757b3167d86936cb71d653c8cf
SHA256

cede6ac238893e42da9d3df998429d991ff02cdcd018f7de4e7b379c3d5fdc6a
SHA512

555a7898693be4d4c5b265a6ed14656515efafd1f03beeb248e6aafafe3638095d39d5eb60589f74b5ca46a2fd835f182ca54ed0e1ad600c53098b57f57ed016
SSDEEP

1536:qZye8psDhdvoYIflDvf+RBe50UE8Feu6JsuDTpU0WyTwJg:6vdvYlDvWRBeiUDTBwVU0H8O

Score

10^/10

blackmoon banker persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1068-54-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral1/memory/1068-55-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral1/memory/1068-56-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral1/memory/1068-62-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon

Downloads MZ/PE file

Drops file in Drivers directory 8 IoCs

Processes:

svchosh.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Drivers\9DgUGMD.sys	svchosh.exe
File created	C:\Windows\system32\Drivers\9DgUGMD.sys	svchosh.exe
File opened for modification	C:\Windows\system32\Drivers\exrVRwv.sys	svchosh.exe
File created	C:\Windows\system32\Drivers\exrVRwv.sys	svchosh.exe
File opened for modification	C:\Windows\system32\Drivers\12WvgkIwzo.sys	svchosh.exe
File created	C:\Windows\system32\Drivers\12WvgkIwzo.sys	svchosh.exe
File opened for modification	C:\Windows\system32\Drivers\P8XLghpxVi.sys	svchosh.exe
File created	C:\Windows\system32\Drivers\P8XLghpxVi.sys	svchosh.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchosh.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\12WvgkIwzo\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\12WvgkIwzo.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\P8XLghpxVi\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\P8XLghpxVi.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\9DgUGMD\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\9DgUGMD.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\X9s4QcMBSlr\ImagePath = "\\??\\C:\\ProgramData\\Microsoft\\Network\\X9s4QcMBSlr.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uYrUkR6s\ImagePath = "\\??\\C:\\PerfLogs\\Admin\\uYrUkR6s.sys"	svchosh.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\exrVRwv\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\exrVRwv.sys"	svchosh.exe

Executes dropped EXE 3 IoCs

Processes:

zlib.exesvchosh.exedrx.exe

pid process

572 zlib.exe
984 svchosh.exe
948 drx.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

316 cmd.exe
316 cmd.exe

pid	process
572	zlib.exe
984	svchosh.exe
948	drx.exe

pid	process
316	cmd.exe
316	cmd.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1068-54-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1068-55-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1068-56-0x0000000000400000-0x0000000000454000-memory.dmp	upx
C:\Windows\zlib.exe	upx
behavioral1/memory/1068-62-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/572-76-0x0000000000A80000-0x0000000000BCE000-memory.dmp	upx
\Windows\Temp\drxm\drx.exe	upx
C:\Windows\Temp\drxm\drx.exe	upx
behavioral1/memory/948-86-0x000000013F1C0000-0x000000013F29B000-memory.dmp	upx
behavioral1/memory/948-122-0x000000013F1C0000-0x000000013F29B000-memory.dmp	upx
C:\Windows\Temp\drxm\drx.exe	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchosh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	svchosh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svchosh.exe

Drops file in Windows directory 1 IoCs

Processes:

fwexe.exe

description ioc process

File created C:\Windows\zlib.exe fwexe.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1856 PING.EXE

description	ioc	process
File created	C:\Windows\zlib.exe	fwexe.exe

pid	process
1856	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

svchosh.exedrx.execonvert.exe

pid	process
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe
948	drx.exe
948	drx.exe
948	drx.exe
948	drx.exe
948	drx.exe
948	drx.exe
948	drx.exe
1504	convert.exe
1504	convert.exe

Suspicious behavior: LoadsDriver 12 IoCs

Processes:

svchosh.exe

pid	process
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe
984	svchosh.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

svchosh.exedrx.exe

description	pid	process
Token: SeDebugPrivilege	984	svchosh.exe
Token: SeDebugPrivilege	984	svchosh.exe
Token: SeDebugPrivilege	984	svchosh.exe
Token: SeLoadDriverPrivilege	984	svchosh.exe
Token: SeDebugPrivilege	984	svchosh.exe
Token: SeLoadDriverPrivilege	984	svchosh.exe
Token: SeDebugPrivilege	984	svchosh.exe
Token: SeDebugPrivilege	948	drx.exe
Token: SeTcbPrivilege	948	drx.exe
Token: SeLoadDriverPrivilege	984	svchosh.exe
Token: SeDebugPrivilege	984	svchosh.exe
Token: SeDebugPrivilege	948	drx.exe
Token: SeIncBasePriorityPrivilege	948	drx.exe
Token: SeLoadDriverPrivilege	984	svchosh.exe
Token: SeDebugPrivilege	984	svchosh.exe
Token: SeLoadDriverPrivilege	984	svchosh.exe
Token: SeDebugPrivilege	984	svchosh.exe
Token: SeLoadDriverPrivilege	984	svchosh.exe
Token: SeDebugPrivilege	984	svchosh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fwexe.exe

pid process

1068 fwexe.exe

pid	process
1068	fwexe.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

fwexe.exezlib.execmd.exedrx.exe

description	pid	process	target process
PID 1068 wrote to memory of 572	1068	fwexe.exe	zlib.exe
PID 1068 wrote to memory of 572	1068	fwexe.exe	zlib.exe
PID 1068 wrote to memory of 572	1068	fwexe.exe	zlib.exe
PID 1068 wrote to memory of 572	1068	fwexe.exe	zlib.exe
PID 572 wrote to memory of 316	572	zlib.exe	cmd.exe
PID 572 wrote to memory of 316	572	zlib.exe	cmd.exe
PID 572 wrote to memory of 316	572	zlib.exe	cmd.exe
PID 572 wrote to memory of 316	572	zlib.exe	cmd.exe
PID 316 wrote to memory of 984	316	cmd.exe	svchosh.exe
PID 316 wrote to memory of 984	316	cmd.exe	svchosh.exe
PID 316 wrote to memory of 984	316	cmd.exe	svchosh.exe
PID 316 wrote to memory of 984	316	cmd.exe	svchosh.exe
PID 316 wrote to memory of 1856	316	cmd.exe	PING.EXE
PID 316 wrote to memory of 1856	316	cmd.exe	PING.EXE
PID 316 wrote to memory of 1856	316	cmd.exe	PING.EXE
PID 316 wrote to memory of 1856	316	cmd.exe	PING.EXE
PID 316 wrote to memory of 948	316	cmd.exe	drx.exe
PID 316 wrote to memory of 948	316	cmd.exe	drx.exe
PID 316 wrote to memory of 948	316	cmd.exe	drx.exe
PID 316 wrote to memory of 948	316	cmd.exe	drx.exe
PID 948 wrote to memory of 1504	948	drx.exe	convert.exe
PID 948 wrote to memory of 1504	948	drx.exe	convert.exe
PID 948 wrote to memory of 1504	948	drx.exe	convert.exe
PID 948 wrote to memory of 1504	948	drx.exe	convert.exe
PID 948 wrote to memory of 1504	948	drx.exe	convert.exe
PID 948 wrote to memory of 1504	948	drx.exe	convert.exe
PID 948 wrote to memory of 1504	948	drx.exe	convert.exe
PID 948 wrote to memory of 1504	948	drx.exe	convert.exe
PID 948 wrote to memory of 1820	948	drx.exe	cmd.exe
PID 948 wrote to memory of 1820	948	drx.exe	cmd.exe
PID 948 wrote to memory of 1820	948	drx.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fwexe.exe
"C:\Users\Admin\AppData\Local\Temp\fwexe.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\zlib.exe
  C:\Windows\\zlib.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\temp\drxm\xm.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\Temp\drxm\svchosh.exe
      C:\Windows\Temp\drxm\\svchosh.exe
      4⤵
      Drops file in Drivers directory
      Sets service image path in registry
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: LoadsDriver
      Suspicious use of AdjustPrivilegeToken
      PID:984
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1856
  - - C:\Windows\Temp\drxm\drx.exe
      C:\Windows\Temp\drxm\\drx.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Windows\system32\convert.exe
        
        "C:\Windows\system32\convert.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Windows\Temp\drxm\drx.exe"
        5⤵
        
        PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\drxm\drx.exe

Filesize
222KB

MD5
fda6409e19a40a1b6dc73568199331f7

SHA1
a61f7250bd1f776c3dc63eaf12770690a399f25d

SHA256
b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

SHA512
e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

Download Submit
C:\Windows\Temp\drxm\drx.exe

Filesize
222KB

MD5
fda6409e19a40a1b6dc73568199331f7

SHA1
a61f7250bd1f776c3dc63eaf12770690a399f25d

SHA256
b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

SHA512
e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

Download Submit
C:\Windows\Temp\drxm\svchosh.exe

Filesize
766KB

MD5
a6dc95dbe25ef89c40c6943ab64d8b2d

SHA1
0d01f835a589191b6c28d264ee34a318df63012f

SHA256
8515560816e2e3caac0653012822b3fcc452568ce5544b97d19dbaccb03a03c5

SHA512
e8af6f224ad5deb8adcb63dc5f1feda67575f8c42da5969da335f536010c91879b3da9f128e6f949109ad848bd2eb9e962a51bc1a4e7b777a03d9f6f915954f9

Download Submit
C:\Windows\Temp\drxm\xm.bat

Filesize
203B

MD5
7ad87393edbfa2718bb172d84eb7ffc8

SHA1
59e87ca229b3fa0a4d023571d9b23e7652fe91a9

SHA256
638a70fc5c280af5821d6cc6a03877229a6458ed56df156c91fd0ec8f1a5965c

SHA512
ebed640fcf594e26fb175079160ee47c9dffb864f23903b588ee5d12910f3d35204ccd991ef46695a1a8da1531386d317256295eaeb2fe32fe5d86f843acbde6

Download Submit
C:\Windows\temp\drxm\xm.bat

Filesize
203B

MD5
7ad87393edbfa2718bb172d84eb7ffc8

SHA1
59e87ca229b3fa0a4d023571d9b23e7652fe91a9

SHA256
638a70fc5c280af5821d6cc6a03877229a6458ed56df156c91fd0ec8f1a5965c

SHA512
ebed640fcf594e26fb175079160ee47c9dffb864f23903b588ee5d12910f3d35204ccd991ef46695a1a8da1531386d317256295eaeb2fe32fe5d86f843acbde6

Download Submit
C:\Windows\zlib.exe

Filesize
1.1MB

MD5
2156499ed40b54d8602275a06fa527b9

SHA1
88bfaffeaf61e7c5dd2c5f9f60307adedbb6566f

SHA256
6933b2cb03952e5894ae9fcda474d628fd58b982167c6e70f1af468299c71223

SHA512
dc15fd515e411512072ceb033e9819865dc60908965a70b30ef435011f70e5c33e9485bc31e01bc30dd96cc8761d5eca6ae4de076d1b0f7ed8e328550c1ffae3

Download Submit
\Windows\Temp\drxm\drx.exe

Filesize
222KB

MD5
fda6409e19a40a1b6dc73568199331f7

SHA1
a61f7250bd1f776c3dc63eaf12770690a399f25d

SHA256
b4937c04c982c68bacaeb575765d01aa5cdcacc8d42bfd7d62a51e19a1b4e0e5

SHA512
e33c360527cd6af875b60bce8ad95ded315a310975c62e122895b8957c3ebbd16ed984a8834e7c83bf690a0f92bdec773fb9c7ddb3a56ff10705c5520b0e0e84

Download Submit
\Windows\Temp\drxm\svchosh.exe

Filesize
766KB

MD5
a6dc95dbe25ef89c40c6943ab64d8b2d

SHA1
0d01f835a589191b6c28d264ee34a318df63012f

SHA256
8515560816e2e3caac0653012822b3fcc452568ce5544b97d19dbaccb03a03c5

SHA512
e8af6f224ad5deb8adcb63dc5f1feda67575f8c42da5969da335f536010c91879b3da9f128e6f949109ad848bd2eb9e962a51bc1a4e7b777a03d9f6f915954f9

Download Submit
memory/572-76-0x0000000000A80000-0x0000000000BCE000-memory.dmp

Filesize
1.3MB

Download
memory/948-86-0x000000013F1C0000-0x000000013F29B000-memory.dmp

Filesize
876KB

Download
memory/948-93-0x000007FE7F7B0000-0x000007FE7F7B1000-memory.dmp

Filesize
4KB

Download
memory/948-122-0x000000013F1C0000-0x000000013F29B000-memory.dmp

Filesize
876KB

Download
memory/948-92-0x000007FE7F7A0000-0x000007FE7F7A1000-memory.dmp

Filesize
4KB

Download
memory/948-90-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/948-91-0x000007FE7F790000-0x000007FE7F791000-memory.dmp

Filesize
4KB

Download
memory/1068-54-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1068-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1068-56-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1068-55-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1504-116-0x0000000000180000-0x0000000000577000-memory.dmp

Filesize
4.0MB

Download
memory/1504-117-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1504-120-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1504-121-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1504-124-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1504-126-0x0000000002070000-0x000000000246C000-memory.dmp

Filesize
4.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads