blackmoon | a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe
Size

4.7MB
MD5

3d8c45eebb8781f9314a91dcb18bfbed
SHA1

12ef037ce0096d5d5966c4fd399ead0867d07ce8
SHA256

a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328
SHA512

09f276ddc7092a2efe1da3a636dd7fd53e4d80789ebcc2e6b6b35e712d81b2855b8ed9391742e274a435c081c60523c47dd1aec4b0d2c22bfff9704d7083477b
SSDEEP

98304:JyP15fpV4Bkldk2ugRLYyEHFvg3Yz5J/693kTVDio:Gnxyqfk2uWYySauTlio

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/5020-54-0x0000000000400000-0x000000000041B200-memory.dmp	family_blackmoon

Executes dropped EXE 2 IoCs

pid	Process
5020	jecxz.exe
4512	v.exe

Loads dropped DLL 1 IoCs

pid	Process
4512	v.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe
4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe
5020	jecxz.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4512	v.exe
Token: 35	4512	v.exe
Token: SeSecurityPrivilege	4512	v.exe
Token: SeSecurityPrivilege	4512	v.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe
4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe
5020	jecxz.exe
3364	hh.exe
3364	hh.exe
3508	hh.exe
3508	hh.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2768	4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe	83
PID 4636 wrote to memory of 2768	4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe	83
PID 4636 wrote to memory of 2768	4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe	83
PID 2768 wrote to memory of 4028	2768	cmd.exe	85
PID 2768 wrote to memory of 4028	2768	cmd.exe	85
PID 2768 wrote to memory of 4028	2768	cmd.exe	85
PID 4636 wrote to memory of 3404	4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe	86
PID 4636 wrote to memory of 3404	4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe	86
PID 4636 wrote to memory of 3404	4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe	86
PID 3404 wrote to memory of 1052	3404	cmd.exe	88
PID 3404 wrote to memory of 1052	3404	cmd.exe	88
PID 3404 wrote to memory of 1052	3404	cmd.exe	88
PID 4636 wrote to memory of 4512	4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe	101
PID 4636 wrote to memory of 4512	4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe	101
PID 4636 wrote to memory of 4512	4636	a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe	101

C:\Users\Admin\AppData\Local\Temp\a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe
"C:\Users\Admin\AppData\Local\Temp\a992d27d83a456329e4b5419916457cee5ed0fa9fe2ace83e3fc8e79d8089328.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
    3⤵
    PID:4028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\xiaodaxzqxia\n.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
    3⤵
    PID:1052
- C:\Users\Public\xiaodaxzqxia\v.exe
  "C:\Users\Public\xiaodaxzqxia\v.exe" x 111 -y
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3420

C:\Users\Public\xiaodaxzqxia\jecxz.exe
"C:\Users\Public\xiaodaxzqxia\jecxz.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5736139502059468\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:3364

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5736139502059468\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat

Filesize
8KB

MD5
91df9fac8bda71c57362f8c2aee51455

SHA1
5436fed95d0dbdedb067226cdea3ac8305dcd5c9

SHA256
085975a5eb940ba9a57b4c4da9a3a5b6417f86cb01db171fd57aefb2ab4b35eb

SHA512
d7ebf5e019dade35dbbed26b92e3d25eff3e1d3535146c6c70647b88782131073f53f6738fbf29edab8402f8f02f4034a21d5688b7870d5b856d4f7b45523298

Download Submit
C:\Users\Public\cxzvasdfg\5736139502059468\A11.chm

Filesize
9KB

MD5
2342b3ba19855ddd8c3e311b2842bdbb

SHA1
ecec63f62d445bdcc369af3f29df566611c7d4a5

SHA256
257c340891c8007dbb720853244785b8d7433fb70ca0038528b9fde035d0bfe6

SHA512
f5230c860656004d8f860f5b2941b15519cebf7ce6494eefcea6307be4057f5cd6178cbdfca9a022d28fd11cc0d81ed1f2a719ff9a614e28a0eb12f048302cb9

Download Submit
C:\Users\Public\xiaodaxzqxia\1

Filesize
291KB

MD5
88e7cdd82a2a2bc657f2bbff6eb771ce

SHA1
ff0317e84c63d1c3f32f2c6b9e7122bcd9cf803b

SHA256
400c11d62d763283e234e37920637a7a0a6ec6dac58dd29a294361f9ae8c7a58

SHA512
25083da3afcdc13d9bc7e58f4fd4e6c17e08d805bd6b3b7cdf52a46c13cf3894ab02a8242d844be3b4cf1ac3d5364cb4f38666f14bea285bf545cd0e2cec1e3b

Download Submit
C:\Users\Public\xiaodaxzqxia\111

Filesize
423KB

MD5
e76c1da356a0be50cb905c3fb31453c5

SHA1
1de0d0c6898e6ef1fce93e9750f50b064a5edb40

SHA256
5a247ced83690a49b25ae6d42799fce7bf4f2188851346c540b791a2b3096b6c

SHA512
fd7e204480e426bbdb177d56c4732303d164c534db4a1bacd982a60ad827f0107c6a11345fe9192af040d5289b0076d8c096f8ae6377bf5fcfdfc05bff7c08c0

Download Submit
C:\Users\Public\xiaodaxzqxia\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\Users\Public\xiaodaxzqxia\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe

Filesize
39KB

MD5
fc67cfa99cfe6a556a8ad8a730ecdda6

SHA1
2b97fc2c967622fc7415d8c294a1e2e3180d10f2

SHA256
dda997a1a3a0bfb4d5702a88cfb7dfc1bce101a69d311793fe4c7f746845be8f

SHA512
f62fb2f52c6347246e1d5b3b03eb3c74ae3ddf91d6e80d4d5d26d0cf249488f65bf1359cac54e2b65a89894e0400e393f8bc44f21b89971128122a1ce34a2dec

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe

Filesize
39KB

MD5
fc67cfa99cfe6a556a8ad8a730ecdda6

SHA1
2b97fc2c967622fc7415d8c294a1e2e3180d10f2

SHA256
dda997a1a3a0bfb4d5702a88cfb7dfc1bce101a69d311793fe4c7f746845be8f

SHA512
f62fb2f52c6347246e1d5b3b03eb3c74ae3ddf91d6e80d4d5d26d0cf249488f65bf1359cac54e2b65a89894e0400e393f8bc44f21b89971128122a1ce34a2dec

Download Submit
C:\Users\Public\xiaodaxzqxia\n.cmd

Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
memory/4636-0-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/4636-52-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/5020-22-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/5020-23-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/5020-24-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/5020-21-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/5020-19-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/5020-20-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/5020-17-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/5020-15-0x0000000000400000-0x000000000041B200-memory.dmp

Filesize
108KB

Download
memory/5020-53-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/5020-54-0x0000000000400000-0x000000000041B200-memory.dmp

Filesize
108KB

Download