blackmoon | cd1d744dc39adf50bc17b587d203d5fce77995c4c51cc0438187dfc9eabbd948

General

Target

py-hzz.msi
Size

118.5MB
MD5

647864bf491144519120e6aef0ccee2b
SHA1

aa0f4f5ae485cc31c80d1241442bd07710db353e
SHA256

1e87ebcf8bf36d40079573ee61efb7f4e7f70b46c85ca1888899490b4be5f98d
SHA512

12bdbed6a35d0c22e3266f1356ad8261d66d539be4e344084aeb7a3d05d438081ffd328ba6da9028f745b17e50af96b27e80ebc7cec2969acda308657c7019c1
SSDEEP

3145728:n92fD6MoAr3Z1q3oeZJDN/Mfm1eoT1Fl0f5yQBtmpX4:gfD6Moc3a3oeZnMGBRsdtmR

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Public\Videos\study95\2.dll	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

QuickQ.exe

pid process

3524 QuickQ.exe
Loads dropped DLL 2 IoCs

Processes:

QuickQ.exe

pid process

3524 QuickQ.exe
3524 QuickQ.exe

pid	process
3524	QuickQ.exe

pid	process
3524	QuickQ.exe
3524	QuickQ.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Program Files directory 2 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\搜狗输入法\搜狗输入法\QuickQ.exe	msiexec.exe
File created	C:\Program Files (x86)\搜狗输入法\搜狗输入法\1.exe	msiexec.exe

Drops file in Windows directory 7 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E4458E65-796A-4E15-A2C6-AC6ECD7989A5}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC3C8.tmp	msiexec.exe
File created	C:\Windows\Installer\e58beb7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58beb7.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000055d7aba751873b30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000055d7aba0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900055d7aba000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d055d7aba000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000055d7aba00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

4184 msiexec.exe
4184 msiexec.exe

pid	process
4184	msiexec.exe
4184	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	3328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3328	msiexec.exe
Token: SeSecurityPrivilege	4184	msiexec.exe
Token: SeCreateTokenPrivilege	3328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3328	msiexec.exe
Token: SeLockMemoryPrivilege	3328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3328	msiexec.exe
Token: SeMachineAccountPrivilege	3328	msiexec.exe
Token: SeTcbPrivilege	3328	msiexec.exe
Token: SeSecurityPrivilege	3328	msiexec.exe
Token: SeTakeOwnershipPrivilege	3328	msiexec.exe
Token: SeLoadDriverPrivilege	3328	msiexec.exe
Token: SeSystemProfilePrivilege	3328	msiexec.exe
Token: SeSystemtimePrivilege	3328	msiexec.exe
Token: SeProfSingleProcessPrivilege	3328	msiexec.exe
Token: SeIncBasePriorityPrivilege	3328	msiexec.exe
Token: SeCreatePagefilePrivilege	3328	msiexec.exe
Token: SeCreatePermanentPrivilege	3328	msiexec.exe
Token: SeBackupPrivilege	3328	msiexec.exe
Token: SeRestorePrivilege	3328	msiexec.exe
Token: SeShutdownPrivilege	3328	msiexec.exe
Token: SeDebugPrivilege	3328	msiexec.exe
Token: SeAuditPrivilege	3328	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3328	msiexec.exe
Token: SeChangeNotifyPrivilege	3328	msiexec.exe
Token: SeRemoteShutdownPrivilege	3328	msiexec.exe
Token: SeUndockPrivilege	3328	msiexec.exe
Token: SeSyncAgentPrivilege	3328	msiexec.exe
Token: SeEnableDelegationPrivilege	3328	msiexec.exe
Token: SeManageVolumePrivilege	3328	msiexec.exe
Token: SeImpersonatePrivilege	3328	msiexec.exe
Token: SeCreateGlobalPrivilege	3328	msiexec.exe
Token: SeBackupPrivilege	2664	vssvc.exe
Token: SeRestorePrivilege	2664	vssvc.exe
Token: SeAuditPrivilege	2664	vssvc.exe
Token: SeBackupPrivilege	4184	msiexec.exe
Token: SeRestorePrivilege	4184	msiexec.exe
Token: SeRestorePrivilege	4184	msiexec.exe
Token: SeTakeOwnershipPrivilege	4184	msiexec.exe
Token: SeRestorePrivilege	4184	msiexec.exe
Token: SeTakeOwnershipPrivilege	4184	msiexec.exe
Token: SeBackupPrivilege	1936	srtasks.exe
Token: SeRestorePrivilege	1936	srtasks.exe
Token: SeSecurityPrivilege	1936	srtasks.exe
Token: SeTakeOwnershipPrivilege	1936	srtasks.exe
Token: SeBackupPrivilege	1936	srtasks.exe
Token: SeRestorePrivilege	1936	srtasks.exe
Token: SeSecurityPrivilege	1936	srtasks.exe
Token: SeTakeOwnershipPrivilege	1936	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

3328 msiexec.exe

pid	process
3328	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4184 wrote to memory of 1936	4184	msiexec.exe	srtasks.exe
PID 4184 wrote to memory of 1936	4184	msiexec.exe	srtasks.exe
PID 4184 wrote to memory of 3524	4184	msiexec.exe	QuickQ.exe
PID 4184 wrote to memory of 3524	4184	msiexec.exe	QuickQ.exe
PID 4184 wrote to memory of 3524	4184	msiexec.exe	QuickQ.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\py-hzz.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Program Files (x86)\搜狗输入法\搜狗输入法\QuickQ.exe
"C:\Program Files (x86)\搜狗输入法\搜狗输入法\QuickQ.exe" /Install
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\搜狗输入法\搜狗输入法\QuickQ.exe

Filesize
3.0MB

MD5
1e1b42b6c885280e082ac373f7b59f3f

SHA1
1e6646b827f5089aefedac669f62ef55a19d7ad2

SHA256
14b6a49fb11961fb851c51b3dbca5ee8cb02d86e5dfcf7cdbd9edcd06f2c118c

SHA512
56826f422d8f68d6c9a6b7cd23c0a48fa7ee48c4e90588f630d4b08588b63e8cfff230549272d8411cd2fe229f158ddc108a48cba658064ded4e76e0d9064c64

Download Submit
C:\Program Files (x86)\搜狗输入法\搜狗输入法\QuickQ.exe

Filesize
3.0MB

MD5
1e1b42b6c885280e082ac373f7b59f3f

SHA1
1e6646b827f5089aefedac669f62ef55a19d7ad2

SHA256
14b6a49fb11961fb851c51b3dbca5ee8cb02d86e5dfcf7cdbd9edcd06f2c118c

SHA512
56826f422d8f68d6c9a6b7cd23c0a48fa7ee48c4e90588f630d4b08588b63e8cfff230549272d8411cd2fe229f158ddc108a48cba658064ded4e76e0d9064c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GAKQU0X5\KCUR85CH.htm

Filesize
399KB

MD5
a5f97480d1600d61613389f8ee25bcc9

SHA1
f824a32259bb881e012555c56391bb13a0c11f49

SHA256
552fc34678f4333a4f0e61f9b1d3421bc3bf6f055ef7baeb41211433c58109f2

SHA512
c66191d8d82881fb6ff21a88489305a448c41f924986b9aea3900326d4b77cb582be00d88c079bd3adff0094633f4e023cfff18ab985a30fdea55184f1b08ba2

Download Submit
C:\Users\Public\Videos\study95\1.dll

Filesize
1.9MB

MD5
efb4f7f2c29f4b812ec344782c751ead

SHA1
84e6ec5323d1c535dcf4c7bbdde259a9847eee39

SHA256
d48fb613b4336547f5925f88ffd5de78bb36974634aad096deeb5af4be1b96c6

SHA512
dc85c2005c84da617bf2280471db7afb4e4bb3f85aa885136b6daf14041ee6d0dd4afd043ac1d16e4b14eddc05ad93aa8e2dec55d1e8e22e05427666cfb2c4c4

Download Submit
C:\Users\Public\Videos\study95\2.dll

Filesize
576KB

MD5
e1b3cf30274e632c35be299d4d6e3931

SHA1
9c52dccc089995899c566d1897d4b6e623c790b6

SHA256
37987d399b9d543125909768f6197783fe8ea92d2575622ae3df9e396444f6fd

SHA512
1b9475c430d70cd18097849d5eecd1d41493811f7162ca89cc29ce87093b7261e9c594567d9b39cf49157e6feb50f0f014ca93d5923fe124bafe9504db976443

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
d87eda5fff4e2ec51cb4ef640615e1e7

SHA1
c5eef6c61b90364a1394a4f056cb7aebfd0302ef

SHA256
3a911f864f421ba7e08d6cd2bdce455f99b23ef9a7a6657499355257d072667a

SHA512
6e0a2aa2f7169124f4352d9afcfbb83ba7848b1377c9e6c4b1a46df52771667619395064e25a6b11fbc41f117d63800d6e74b8b30a07ed75d1b1276e47ce9e7a

Download Submit
\??\Volume{ba7a5d05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0bb26103-f56b-4c49-b865-c4d3426450b4}_OnDiskSnapshotProp

Filesize
5KB

MD5
7a8d1b4d29cd72e678df7cbeb97e3f56

SHA1
691bd5a50848adee0432dc7cb1fb1a0c1c80e4ed

SHA256
38206c8eced71bdf4091e43564e493dfc84a1f96cbf005a05ef15d1a7c20d68a

SHA512
700a90ef481ea008302259531d8f545d0f44245725d89a204e127d3eeed74f0f3952209ab019fdc17b1e11bd0a0f2f1c0da9fd868ba65d05f0752d3f7be0b0e1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads