blackmoon | 6d7eee0253c4fb6bdd946c309f3db823a348b1cdc9dcb2bd3f2412b30eb9590f

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64c2e949a2f92c4f458ea1e18ef0829b.exe
Size

2.0MB
MD5

64c2e949a2f92c4f458ea1e18ef0829b
SHA1

5274af76387950b897e4cd1fd9f8cf69755dd05e
SHA256

6d7eee0253c4fb6bdd946c309f3db823a348b1cdc9dcb2bd3f2412b30eb9590f
SHA512

6b52f421f8f03402d012cc185547e26ee5e562b18bdc42cf81e80e6a5463ac57383e1d11099770057149c0a6477564b20efb39960e0f1a44b7ebe9e6e89e8b29
SSDEEP

24576:bSH25PwcN2jx23LdZNtWFKVsIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECl:blDoOTNtGKOIvfuRVy/Pur2Mgl

Score

10^/10

blackmoon banker bootkit persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022775-5.dat	family_blackmoon
behavioral2/files/0x000900000002303e-19.dat	family_blackmoon
behavioral2/files/0x0002000000022775-41.dat	family_blackmoon
behavioral2/files/0x0002000000022775-83.dat	family_blackmoon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	ippatch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	64c2e949a2f92c4f458ea1e18ef0829b.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk	ippatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk	ipsee.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk	ippatch.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk	ipsee.exe

Executes dropped EXE 3 IoCs

pid	Process
3716	ippatch.exe
4892	ipsee.exe
1960	ippatch.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	64c2e949a2f92c4f458ea1e18ef0829b.exe
File opened for modification	\??\PhysicalDrive0	ippatch.exe
File opened for modification	\??\PhysicalDrive0	ippatch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 13 IoCs

evasion

pid	Process
3264	taskkill.exe
3776	taskkill.exe
3592	taskkill.exe
1200	taskkill.exe
3636	taskkill.exe
4028	taskkill.exe
3576	taskkill.exe
4636	taskkill.exe
3456	taskkill.exe
2488	taskkill.exe
1452	taskkill.exe
1000	taskkill.exe
908	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
4892	ipsee.exe
4892	ipsee.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
4892	ipsee.exe
4892	ipsee.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
3716	ippatch.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
3716	ippatch.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe
3716	ippatch.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	3264	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
4648	64c2e949a2f92c4f458ea1e18ef0829b.exe
3716	ippatch.exe
3716	ippatch.exe
4892	ipsee.exe
4892	ipsee.exe
1960	ippatch.exe
1960	ippatch.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1000	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	89
PID 4648 wrote to memory of 1000	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	89
PID 4648 wrote to memory of 1000	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	89
PID 4648 wrote to memory of 908	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	90
PID 4648 wrote to memory of 908	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	90
PID 4648 wrote to memory of 908	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	90
PID 4648 wrote to memory of 3716	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	94
PID 4648 wrote to memory of 3716	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	94
PID 4648 wrote to memory of 3716	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	94
PID 3716 wrote to memory of 3264	3716	ippatch.exe	95
PID 3716 wrote to memory of 3264	3716	ippatch.exe	95
PID 3716 wrote to memory of 3264	3716	ippatch.exe	95
PID 3716 wrote to memory of 4892	3716	ippatch.exe	97
PID 3716 wrote to memory of 4892	3716	ippatch.exe	97
PID 3716 wrote to memory of 4892	3716	ippatch.exe	97
PID 4648 wrote to memory of 1960	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	98
PID 4648 wrote to memory of 1960	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	98
PID 4648 wrote to memory of 1960	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	98
PID 4648 wrote to memory of 3592	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	100
PID 4648 wrote to memory of 3592	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	100
PID 4648 wrote to memory of 3592	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	100
PID 4648 wrote to memory of 3576	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	99
PID 4648 wrote to memory of 3576	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	99
PID 4648 wrote to memory of 3576	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	99
PID 4648 wrote to memory of 3776	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	105
PID 4648 wrote to memory of 3776	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	105
PID 4648 wrote to memory of 3776	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	105
PID 4648 wrote to memory of 1200	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	103
PID 4648 wrote to memory of 1200	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	103
PID 4648 wrote to memory of 1200	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	103
PID 4648 wrote to memory of 3636	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	108
PID 4648 wrote to memory of 3636	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	108
PID 4648 wrote to memory of 3636	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	108
PID 4648 wrote to memory of 4636	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	107
PID 4648 wrote to memory of 4636	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	107
PID 4648 wrote to memory of 4636	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	107
PID 4648 wrote to memory of 2488	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	114
PID 4648 wrote to memory of 2488	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	114
PID 4648 wrote to memory of 2488	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	114
PID 4648 wrote to memory of 3456	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	111
PID 4648 wrote to memory of 3456	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	111
PID 4648 wrote to memory of 3456	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	111
PID 4648 wrote to memory of 1452	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	116
PID 4648 wrote to memory of 1452	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	116
PID 4648 wrote to memory of 1452	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	116
PID 4648 wrote to memory of 4028	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	115
PID 4648 wrote to memory of 4028	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	115
PID 4648 wrote to memory of 4028	4648	64c2e949a2f92c4f458ea1e18ef0829b.exe	115

C:\Users\Admin\AppData\Local\Temp\64c2e949a2f92c4f458ea1e18ef0829b.exe
"C:\Users\Admin\AppData\Local\Temp\64c2e949a2f92c4f458ea1e18ef0829b.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ippatch.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ipsee.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Users\Admin\AppData\Roaming\ippatch.exe
  "C:\Users\Admin\AppData\Roaming\ippatch.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4892
- C:\Users\Admin\AppData\Roaming\ippatch.exe
  "C:\Users\Admin\AppData\Roaming\ippatch.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ .EXE /f
  2⤵
  - Kills process with taskkill
  PID:3576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ.EXE /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ .EXE /f
  2⤵
  - Kills process with taskkill
  PID:1200
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ.EXE /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ .EXE /f
  2⤵
  - Kills process with taskkill
  PID:4636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ.EXE /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ .EXE /f
  2⤵
  - Kills process with taskkill
  PID:3456
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ.EXE /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ .EXE /f
  2⤵
  - Kills process with taskkill
  PID:4028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ.EXE /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RCXDB5E.tmp

Filesize
868KB

MD5
7af7c62d50dec501bfc58e901c2bbbd8

SHA1
eb3f934e1a945f99a2d6a236a3121afb79b3a62f

SHA256
92ed44ca0b55f08046c95851af3cbeacacf11e83266fec7f57553084e00fdaa3

SHA512
b8a06aab4271e8f7c9a9b1e82a8eef485834f4faee15d020d51217a5d552ef07b6b8dcfb14a6c9974ca22ba8957db199c0190ebbcc79cae2eb6a02042bc2f7f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk

Filesize
771B

MD5
dc3680bf14b0a5fd30028468e4d25ff7

SHA1
8b9ff1998c8f6b6e3d9dfd5d9f21f6e840758504

SHA256
d10eb01b3025a6e516254283643256de86f90d7ab94ddfe348d1a5981e7704a3

SHA512
f0b7b0f4e54c5163d5c022976f5ead7b4e06decec704c88f93c555553ead5c6f87a2a1ccd6997a4b5d0896a021d752c1700403e32d8d6ed2611962adfb546a56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yhxx.dll

Filesize
154B

MD5
40b80bda339faae4739d77caa3ebd0eb

SHA1
54e11813769d714dbf3153ec6f2620b919a00fca

SHA256
c551be73cdf086d8b11a4b92910c939cec35e1a8805ee3099b18c5a26f14aff3

SHA512
ab087ef1fb1a60772dcd091dc45a47d5b3f5f17f3aa6ae0f1293983b4015a7b1217e69bea95d6f3e4085962f8ef3ca3f529e76d083ab805648aa1bb76480e376

Download Submit
C:\Users\Admin\AppData\Roaming\RCXD18A.tmp

Filesize
2.0MB

MD5
5a02df66de9f06f1c663f4de15e4cf76

SHA1
351ed739292d7dd8c625960208686fc7a31a565c

SHA256
f61cbb8e4c5afa716af3b5f63827d30bd6f1db0c2b75199df9a2ad351470686d

SHA512
e74a88ccbf537b8fd688925526896da63d0e8d4cdd049ad04a40df410a4747200aa35279dc0393a28b541371d04828b7e3e92541ee176586093fb55555b680dd

Download Submit
C:\Users\Admin\AppData\Roaming\mydll.dll

Filesize
256KB

MD5
74769dd065370932047c9d1857e7c17a

SHA1
1ec56e2ad227f47b1314a5497776ec992b927873

SHA256
1df3bfbe43b5f7503e2a6144f588f67186f0e734b62cb8282fae469971e41aac

SHA512
c04515d0887dc92c8a26c6480ee9a800a0bbb98dca90f680532c2e75aefe4ff3348709eacee7dc9d90663eabdb710523993d2b56ff2a91777acb8d31c9eb302a

Download Submit
C:\Users\Admin\AppData\Roaming\mydll.dll

Filesize
256KB

MD5
28fc9f34712a112403dcf2e20409b934

SHA1
6cb9a8accf922f056f048c533e00193506b4e9bf

SHA256
2f1f9a34716ac06c8b820c7bdc11362e45edbd5e2e1b7eb47f8bcf0813d118ae

SHA512
c2dd346f2bf5730747acdfb9cb011e3b702cdfc0d4332ef2fc45b406821afff6a6906090ed78e816fb737c0b0309b3fe4e60b9fdc8d7fad9087be5888d6e227e

Download Submit
C:\Users\Admin\AppData\Roaming\mydll.dll

Filesize
256KB

MD5
a9898e8a6837513918a139b3db7d1814

SHA1
879e897fa85cee1b289f132e50a2694a1b6f0f6c

SHA256
4eaf4dbc1563c05f7363d8fb5e5a0d27828f46a5d882d9b0148bb45239ffe2a5

SHA512
3f51d05669f04475578b7a4e87cebdd98946c25c4d3bcd98267eb65423b00ed64bd05e5c7c8001dae9f9b4a098dc45854f9c81a318fadc297a2a2173e3981f34

Download Submit