blackmoon | 7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8

Analysis

max time kernel
149s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe
Size

338KB
MD5

4e41e5c0337518e0af73d40dcac7fe28
SHA1

2d0aac986459b1cfb11a3d80154053553bc43523
SHA256

7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8
SHA512

9e7302d2332e093d598bab3c8292d84a240144d04889c42c39b3b2d76f6f8da70ae695d13dae5b1cd2377963a375121531237412965d8f05eb484422cb324196
SSDEEP

6144:b5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zkXudeM:b5/Q58drihGiLhmGNiZsx0B/zkXoeM

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000015cca-34.dat	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
2224	Sysceammwnwg.exe

Loads dropped DLL 2 IoCs

pid	Process
2796	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe
2796	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe
2224	Sysceammwnwg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2224	2796	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe	29
PID 2796 wrote to memory of 2224	2796	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe	29
PID 2796 wrote to memory of 2224	2796	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe	29
PID 2796 wrote to memory of 2224	2796	7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe	29

C:\Users\Admin\AppData\Local\Temp\7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe
"C:\Users\Admin\AppData\Local\Temp\7bedb97f8d7696215bdaad9a743979047c71a798d737c4176af4c04f2bd1a5c8.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\Sysceammwnwg.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceammwnwg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
05651edc7e6882d86621e189f61da8ca

SHA1
af3e7fc472ed2e8f83a80382b71990cceac67780

SHA256
4b41dba679ca244d3e15b5e100c0deb6ff76764f1731a1477f5d921e1229df35

SHA512
117800d588a55cd209d3a2111cb630944f1aefdb10baf7d755d95be54b09db9fcc1e5a34ed04a5c2e0741ff786183b301dd0a5a9f9b3dcb3159505512bb98c5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
a2e7b1441875f636f9f7ebbd038d396a

SHA1
9fe7abd976554c9e7bf1b126e5bc351370d65521

SHA256
edf0af90c4630d96df73574ed2b3ec8bf46a6096053e8a16a7e40d636c2dc0eb

SHA512
f6cf0ad1aa01247ccfd8cbd6256c663252516cb0ed2c449d77a08de29731732640b58d15e4889d152fd739b73838d29406704f43c913c0429091e4bb29772ece

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
471B

MD5
f65f27f41acb28105e071c710851626f

SHA1
993444938d84861187f643506a47076b85f152a8

SHA256
65f87fda17c1d76cb51023d917689d8cb692271809990e9ea9399580d350c4f5

SHA512
b5c376aa0325d4c7963df4c318adacad217573b3391ecf6655504e6ba50e02d4405c0eb7847a753c1f13676361431c7f4eff79360fb510edee48e9e09641eb44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
b315c12276adeca50bc7557f56840272

SHA1
aa595bdc4b07cf4c66f6fdde508ecf2f70fde4c8

SHA256
ca5dcd9db3808826542eb06e18a6a08202c24e78d1c8ad94d1152a344296a182

SHA512
c1c322e026929fe3ee1a69683de9399a1c279fc39f6937835a6a95a20e77c258fe004f7a0ac72c9f49d860fbb77aeef0fd8863d8b601defa946253f1d4b92134

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
417f2fb5415fbc6c19ffe868abda5c98

SHA1
57ea26a6f030c06fb1c647c81c0c8774a7019722

SHA256
28d105291276d48573cb6ae5d47cd2ee29ad471698c51f25c4a033cf57498b9c

SHA512
749fa5046404294bd30150fbce1773a6dc5ea0fc36541942158b293f6fc936a90a395bd3c69dcac6804babfeddf7f10cbbfeea9f3b4027d4c32481bdba39c79a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
778a143748a5fbb86ae27cfe2dbf7b23

SHA1
80f361e3f96ae30e02cc95441e4f0c99d44b6f97

SHA256
c335ddf03f79d1a77197bf8509233e4e3e2dba6e60f1b406b9866978fd9a1b33

SHA512
c4d6cd40147ed67b8e6894ad1b3b66d858c25ce92035107980406955319b1b27e32fe935509cf8e9d6e49727cfd2b40e73467682baa235be23cf2d6c10960e06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1d8b779c39eb4e2d705887ee3cfa6ca

SHA1
841a15a0527be6c54084c55bf3c1fa28fa852323

SHA256
00ba81e60bd99a3d4c5dabf72c60e6bbcec633b1ef02b61a542ca68780ed64a8

SHA512
c3719ba1b8b3ca9830db537257d697f6b30a36275a36192452282abf04cad927b27d9259f8080c0e0ec4b8e274a0ff8bd340fcebd2f3d2be87d8804981c9d1ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
402B

MD5
01b5ed03b81c43873dca1b66192fed5e

SHA1
f34bdc3f334d6a16257b6ec0c73b541a6098bd8a

SHA256
c8764c14ca0700992fecacd9159dac1913a2dec6032212d5e93abde9e6c5af3f

SHA512
08bc59c74d9e8ea83ca778ae04cf3f372c3c528d9a4ad6924f95348a6843fdd3bbb2ae05fb50bef1cc684ac621f2419c1979468d975aaecf2df0f9c0395dd7b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
c44d896e3e8131b60fde72795ad7a10e

SHA1
700d72ba61d0effbdc92a53c9d2b98364431a51c

SHA256
ab372647fd57e68f5a700c120d78e54552393a11314e652cc2351e4f79b931d2

SHA512
fef4de07df3aa48af4e5c51a31d1b8cb66aa9c3395cc2c00d160e5f05e2a01e9b217a58e02bc21f72f240edac54919d23c2e8eefc77151a498a918a84e336eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C7B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
ed0b0b80f777083e90626f85fb2b57ef

SHA1
d36d42becfaef3d9d3aa0c894707ce5bfaf8cb38

SHA256
33ad609a71c8dad5ab01022f341fab4af467a8deb7ec7b6ba40a3721be1c1613

SHA512
055a8788f815402eaf19e5c29de9508c5d0a59a9714ca2ea434d2850268bd089814f203f8e8a4da15c8682c13a63f566a43dc441311294227cee8df7d92926cb

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceammwnwg.exe

Filesize
338KB

MD5
1ffbcd7a70f894ee8ddddab12d2defcf

SHA1
b5e73349c97c61f1fb252297ae59c0720937234f

SHA256
0421af6a09da890bdb09449cdf71f94569c5c9d455cb0fc39b8605244e99d231

SHA512
be08bb6658a52b29b944b8ef6e83e76307d0332811bb4f069044fc1ee85ca2e86d7301345f1658419615ed492724eb2804c37c1ab8a49ede9510c439ca3cb004

Download Submit