blackmoon | 3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe
Size

447KB
MD5

9dd5731762febf26965ea7e5356ac932
SHA1

24328448a6ae4d25f4056a383d3c47e1429a9818
SHA256

3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486
SHA512

93db702e93827bb32cd9726f8682b67e83f32a6f041bf4b29bbf839bda59ad33375c7a4f91e99f184bdb0cc3c720f9e3f618e01127ef72bd8900e17b1c05acb9
SSDEEP

6144:sZrK+r+l0eNPBJrOxQD90saoTXWIg7mljhubc:sZ++qlRBBOxQDU2XWIg6Bic

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x0000000000472000-memory.dmp	family_blackmoon
behavioral1/memory/2724-22-0x0000000000400000-0x0000000000472000-memory.dmp	family_blackmoon
behavioral1/files/0x00070000000141b5-19.dat	family_blackmoon
behavioral1/memory/2112-23-0x0000000000400000-0x0000000000472000-memory.dmp	family_blackmoon
behavioral1/memory/2724-45-0x0000000000400000-0x0000000000472000-memory.dmp	family_blackmoon

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x0000000000472000-memory.dmp	UPX
behavioral1/memory/2724-22-0x0000000000400000-0x0000000000472000-memory.dmp	UPX
behavioral1/files/0x00070000000141b5-19.dat	UPX
behavioral1/memory/2112-23-0x0000000000400000-0x0000000000472000-memory.dmp	UPX
behavioral1/memory/2724-45-0x0000000000400000-0x0000000000472000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2724	Syslemchgzu.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe
2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2724-22-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/files/0x00070000000141b5-19.dat	upx
behavioral1/memory/2112-23-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2724-45-0x0000000000400000-0x0000000000472000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Syslemchgzu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Syslemchgzu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe
2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe
2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe
2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe
2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe
2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe
2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe
2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe
2724	Syslemchgzu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2724	2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe	29
PID 2112 wrote to memory of 2724	2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe	29
PID 2112 wrote to memory of 2724	2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe	29
PID 2112 wrote to memory of 2724	2112	3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe	29

C:\Users\Admin\AppData\Local\Temp\3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe
"C:\Users\Admin\AppData\Local\Temp\3afc48d5b92da1948f3f112c4e896e476fe8858090c7001b955c2b459c742486.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\Syslemchgzu.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemchgzu.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syslemchgzu.exe

Filesize
447KB

MD5
eca4aea09089b55672c53962ed755473

SHA1
5390a5ce020ad38bc79ac5dba0377d3bc76c58a6

SHA256
34d6fe6db990a3c266519282508cf7cf547b71972061e635b26c0ac625cc3b9a

SHA512
b1cd1b92f320c3b2875cfd92bc74db6a8cac90b3f64a9358a52bcdd0c47669324a79bd12d3d52e8e973057ac2d7f272507818e4a9d31eaad00a6e62bc147cf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
e9a96da6579a1b6725ad0681f9185eed

SHA1
233446d1e866c848c09df7e8e525e4cb62e04c92

SHA256
3d6a9bc8b127791206a13ccb144588a70edaa3c9f0093001f636ef0bf9e3b32d

SHA512
ecedbe9208c2929470f20649a9089bfea3998d6a6b0adb32583a24590f9df47e30430e0cec414855a946877f5167b3b5feeb27904beddad69b3d12d530076b81

Download Submit
memory/2112-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2112-21-0x0000000003AC0000-0x0000000003B32000-memory.dmp

Filesize
456KB

Download
memory/2112-20-0x0000000003AC0000-0x0000000003B32000-memory.dmp

Filesize
456KB

Download
memory/2112-23-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2724-22-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2724-45-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download