blackmoon | cf0d77061ff2c2455c38a960272346bae3f01b9553a673b3bde1a8529773dcc6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf0d77061ff2c2455c38a960272346bae3f01b9553a673b3bde1a8529773dcc6.exe
Size

338KB
MD5

8ff28dbc196e05cbfc53400a600f0651
SHA1

c76bc39f4044b131171ac0c2e5d42c77b90b215f
SHA256

cf0d77061ff2c2455c38a960272346bae3f01b9553a673b3bde1a8529773dcc6
SHA512

c782f0b010eafa830cbe2aaaa2a6edf36ee9338661c9c36e9a02ed3908f66b0085a4f0ef58782081fd8f094cd5efb452e26eee1ec061bb3ce1badcc73006e32f
SSDEEP

6144:b5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zkXudeh:b5/Q58drihGiLhmGNiZsx0B/zkXoeh

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002343a-25.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	cf0d77061ff2c2455c38a960272346bae3f01b9553a673b3bde1a8529773dcc6.exe

Executes dropped EXE 1 IoCs

pid	Process
2784	Sysceamegycr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cf0d77061ff2c2455c38a960272346bae3f01b9553a673b3bde1a8529773dcc6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe
2784	Sysceamegycr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2784	2756	cf0d77061ff2c2455c38a960272346bae3f01b9553a673b3bde1a8529773dcc6.exe	99
PID 2756 wrote to memory of 2784	2756	cf0d77061ff2c2455c38a960272346bae3f01b9553a673b3bde1a8529773dcc6.exe	99
PID 2756 wrote to memory of 2784	2756	cf0d77061ff2c2455c38a960272346bae3f01b9553a673b3bde1a8529773dcc6.exe	99

C:\Users\Admin\AppData\Local\Temp\cf0d77061ff2c2455c38a960272346bae3f01b9553a673b3bde1a8529773dcc6.exe
"C:\Users\Admin\AppData\Local\Temp\cf0d77061ff2c2455c38a960272346bae3f01b9553a673b3bde1a8529773dcc6.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\Sysceamegycr.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamegycr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
eeb0852c364cd645d4806487a79dda7e

SHA1
8e449d2bcd2efceb5c3e9b98ffb12aa09c725aea

SHA256
221e698ef68612b0c7db292d24cdce0f0638367d87c0a41e76c5c58c89fcd766

SHA512
16f732dd1d098b56d14b251f00b780d84eb7dba9ba79e1af8fa27448583abcfbb9ae91d6e228f8f93c6b9555a5728dafad2b23033c5fccd26f0d177de61165d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
a193ca6f9d0f9e0d5cedabcd2029d384

SHA1
c77b5711de882e6e38eaac54560733bf0c8cd202

SHA256
98fa5a7bac951c067cc2cd4daabd0f28da92137d47b74a2cddf5f17ea53b4b8e

SHA512
8db75f375370605b15f5454121d157680ea1666d75d6e3c0da9f8a7f1320568993564fb8e567b6970ccef77df19ca5f8a241af875031553fb0ce6f994a8fb8fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
471B

MD5
248dbd35c4c00ffdffacefd88c138599

SHA1
e1711091287a570311dbcd472d66eec05b87fbf4

SHA256
ed64a2f296ce2bedd77242acfb142d1d21c09f07057fbb107d9c0bcc042cf600

SHA512
174314b5ea55f00e1256e2cee5330211529e1aa0c58d49258aef7d31986ec7c5d235d83fb2e20ee00a0a2af8e237a0d9961de518256bcfde7a05904d04456227

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
2553bbb41aad30b7f8cda37e2132574c

SHA1
14d13496ddf1d755a4c295aae583f7d6e68d8f48

SHA256
5efac88dcc6a70e673a7b7e396aa98bdbbedfca655e37233dfb659ce5d7ca627

SHA512
d2a0d5ab695b96fa0fb03510a744f9d4688eb2748cb625ff90f2b7ab69002c4bbe720b8d76eab153f564d4235c975ac80bcf261b41595ef919859fc9154db4e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
0a225846a82a20852ffa7166b9ca8e42

SHA1
a765075b82bca2cfa81abb8369d9847047889a89

SHA256
ebbc9c88c78393f0423289dda03f6e619c0b74cb87268564503bdb9fd36cbf59

SHA512
648f78b6ea80f6e07923a74e5f8348ce1d89fdcb81fe2a956be7de9b6d6c8bd5a8d80800a04e130457ba3094c9bd05e01186d4773bb7642699929cb318a05ce1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
fb96d1c2a89e376e6534cc6024a0c2e0

SHA1
a9b058222953767139168b5cdfd57234cf1338f9

SHA256
aaa3736a1f4b48b0c0cacaf1e84c7a42b87755da4a8e86fdd3d23913d95bb160

SHA512
87490fc2f262360e58c52918b86fe88246a7503dee1a7299394c671003eef2fe8f7ec78b1c2af772309a5c93c67c292bda9131b1ad572af390cb082561d01bd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
402B

MD5
af2a73029d2b12bdcdfa2cb011e60c86

SHA1
b0308994dac9b2f49bf5a2a0cd0d1c1c79e54ca0

SHA256
43ed51663d8c153004f21c7aa0689d637b0d1a9f6f124c82add64e1456816d00

SHA512
f9d40c7cd412bc348b35040e3dc621b724088728247d8d50baea64f5e2a84aa739ddb158941f57e32fd6eee886d3571d4feea684a003cdc400ab761677f61b40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
3296f5cd675edcabc993ce9baa8a2d53

SHA1
c34bdc42db792e21f6f87b56d2eac600b7c52b9f

SHA256
ac7e44a30aeed5ccecc38df39ab4bfdd293a23689d87c73a6759bc6014f60537

SHA512
36f785b96f7e00a26a799dd2105ed9c1475f9b3a5647eca5cbe432b33fe2037e242c515ce4a066f0cdb08026701a627b824a70133bbc6b1fe74d30a77b77a526

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamegycr.exe

Filesize
338KB

MD5
c9b51cabb41d724c7367347325adadca

SHA1
4d025dbbd95509e4f810b5f294d3f20aff223668

SHA256
8971c5ad2d0e6923287acab79a3275e1b0d7267bbfbbf30a6bffec0cceb98156

SHA512
36498a2c6032de5e459e414897da855907588fbdccccd34d6c22ebc39dc17230a613c339e24156ad8d09f8d7c479546f00c16f4a5399c9bb0db27a098661588d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
18441a8183830d2ff971d77f40955a3c

SHA1
8fffb18882fedefdd05c735a3f4364edf5b2956b

SHA256
edb779474059be9f9ffa2c65114223741d5461707f36bc5f8c135a1e4d980b2a

SHA512
cb84257f17b0d169c4a35d8c0411a6263898ba48fae9a810867ebe4c329497b6e793d648e8519feefeb84ffc9ddeb17273925ab5d27db3cb621379625d193a8d

Download Submit