blackmoon | d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c

General

Target

d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe
Size

10.8MB
MD5

80c197ffef9b5b63c2dc081063fa64b2
SHA1

e3dfab32ddf92c7a4b51cdbb57b92f23c77e454d
SHA256

d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c
SHA512

20489868402c510c6f4adb0addba7f96219b1eea6974423c9b6c2aa54e9a9db8cb2ec255a01bd415e4d05dbe9beebeee38248cfbdba1243674f9e1b35c670af4
SSDEEP

196608:hrly/HDDQ32xE0LjsXkMxLJPRIGsg51CN7aeL8nDfd+n+ycjoJlcM44QdvK8Ue/M:ryhxhLjsX1xLJ57sicgeS1+nlc03f441

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\{64AsP856xDhE}\ctxmui.dll	family_blackmoon

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LUiKm7w91.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	LUiKm7w91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LUiKm7w91 = "C:\\ProgramData\\{64AsP856xDhE}\\LUiKm7w91.exe"	LUiKm7w91.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe

Executes dropped EXE 4 IoCs

Processes:

快手传奇【盾】.exe块手传奇【盾】.exe块手传奇【盾】.exeLUiKm7w91.exe

pid process

3896 快手传奇【盾】.exe
1692 块手传奇【盾】.exe
1732 块手传奇【盾】.exe
1836 LUiKm7w91.exe
Loads dropped DLL 1 IoCs

Processes:

LUiKm7w91.exe

pid process

1836 LUiKm7w91.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

LUiKm7w91.exe

pid process

1836 LUiKm7w91.exe
1836 LUiKm7w91.exe
1836 LUiKm7w91.exe
1836 LUiKm7w91.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

LUiKm7w91.exe

description pid process

Token: SeDebugPrivilege 1836 LUiKm7w91.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

快手传奇【盾】.exeLUiKm7w91.exe

pid process

3896 快手传奇【盾】.exe
1836 LUiKm7w91.exe
1836 LUiKm7w91.exe
1836 LUiKm7w91.exe
1836 LUiKm7w91.exe

pid	process
3896	快手传奇【盾】.exe
1692	块手传奇【盾】.exe
1732	块手传奇【盾】.exe
1836	LUiKm7w91.exe

pid	process
1836	LUiKm7w91.exe

pid	process
1836	LUiKm7w91.exe
1836	LUiKm7w91.exe
1836	LUiKm7w91.exe
1836	LUiKm7w91.exe

description	pid	process
Token: SeDebugPrivilege	1836	LUiKm7w91.exe

pid	process
3896	快手传奇【盾】.exe
1836	LUiKm7w91.exe
1836	LUiKm7w91.exe
1836	LUiKm7w91.exe
1836	LUiKm7w91.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe块手传奇【盾】.exe块手传奇【盾】.exe

description	pid	process	target process
PID 2364 wrote to memory of 3896	2364	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	快手传奇【盾】.exe
PID 2364 wrote to memory of 3896	2364	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	快手传奇【盾】.exe
PID 2364 wrote to memory of 3896	2364	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	快手传奇【盾】.exe
PID 2364 wrote to memory of 1692	2364	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	块手传奇【盾】.exe
PID 2364 wrote to memory of 1692	2364	d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe	块手传奇【盾】.exe
PID 1692 wrote to memory of 1732	1692	块手传奇【盾】.exe	块手传奇【盾】.exe
PID 1692 wrote to memory of 1732	1692	块手传奇【盾】.exe	块手传奇【盾】.exe
PID 1732 wrote to memory of 1836	1732	块手传奇【盾】.exe	LUiKm7w91.exe
PID 1732 wrote to memory of 1836	1732	块手传奇【盾】.exe	LUiKm7w91.exe
PID 1732 wrote to memory of 1836	1732	块手传奇【盾】.exe	LUiKm7w91.exe

C:\Users\Admin\AppData\Local\Temp\d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe
"C:\Users\Admin\AppData\Local\Temp\d36f19ae84d802e4dd51916e92b272f17bd14f9ed3a91d61b95f63dd13f8593c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2364

C:\ProgramData\快手传奇【盾】.exe
"C:\ProgramData\快手传奇【盾】.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3896

C:\ProgramData\块手传奇【盾】.exe
"C:\ProgramData\块手传奇【盾】.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692

C:\ProgramData\块手传奇【盾】.exe
C:\ProgramData\块手传奇【盾】.exe 490A300A560A5A0A780A650A6D0A780A6B0A670A4E0A6B0A7E0A6B0A560A710A3C0A3E0A4B0A790A5A0A320A3F0A3C0A720A4E0A620A4F0A770A560A460A5F0A630A410A670A3D0A7D0A330A3B0A-0
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732

C:\ProgramData\{64AsP856xDhE}\LUiKm7w91.exe
"C:\ProgramData\{64AsP856xDhE}\LUiKm7w91.exe"
4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:8
1⤵
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{64AsP856xDhE}\LUiKm7w91.exe
Filesize
30KB

MD5
9e80b662cc6335824592af506a46c20c

SHA1
76f447db453e28835de09f7c865f373903bb50b4

SHA256
18716cd861b4de03f9d2ea9b32c4bed8473cf7e09410d04b5bb3db70be3863c1

SHA512
ea304340afe0137f7920c4ceeb0fbe226638339ba2b0b9f742770bee49cdd8b0dea886ce47c80cd1c5840654e67ecda5c61ece09fa0a0f00176aff0c222e58ae

Download Submit
C:\ProgramData\{64AsP856xDhE}\LUiKm7w91.txt
Filesize
269B

MD5
38296012d815bf39eb65962a77395abd

SHA1
f07c54d99c6a6648a086a630bdc40f2e9afcab2e

SHA256
1857e9e8c85448caaf4a0206331e1a8362987bf628bc6b4530489a58e1d379a1

SHA512
e2c109bc3bab70f7cd504b9ce10762c7444d39458fa9e1b28cc17be5dc7c3317a9d45ec0ca8dd4584b93b2e3e9b7d91fd7fef7a3027cc28d90a7372869d8b585

Download Submit
C:\ProgramData\{64AsP856xDhE}\ctxmui.dll
Filesize
620KB

MD5
0cb6f6e96088df211fc775308d0d3c76

SHA1
8742f2b0217c4c713f112f81897d866e6be8a895

SHA256
1275a2a6a039209d40b960d8736909867b07f8814789ed794fb7e95594a4cc60

SHA512
8992d157c9f73a4cb2586a0f9bc14c593b63b8c3ad265e446a24166104f26f2f278287191c0036ef69481d2140fdffc5296e80bc4a7365435cf160068d4a1e7e

Download Submit
C:\ProgramData\块手传奇【盾】.exe
Filesize
1.2MB

MD5
5515de7957086d6889f32e29022855b3

SHA1
296e06481623144908613aa78086d9f76a9f5cef

SHA256
1a91a368898eff84850aabfdc0ca57d586bad2990f5fe593096b2fdb0cef4195

SHA512
7dabf4f6b2ab8d6f31e1ded5b244c776d30ac8a0b4661ee1ffeda793e9560172218bd742b69a4d8fc0105367351c82a340a2d875647c5165da382e6e774387e6

Download Submit
C:\ProgramData\快手传奇【盾】.exe
Filesize
35.0MB

MD5
44fce30e45a43448fb68005516017e46

SHA1
431ac46383aa6e76324f19a3f181a47f560362c6

SHA256
55dd3f3076323a4fe4a8ff240a6259542afc5f707027e5e2a1a210ca32266288

SHA512
89f5988acada2dcb80dfee5e1e154f718e06c72fbfa33c2ff4c9cb412099cbcba402c0e6b3a8ad4881c55c16d0b6ac615aef7d38bbb1e702f5a59278a63fbfba

Download Submit
memory/1836-47-0x0000000004AB0000-0x0000000004B9B000-memory.dmp

Filesize
940KB

Download
memory/1836-52-0x0000000004BC0000-0x0000000004C12000-memory.dmp

Filesize
328KB

Download
memory/1836-34-0x00000000033F0000-0x00000000034D7000-memory.dmp

Filesize
924KB

Download
memory/1836-36-0x00000000033F0000-0x00000000034D7000-memory.dmp

Filesize
924KB

Download
memory/1836-51-0x0000000004690000-0x00000000048A1000-memory.dmp

Filesize
2.1MB

Download
memory/1836-49-0x0000000005150000-0x00000000052C5000-memory.dmp

Filesize
1.5MB

Download
memory/3896-37-0x0000000010000000-0x0000000010B48000-memory.dmp

Filesize
11.3MB

Download
memory/3896-43-0x0000000000400000-0x0000000002A73000-memory.dmp

Filesize
38.4MB

Download
memory/3896-42-0x0000000010000000-0x0000000010B48000-memory.dmp

Filesize
11.3MB

Download
memory/3896-41-0x0000000010000000-0x0000000010B48000-memory.dmp

Filesize
11.3MB

Download
memory/3896-38-0x0000000010000000-0x0000000010B48000-memory.dmp

Filesize
11.3MB

Download
memory/3896-28-0x0000000000400000-0x0000000002A73000-memory.dmp

Filesize
38.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads