blackmoon | 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63

General

Target

92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Size

5.0MB
MD5

d97ff1102e8ba106596d50a100021b9f
SHA1

a9484405b91d2b0e19f845b85516d88e271b5184
SHA256

92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63
SHA512

05d055943264b1bab63127ff90edaa6a0cf7ef69282739d0466df4bd015abcc5531910896a0f93e67aa24689e1af4010dbd5e6b3793039bf0da08a6b77887fff
SSDEEP

98304:D+HVb4W8Qh49un3vR3riSm+NJSBGwd43W9FRq:D+HJ8C49O/RHNJSEDiFw

Score

10^/10

blackmoon banker evasion themida trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~1483941487892139892..\点我启动软件.exe	family_blackmoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Clean WeChat X.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Clean WeChat X.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Clean WeChat X.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Clean WeChat X.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Clean WeChat X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Clean WeChat X.exe

Executes dropped EXE 3 IoCs

Processes:

sg.tmp点我启动软件.exeClean WeChat X.exe

pid process

2284 sg.tmp
2760 点我启动软件.exe
2192 Clean WeChat X.exe

pid	process
2284	sg.tmp
2760	点我启动软件.exe
2192	Clean WeChat X.exe

Loads dropped DLL 4 IoCs

Processes:

92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe点我启动软件.exe

pid	process
2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
2760	点我启动软件.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~1483941487892139892..\Clean WeChat X.exe	themida
behavioral1/memory/2760-30-0x0000000001E90000-0x0000000002828000-memory.dmp	themida
behavioral1/memory/2192-31-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-33-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-34-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-32-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-38-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-40-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-41-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-42-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-43-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-44-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-46-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-47-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-48-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-49-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-50-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-51-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-52-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-53-0x0000000000400000-0x0000000000D98000-memory.dmp	themida
behavioral1/memory/2192-54-0x0000000000400000-0x0000000000D98000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Clean WeChat X.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Clean WeChat X.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Clean WeChat X.exe

pid process

2192 Clean WeChat X.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Clean WeChat X.exe

pid	process
2192	Clean WeChat X.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

点我启动软件.exeClean WeChat X.exe

pid	process
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2192	Clean WeChat X.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe
2760	点我启动软件.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Clean WeChat X.exe

pid process

2192 Clean WeChat X.exe

pid	process
2192	Clean WeChat X.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exesg.tmpClean WeChat X.exe

description	pid	process
Token: SeBackupPrivilege	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: SeRestorePrivilege	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: 33	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: SeIncBasePriorityPrivilege	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: 33	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: SeIncBasePriorityPrivilege	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: 33	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: SeIncBasePriorityPrivilege	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: SeBackupPrivilege	2428	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: SeRestorePrivilege	2428	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: 33	2428	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: SeIncBasePriorityPrivilege	2428	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: 33	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: SeIncBasePriorityPrivilege	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: SeRestorePrivilege	2284	sg.tmp
Token: 35	2284	sg.tmp
Token: SeSecurityPrivilege	2284	sg.tmp
Token: SeSecurityPrivilege	2284	sg.tmp
Token: 33	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: SeIncBasePriorityPrivilege	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
Token: SeDebugPrivilege	2192	Clean WeChat X.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Clean WeChat X.exe

pid process

2192 Clean WeChat X.exe
2192 Clean WeChat X.exe
2192 Clean WeChat X.exe

pid	process
2192	Clean WeChat X.exe
2192	Clean WeChat X.exe
2192	Clean WeChat X.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe点我启动软件.exe

description	pid	process	target process
PID 2972 wrote to memory of 2196	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	cmd.exe
PID 2972 wrote to memory of 2196	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	cmd.exe
PID 2972 wrote to memory of 2196	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	cmd.exe
PID 2972 wrote to memory of 2196	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	cmd.exe
PID 2972 wrote to memory of 2428	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
PID 2972 wrote to memory of 2428	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
PID 2972 wrote to memory of 2428	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
PID 2972 wrote to memory of 2428	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
PID 2972 wrote to memory of 2284	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	sg.tmp
PID 2972 wrote to memory of 2284	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	sg.tmp
PID 2972 wrote to memory of 2284	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	sg.tmp
PID 2972 wrote to memory of 2284	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	sg.tmp
PID 2972 wrote to memory of 2760	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	点我启动软件.exe
PID 2972 wrote to memory of 2760	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	点我启动软件.exe
PID 2972 wrote to memory of 2760	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	点我启动软件.exe
PID 2972 wrote to memory of 2760	2972	92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe	点我启动软件.exe
PID 2760 wrote to memory of 2192	2760	点我启动软件.exe	Clean WeChat X.exe
PID 2760 wrote to memory of 2192	2760	点我启动软件.exe	Clean WeChat X.exe
PID 2760 wrote to memory of 2192	2760	点我启动软件.exe	Clean WeChat X.exe
PID 2760 wrote to memory of 2192	2760	点我启动软件.exe	Clean WeChat X.exe

C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
"C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=1726464 -len=3470184 "C:\Users\Admin\AppData\Local\Temp\~657901858608980152.tmp",,C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\~8815582267015043702~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~657901858608980152.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~1483941487892139892.."
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Users\Admin\AppData\Local\Temp\~1483941487892139892..\点我启动软件.exe
  "C:\Users\Admin\AppData\Local\Temp\~1483941487892139892..\点我启动软件.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\~1483941487892139892..\Clean WeChat X.exe
    "C:\Users\Admin\AppData\Local\Temp\~1483941487892139892..\Clean WeChat X.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~1483941487892139892..\Clean WeChat X.exe

Filesize
3.6MB

MD5
eeddf37e807097fc5aad876724c92f85

SHA1
38aebdfd0bfd7acf866156b1fbf43f4f2fa00f05

SHA256
c8f82ba8e56e5c1d24745a637e6d76bd6d593ccf539c6a101a7bfb9eca3624f7

SHA512
c1965ce51533be4617362223bc4b5850d4367e87bf243f0ee9ab2bea8de2478b7298c0347a31f03592fc8de052d6e0f799208e80590b920051b7012bb3357c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1483941487892139892..\点我启动软件.exe

Filesize
453KB

MD5
5dfe0fb8655ed70a0c8bda2167b156af

SHA1
8613f0213e2be06212fe1f8cf47855e8e37efb57

SHA256
18f7352254e97c5a655b8bd202615905f77b686ed587a501f895533a2016f58c

SHA512
941a12790ea9200c7b944d98e48884fe36625960ad51c774b472ea49ea8b2efe3270d189a939a3218d6b7d1471185250cefe3599d4c12634da2d187d8040ae6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~657901858608980152.tmp

Filesize
3.3MB

MD5
d3694c868bf680ae3524ee5aa6a642ef

SHA1
05e34034f05e5be7839450fc3da409976e1fc6b8

SHA256
a93a2fe8d6b6942fffb58b3e9dd073ba3d671f02c423a5da4b9333b67131e0a7

SHA512
824a551b3a188c0445b7fee742980f6588a9f8a4075a8dbcf8b55cd38916eec7923dd18b0788c34ee94ce506a9a92fd863eef9ac4de02229445861a5afba43a2

Download Submit
\Users\Admin\AppData\Local\Temp\~8815582267015043702~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/2192-46-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-42-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-33-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-34-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-32-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-35-0x0000000002B20000-0x0000000002B4B000-memory.dmp

Filesize
172KB

Download
memory/2192-36-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2192-38-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-54-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-40-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-41-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-31-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-43-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-44-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-53-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-47-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-48-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-49-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-50-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-51-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2192-52-0x0000000000400000-0x0000000000D98000-memory.dmp

Filesize
9.6MB

Download
memory/2760-30-0x0000000001E90000-0x0000000002828000-memory.dmp

Filesize
9.6MB

Download
memory/2760-39-0x0000000001E90000-0x0000000002828000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads