blackmoon | 60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b

General

Target

60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
Size

4.7MB
MD5

e8d2018514da477fc1c3e218a24125d6
SHA1

6d7cfc49bb0929c2eb0f4028fe97983b876516cc
SHA256

60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b
SHA512

98446881984402431b960ae7bd4faa1c420b5e2c0ebca2bb1bba01e070fc314884ce97b690f7211da76b3baabb17c1a4e773c63168bc97fbe38339babc68f303
SSDEEP

98304:ABTTPtxvAOlouIZdRytp5UJ8rA9s9o36B:rHm2J8rACn

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\cande\{y8A2i57GQNoV0x07ljM}\winfsp-x86.dll	family_blackmoon

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4pmUM.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4pmUM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\4pmUM = "C:\\ProgramData\\cande\\{y8A2i57GQNoV0x07ljM}\\4pmUM.exe"	4pmUM.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe

Executes dropped EXE 1 IoCs

Processes:

4pmUM.exe

pid process

4636 4pmUM.exe
Loads dropped DLL 1 IoCs

Processes:

4pmUM.exe

pid process

4636 4pmUM.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

4pmUM.exe

pid process

4636 4pmUM.exe
4636 4pmUM.exe
4636 4pmUM.exe
4636 4pmUM.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4pmUM.exe

description pid process

Token: SeDebugPrivilege 4636 4pmUM.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4pmUM.exe

pid process

4636 4pmUM.exe
4636 4pmUM.exe
4636 4pmUM.exe
4636 4pmUM.exe

pid	process
4636	4pmUM.exe

pid	process
4636	4pmUM.exe

pid	process
4636	4pmUM.exe
4636	4pmUM.exe
4636	4pmUM.exe
4636	4pmUM.exe

description	pid	process
Token: SeDebugPrivilege	4636	4pmUM.exe

pid	process
4636	4pmUM.exe
4636	4pmUM.exe
4636	4pmUM.exe
4636	4pmUM.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe

description	pid	process	target process
PID 3968 wrote to memory of 4012	3968	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
PID 3968 wrote to memory of 4012	3968	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
PID 3968 wrote to memory of 4012	3968	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
PID 4012 wrote to memory of 4636	4012	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	4pmUM.exe
PID 4012 wrote to memory of 4636	4012	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	4pmUM.exe
PID 4012 wrote to memory of 4636	4012	60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe	4pmUM.exe

C:\Users\Admin\AppData\Local\Temp\60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
"C:\Users\Admin\AppData\Local\Temp\60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe
  C:\Users\Admin\AppData\Local\Temp\60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b.exe 46053F055905550577056A05620577056405680541056405710564055905660564056B056105600559057E057C053D05440537056C0530053205420554054B056A05530535057D053505320569056F0548057805590531057505680550054805--365
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\ProgramData\cande\{y8A2i57GQNoV0x07ljM}\4pmUM.exe
    "C:\ProgramData\cande\{y8A2i57GQNoV0x07ljM}\4pmUM.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cande\{y8A2i57GQNoV0x07ljM}\4pmUM.exe

Filesize
41KB

MD5
90f1cbf523b201c20adf2e6cb5a91e2d

SHA1
e485907216de02d71a127623d6d8b155fa25aafa

SHA256
84ef8cba9b668bf3c2f47cfe2efc6fb4821fada314959a36419443efe41967d2

SHA512
6d121b48dba3a48d7dceb0baad629b7ad195b7f47d267f8f3295cead8940836ced45abac716fd54504b603ad9d3eb57ffd2a36f2c3e183d65df051ceba694521

Download Submit
C:\ProgramData\cande\{y8A2i57GQNoV0x07ljM}\4pmUM.txt

Filesize
369B

MD5
4bd2afe90974a48e19b9916c7b10ef08

SHA1
8ffbec325a46696244f42fb13565a894bcfe3f00

SHA256
af0b941914e0a9d7a65f049e9e7468dfd63e8afb465dc8849e9c56e985172ee7

SHA512
59517e502f146c705cff4810ba1a2e07c37dffdf7f20352a8c8dae671333e45697387f24563553fb6d872d7396bbcf5c791c07a956caa23783721deeddaffe73

Download Submit
C:\ProgramData\cande\{y8A2i57GQNoV0x07ljM}\winfsp-x86.dll

Filesize
3.3MB

MD5
e705514b37a15fe778a12406ea309f0c

SHA1
b517800efdfb174aa9ad14632e330a8043bd94e4

SHA256
b00df8776e786fdb006f315bfe68c404d76758582eae0f92c6398e109cfee036

SHA512
05ed9c0be82729c4219b83facb42dba6029aaff5545a1883cbcddb673ff0297b9abc69da6161b985545b7a24b9a022fe69ca506f96dc2524046dcb71ff611667

Download Submit
memory/4636-30-0x0000000004260000-0x000000000434B000-memory.dmp

Filesize
940KB

Download
memory/4636-33-0x00000000026E0000-0x00000000027C7000-memory.dmp

Filesize
924KB

Download
memory/4636-20-0x00000000026E0000-0x00000000027C7000-memory.dmp

Filesize
924KB

Download
memory/4636-21-0x00000000026E0000-0x00000000027C7000-memory.dmp

Filesize
924KB

Download
memory/4636-23-0x00000000026E0000-0x00000000027C7000-memory.dmp

Filesize
924KB

Download
memory/4636-18-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4636-24-0x0000000003D40000-0x0000000003F51000-memory.dmp

Filesize
2.1MB

Download
memory/4636-29-0x0000000004260000-0x000000000434B000-memory.dmp

Filesize
940KB

Download
memory/4636-28-0x0000000000C60000-0x0000000000CB6000-memory.dmp

Filesize
344KB

Download
memory/4636-17-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4636-34-0x00000000048B0000-0x0000000004A25000-memory.dmp

Filesize
1.5MB

Download
memory/4636-19-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4636-32-0x00000000044C0000-0x0000000004559000-memory.dmp

Filesize
612KB

Download
memory/4636-35-0x00000000048B0000-0x0000000004A25000-memory.dmp

Filesize
1.5MB

Download
memory/4636-37-0x0000000004A30000-0x0000000004A82000-memory.dmp

Filesize
328KB

Download
memory/4636-38-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/4636-39-0x0000000003D40000-0x0000000003F51000-memory.dmp

Filesize
2.1MB

Download
memory/4636-40-0x0000000004A30000-0x0000000004A82000-memory.dmp

Filesize
328KB

Download
memory/4636-41-0x0000000003D40000-0x0000000003F51000-memory.dmp

Filesize
2.1MB

Download
memory/4636-42-0x0000000000C60000-0x0000000000CB6000-memory.dmp

Filesize
344KB

Download
memory/4636-43-0x0000000004260000-0x000000000434B000-memory.dmp

Filesize
940KB

Download
memory/4636-44-0x00000000044C0000-0x0000000004559000-memory.dmp

Filesize
612KB

Download
memory/4636-45-0x00000000048B0000-0x0000000004A25000-memory.dmp

Filesize
1.5MB

Download
memory/4636-46-0x0000000004A30000-0x0000000004A82000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads