blackmoon | 45255d4f37ac8ffba92977d0c93f70855dc8191f72822b03881f5a195d07f830

Analysis

max time kernel
151s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
Size

440KB
MD5

5e19d436e2167778eb5596e16c49fb20
SHA1

f8e48141d4318f5cf47b3a1d8f8faf37b0c3634e
SHA256

45255d4f37ac8ffba92977d0c93f70855dc8191f72822b03881f5a195d07f830
SHA512

377036011e5137ef6e770a650927ff3a36d4b73a1fb9e11b6ca49e4c4aa4006c6024c827a1cdc236c9253e208ea22c0c747da48511654f027cc05afe1abfa351
SSDEEP

6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAP:xgXQKSLpOCtV0R8xMSaAP

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023264-8.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1684	Syslemhvpfh.exe

Executes dropped EXE 1 IoCs

pid	Process
1684	Syslemhvpfh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe
1684	Syslemhvpfh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 1684	3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe	94
PID 3292 wrote to memory of 1684	3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe	94
PID 3292 wrote to memory of 1684	3292	5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe	94

C:\Users\Admin\AppData\Local\Temp\5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5e19d436e2167778eb5596e16c49fb20_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Local\Temp\Syslemhvpfh.exe
  "C:\Users\Admin\AppData\Local\Temp\Syslemhvpfh.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syslemhvpfh.exe

Filesize
440KB

MD5
e653f8cee18b2b5fabc816242bef972a

SHA1
dfde48e456681276752ff191be0916f796a94a12

SHA256
6331a904bc54859cd3bcc9ffd447ac03f070916086db155abd2ec8a048f58954

SHA512
225e71f4fbdf97a016515b341a17df8e6fa8058982cb809400a09bc82824eaf343bf140bc0dbd772d14655c490f36175e3b05e2f5298f9cbd7bf3937e9c7dbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
85B

MD5
7758927f68c6cb60ecd6e8c363f9e28f

SHA1
0540c190bff37469f94d1a2df9c15c19f21a7dd3

SHA256
ad76cfd654740944890ff91169864a0bff56f13f225238822da60d3c0236d2df

SHA512
0984f144de98b46856ac423ec45a15e389033459bc68f05a3e20dd1a89a6762ae6b111dca0ee6c0e26c856b46a3e5bd473ab4b1b8192e10e827ce5402172d7c0

Download Submit