blackmoon | fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Size

2.3MB
MD5

d9c1ca97433bbfad45d6109aaf6db50d
SHA1

8f702f11009a9a5f27a5e697e51decb032a0e233
SHA256

fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4
SHA512

20b844ea3e234ed10c4d12699a9cc79c96ba01de2f16823ddeb225d6155f8c948609418b3b0e92985e9adde9063dd6e1317783139fa9b1f4346352636d7a85b3
SSDEEP

49152:OAR6pHImCXi45lSevpEie7zoDp349aXZmMAQ0f3/xtg813zvH48:OwI7Wl5Yei1o1349unnoxm8NzA

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233c4-22.dat	family_blackmoon
behavioral2/memory/1320-33-0x0000000000400000-0x00000000004D4000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Microsoft.exe

Executes dropped EXE 5 IoCs

pid	Process
2252	sg.tmp
1320	Microsoft.exe
5048	四方平台-卡商端.exe
2740	Microsoft.exe
4156	Microsoft.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\system32\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\system32\Microsoft.exe	Microsoft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2440	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1320	Microsoft.exe
1320	Microsoft.exe
2740	Microsoft.exe
2740	Microsoft.exe
2740	Microsoft.exe
2740	Microsoft.exe
2740	Microsoft.exe
2740	Microsoft.exe
4156	Microsoft.exe
4156	Microsoft.exe
5048	四方平台-卡商端.exe
4156	Microsoft.exe
4156	Microsoft.exe
4156	Microsoft.exe
4156	Microsoft.exe
4156	Microsoft.exe
4156	Microsoft.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: SeRestorePrivilege	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: 33	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: SeIncBasePriorityPrivilege	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: 33	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: SeIncBasePriorityPrivilege	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: 33	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: SeIncBasePriorityPrivilege	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: SeBackupPrivilege	2276	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: SeRestorePrivilege	2276	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: 33	2276	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: SeIncBasePriorityPrivilege	2276	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: 33	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: SeIncBasePriorityPrivilege	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: SeRestorePrivilege	2252	sg.tmp
Token: 35	2252	sg.tmp
Token: SeSecurityPrivilege	2252	sg.tmp
Token: SeSecurityPrivilege	2252	sg.tmp
Token: 33	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: SeIncBasePriorityPrivilege	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
Token: SeDebugPrivilege	5048	四方平台-卡商端.exe
Token: SeDebugPrivilege	4156	Microsoft.exe
Token: SeDebugPrivilege	4156	Microsoft.exe
Token: SeDebugPrivilege	4156	Microsoft.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1320	Microsoft.exe
2740	Microsoft.exe
4156	Microsoft.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2816	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	82
PID 2744 wrote to memory of 2816	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	82
PID 2744 wrote to memory of 2276	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	84
PID 2744 wrote to memory of 2276	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	84
PID 2744 wrote to memory of 2276	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	84
PID 2744 wrote to memory of 2252	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	85
PID 2744 wrote to memory of 2252	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	85
PID 2744 wrote to memory of 2252	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	85
PID 2744 wrote to memory of 1320	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	87
PID 2744 wrote to memory of 1320	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	87
PID 2744 wrote to memory of 1320	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	87
PID 2744 wrote to memory of 5048	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	88
PID 2744 wrote to memory of 5048	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	88
PID 2744 wrote to memory of 5048	2744	fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe	88
PID 1320 wrote to memory of 2740	1320	Microsoft.exe	89
PID 1320 wrote to memory of 2740	1320	Microsoft.exe	89
PID 1320 wrote to memory of 2740	1320	Microsoft.exe	89
PID 1320 wrote to memory of 2752	1320	Microsoft.exe	90
PID 1320 wrote to memory of 2752	1320	Microsoft.exe	90
PID 1320 wrote to memory of 2752	1320	Microsoft.exe	90
PID 2740 wrote to memory of 4156	2740	Microsoft.exe	92
PID 2740 wrote to memory of 4156	2740	Microsoft.exe	92
PID 2740 wrote to memory of 4156	2740	Microsoft.exe	92
PID 2752 wrote to memory of 2440	2752	cmd.exe	93
PID 2752 wrote to memory of 2440	2752	cmd.exe	93
PID 2752 wrote to memory of 2440	2752	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
"C:\Users\Admin\AppData\Local\Temp\fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=1397248 -len=983820 "C:\Users\Admin\AppData\Local\Temp\~7138543200642989446.tmp",,C:\Users\Admin\AppData\Local\Temp\fac6e21ff51aed5adeeb92a7b10966a81dd62861edfc2cc2b25f48a003187df4.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\~1109734940593239639~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~7138543200642989446.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~6587029943965823795.." -psdgvdhgdtjkfylk
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\~6587029943965823795..\Microsoft.exe
  "C:\Users\Admin\AppData\Local\Temp\~6587029943965823795..\Microsoft.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\Microsoft.exe
    -auto
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\system32\Microsoft.exe
      -troj
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2440
- C:\Users\Admin\AppData\Local\Temp\~6587029943965823795..\四方平台-卡商端.exe
  "C:\Users\Admin\AppData\Local\Temp\~6587029943965823795..\四方平台-卡商端.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~1109734940593239639~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6587029943965823795..\Microsoft.exe

Filesize
772KB

MD5
8847c7592559c1abae98e4a2ff27fe56

SHA1
e2021e630c04f1a17a9b0adbd82d0352336660c3

SHA256
54fbc5b98a9a81aaa1af810240b93c6d59ae80c0423932ab47be6d6e3bb68593

SHA512
51e0b1e3a27c3c6e2fa2d44b7b05b0caaae007938e622f1abaa786ff665fffbadc12a711fc9a52459cd49a61fe8367ebfc9fd3fad05f8004e59f9d24ff05b315

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6587029943965823795..\四方平台-卡商端.exe

Filesize
940KB

MD5
e601bab2e205d4e4e40c25b5b32e9a5e

SHA1
06f2ac99ca3bc4d7117bc3c3373eea8ec5794ae7

SHA256
888d7e39d10668a0eb5e0ab93e8799f813ee7f011cb2888be3d3c3bcc2279023

SHA512
c954d1d186a4e0ffcf5f2a45565aa05d432febfa63e5e55f9af0958aa8a5f8bd35cc68c5f7bf66a65d13f6f7596f35cec4c92e87ef1cc19377125d16f9c87c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7138543200642989446.tmp

Filesize
960KB

MD5
cae082813336b3820009bc9944c0ebed

SHA1
5a2a3870ca0a5c18ba0aea8e8629d5a2812ed305

SHA256
ac19e6e0a84838d4664568f6ade79b05050266efbd6850816681e0b9c76863c5

SHA512
8653f9d9457c6471b71841761788c3b5db84e145c91ba23485a0ba96694994250fe80b20e54584bc6f7da2db5a31ca07186e4f04d19b34208730829dcc67232d

Download Submit
memory/1320-33-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/5048-101-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-98-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-38-0x0000000004C80000-0x0000000004D9A000-memory.dmp

Filesize
1.1MB

Download
memory/5048-39-0x0000000005480000-0x000000000551C000-memory.dmp

Filesize
624KB

Download
memory/5048-65-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-75-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-79-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-73-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-71-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-69-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-67-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-63-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-61-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-59-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-57-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-55-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-53-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-32-0x0000000004DB0000-0x0000000004ECA000-memory.dmp

Filesize
1.1MB

Download
memory/5048-99-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-37-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/5048-95-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-93-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-91-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-90-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-87-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-85-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-83-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-81-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-77-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-51-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-49-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-47-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-45-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-43-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-41-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-40-0x0000000004C80000-0x0000000004D93000-memory.dmp

Filesize
1.1MB

Download
memory/5048-4867-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/5048-4868-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/5048-4869-0x0000000005620000-0x0000000005676000-memory.dmp

Filesize
344KB

Download
memory/5048-4870-0x00000000068C0000-0x00000000069FA000-memory.dmp

Filesize
1.2MB

Download