Analysis Overview
SHA256
8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484
Threat Level: Known bad
The file 8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484 was found to be: Known bad.
Malicious Activity Summary
Detect Blackmoon payload
Blackmoon family
UPX dump on OEP (original entry point)
Blackmoon, KrBanker
UPX dump on OEP (original entry point)
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
UPX packed file
Deletes itself
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 02:27
Signatures
Blackmoon family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 02:27
Reported
2024-06-06 02:30
Platform
win7-20240221-en
Max time kernel
148s
Max time network
119s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syslemjlpur.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syslemjlpur.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2324 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe | C:\Users\Admin\AppData\Local\Temp\Syslemjlpur.exe |
| PID 2324 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe | C:\Users\Admin\AppData\Local\Temp\Syslemjlpur.exe |
| PID 2324 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe | C:\Users\Admin\AppData\Local\Temp\Syslemjlpur.exe |
| PID 2324 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe | C:\Users\Admin\AppData\Local\Temp\Syslemjlpur.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe
"C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe"
C:\Users\Admin\AppData\Local\Temp\Syslemjlpur.exe
"C:\Users\Admin\AppData\Local\Temp\Syslemjlpur.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | i2.tietuku.com | udp |
Files
memory/2324-0-0x0000000000400000-0x000000000047F000-memory.dmp
\Users\Admin\AppData\Local\Temp\Syslemjlpur.exe
| MD5 | 45b63a3dd97070a8265bbd4eb028e6c3 |
| SHA1 | 1282e558adc01e6160f3a0bf017e9f3bfc6196ec |
| SHA256 | d3dc441686d5aaf506910dbfb588ff14dbb39f300124d3cb03af693ee46e5d38 |
| SHA512 | 002e84a7efd48066a6fada1f2d4d108a2362cdf0bb6ca279e304ad80945312349a7de842910673dde1d86f9805573c05cc53daa2e3704fd2576b57f34a593f2c |
memory/2324-10-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2324-15-0x0000000003550000-0x00000000035CF000-memory.dmp
memory/2584-17-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lpath.ini
| MD5 | f0b19345292cdf6045d0fe3d16377185 |
| SHA1 | d4dce3873b31ead3a7d4a9936dc313e1cf867018 |
| SHA256 | c05b66788960be8eeda29104f31846c2161a025880873dddcb4b87c7b9216b34 |
| SHA512 | 2a0219c4ee524a4146c9a404a5d7aac35f394b5f184e45d82d5f7f1eeab07e9167cdb31fcf5c147c555a31d8558d7be3aa6e1aee0215c11036821af040d1b077 |
memory/2584-21-0x0000000000400000-0x000000000047F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 02:27
Reported
2024-06-06 02:30
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
137s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syslemgeqkf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syslemgeqkf.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe | C:\Users\Admin\AppData\Local\Temp\Syslemgeqkf.exe |
| PID 1400 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe | C:\Users\Admin\AppData\Local\Temp\Syslemgeqkf.exe |
| PID 1400 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe | C:\Users\Admin\AppData\Local\Temp\Syslemgeqkf.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe
"C:\Users\Admin\AppData\Local\Temp\8c0eb32d1723a6dbd01c696dc81a9f308cf4f0c0d5d4a45b385b2f333e436484.exe"
C:\Users\Admin\AppData\Local\Temp\Syslemgeqkf.exe
"C:\Users\Admin\AppData\Local\Temp\Syslemgeqkf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | i2.tietuku.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/1400-0-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Syslemgeqkf.exe
| MD5 | 3816e472b36345ae775046ee35022e99 |
| SHA1 | f02836d6dd2af7ba61487620cebf7593028c6bda |
| SHA256 | f82a807ba97226e95206fc49c274e0d662136bfe5d5e1be9a4ec0c7ea6f25a6b |
| SHA512 | 67801e4d5c972a4df752de0d0f737d74dbb0dae550a87704feb46e1bd7c49f6d578c90e192cb5242149d7d483511607729bc5b884b6f44c8ab5f9211ee229dab |
memory/1400-14-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lpath.ini
| MD5 | f0b19345292cdf6045d0fe3d16377185 |
| SHA1 | d4dce3873b31ead3a7d4a9936dc313e1cf867018 |
| SHA256 | c05b66788960be8eeda29104f31846c2161a025880873dddcb4b87c7b9216b34 |
| SHA512 | 2a0219c4ee524a4146c9a404a5d7aac35f394b5f184e45d82d5f7f1eeab07e9167cdb31fcf5c147c555a31d8558d7be3aa6e1aee0215c11036821af040d1b077 |
memory/5096-16-0x0000000000400000-0x000000000047F000-memory.dmp