blackmoon | 812241ef6c9649f97b0635692a1844ddb9be6fa2e16dde57888c40bb5ca8e501

General

Target

dnf千珏辅助v5.12/千珏5.12破解版.exe
Size

1.4MB
MD5

ef9f66ff2fcea551cfc5f29169bfb30d
SHA1

34a40e865239648e3f58dee8d88c4726ca9c152b
SHA256

17a507ceffc7000806a8dd2e636e74f1864c830e2c6e39646d2cd6be125f3604
SHA512

74204f819ccdeebaa0653311accf1a4881213dda736c54078c11a83774bf14ffcf1a965757da8669a692c854f3b30521db9f2f648e0158a6614399f03f5de3dc
SSDEEP

24576:9ZPpclG45Vocf/7mjYY1G4uv/iorfWtRGR06qZ0V3gQznmPrSd+nKbtk+64WV:elG4jocHkMCorfgkR06qZc3gQzmPrS4d

Score

10^/10

blackmoon banker discovery exploit trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122b8-3.dat	family_blackmoon

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2796	takeown.exe
2628	icacls.exe

Executes dropped EXE 2 IoCs

pid	Process
668	千珏05-10A破解版.exe
2396	001.exe

Loads dropped DLL 3 IoCs

pid	Process
2180	千珏5.12破解版.exe
2180	千珏5.12破解版.exe
2180	千珏5.12破解版.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2796	takeown.exe
2628	icacls.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/668-18-0x0000000002270000-0x000000000243D000-memory.dmp	vmprotect
behavioral1/memory/668-16-0x0000000002270000-0x000000000243D000-memory.dmp	vmprotect
behavioral1/memory/668-19-0x0000000002270000-0x000000000243D000-memory.dmp	vmprotect

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\linkinfo.dll	001.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
668	千珏05-10A破解版.exe
2396	001.exe
2396	001.exe
2396	001.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2796	takeown.exe
Token: SeDebugPrivilege	2396	001.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
668	千珏05-10A破解版.exe
668	千珏05-10A破解版.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 668	2180	千珏5.12破解版.exe	28
PID 2180 wrote to memory of 668	2180	千珏5.12破解版.exe	28
PID 2180 wrote to memory of 668	2180	千珏5.12破解版.exe	28
PID 2180 wrote to memory of 668	2180	千珏5.12破解版.exe	28
PID 2180 wrote to memory of 2396	2180	千珏5.12破解版.exe	29
PID 2180 wrote to memory of 2396	2180	千珏5.12破解版.exe	29
PID 2180 wrote to memory of 2396	2180	千珏5.12破解版.exe	29
PID 2180 wrote to memory of 2396	2180	千珏5.12破解版.exe	29
PID 2396 wrote to memory of 1028	2396	001.exe	30
PID 2396 wrote to memory of 1028	2396	001.exe	30
PID 2396 wrote to memory of 1028	2396	001.exe	30
PID 2396 wrote to memory of 1028	2396	001.exe	30
PID 1028 wrote to memory of 2796	1028	cmd.exe	32
PID 1028 wrote to memory of 2796	1028	cmd.exe	32
PID 1028 wrote to memory of 2796	1028	cmd.exe	32
PID 1028 wrote to memory of 2796	1028	cmd.exe	32
PID 1028 wrote to memory of 2628	1028	cmd.exe	35
PID 1028 wrote to memory of 2628	1028	cmd.exe	35
PID 1028 wrote to memory of 2628	1028	cmd.exe	35
PID 1028 wrote to memory of 2628	1028	cmd.exe	35
PID 2396 wrote to memory of 2680	2396	001.exe	36
PID 2396 wrote to memory of 2680	2396	001.exe	36
PID 2396 wrote to memory of 2680	2396	001.exe	36
PID 2396 wrote to memory of 2680	2396	001.exe	36

C:\Users\Admin\AppData\Local\Temp\dnf千珏辅助v5.12\千珏5.12破解版.exe
"C:\Users\Admin\AppData\Local\Temp\dnf千珏辅助v5.12\千珏5.12破解版.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\千珏05-10A破解版.exe
  "C:\Users\Admin\AppData\Local\Temp\千珏05-10A破解版.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:668
- C:\Users\Admin\AppData\Local\Temp\001.exe
  "C:\Users\Admin\AppData\Local\Temp\001.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c takeown /f "C:\Windows\SysWOW64" /r /d y && icacls "C:\Windows\SysWOW64" /grant administrators:F /t
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\SysWOW64" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\SysWOW64" /grant administrators:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat
    3⤵
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\001.exe

Filesize
42KB

MD5
bb79ebf3e0fd5981bb68b15886e09233

SHA1
ec9923e51740ae1196efacf592379e56d6e16820

SHA256
32e46989c60e4aace09e6031dfdbe273fa7a7e9c875022a290461c3ef153dcba

SHA512
632cd1d2c90e5eff666bc3cf19a0fa0cf7ef559b6121814af983dfddb3f0d4812f6d5ee6b2de7cac58d72a50f4fbc66c47f1c813ccd72d3ce9b79e202d16a979

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat

Filesize
124B

MD5
e8be3e3b1e361fdfda9ae8ca8375ea4f

SHA1
f346097a67bb97c1bb93bcc44a568887374d4b37

SHA256
cb0f6202b7db68a72516c4841d3b26ccf00900880765bc1f37b168c0338c07e6

SHA512
067a73e450e6e5d49c8f8adb40df1975ebd4ba0eb6d911283e5dcd2d4a0bf40759fa39aa8a79fcff8c6f81e7d3ff4c9226c21266dea96190c053cada42060ca1

Download Submit
\Users\Admin\AppData\Local\Temp\千珏05-10A破解版.exe

Filesize
2.0MB

MD5
b43ed4e982d8c47fa31dbc66488806f3

SHA1
982d56cf97ab2348c3b6118ba618ad5000c1a361

SHA256
004d894cb015bdb0560b1c77b985e7a072f84f7e0f3c68564ebd24b1cde1ed46

SHA512
b4b2c6a1a2af2f195494a9248ec13b5ce30941bc51f965ee9d88150c4289acfdc9683503c8b2d26502efe07ccd4bc7c16a0e6dc6ae3899d93c10b9fb870b9ff8

Download Submit
memory/668-18-0x0000000002270000-0x000000000243D000-memory.dmp

Filesize
1.8MB

Download
memory/668-16-0x0000000002270000-0x000000000243D000-memory.dmp

Filesize
1.8MB

Download
memory/668-19-0x0000000002270000-0x000000000243D000-memory.dmp

Filesize
1.8MB

Download
memory/668-25-0x0000000002270000-0x000000000243D000-memory.dmp

Filesize
1.8MB

Download
memory/2180-0-0x0000000000220000-0x00000000002CC000-memory.dmp

Filesize
688KB

Download
memory/2396-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing