Malware Analysis Report

2024-11-16 13:51

Sample ID 240620-e8fxyaygrc
Target e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb
SHA256 e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb
Tags
blackmoon banker trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb

Threat Level: Known bad

The file e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb was found to be: Known bad.

Malicious Activity Summary

blackmoon banker trojan upx

Detect Blackmoon payload

Blackmoon, KrBanker

UPX dump on OEP (original entry point)

UPX packed file

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses
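The "UPX packed file" and "UPX dump on OEP" entries above come from the sandbox's own signatures, which are not reproduced on this page. The block below is an added example, not the sandbox's code, that performs the static half of that check by hand: it walks the PE section table, reports UPX-named sections, the empty first section that UPX reserves for the unpacked image, and the entropy of the section that holds the entry point. It uses only the Python standard library, and the three PE images it inspects are constructed inside the block (a UPX-style layout, the same layout with renamed sections, and a plain unpacked layout); the sample from this report is not embedded here.

```python
"""Static check for the 'UPX packed file' / 'UPX dump on OEP' signatures: parse the
PE section table and look for UPX section names, the empty first section UPX
leaves for the unpacked image, and a high-entropy section holding the entry point.
Added example (not the sandbox's signature code); standard library only, and the
PE images it runs on are constructed below."""
import math
import random
import struct
from collections import Counter


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", pe, opt + 16)[0] if opt_size >= 20 else 0
    sections, off = [], opt + opt_size                    # section table follows
    for _ in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(entropy(raw), 2)})
        off += 40
    return entry, sections


def upx_indicators(pe: bytes) -> dict:
    """Combine three heuristics: UPX section names alone are enough; the empty
    first section plus a high-entropy entry section catches renamed builds."""
    entry, secs = parse_sections(pe)
    ep_sec = next((s for s in secs
                   if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    upx_names = [s["name"] for s in secs if s["name"].upper().startswith("UPX")]
    empty_first = bool(secs) and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0
    hot_ep = ep_sec is not None and ep_sec["entropy"] > 7.0
    return {"upx_sections": upx_names, "empty_first_section": empty_first,
            "entry_section": ep_sec["name"] if ep_sec else None,
            "entry_entropy": ep_sec["entropy"] if ep_sec else None,
            "likely_upx": bool(upx_names) or (empty_first and hot_ep)}


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 from [(name, va, vsize, raw_bytes)]; only the
    header fields the parser above reads are filled in."""
    e_lfanew, opt_size = 0x40, 224
    raw_off = (e_lfanew + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    headers, data, ptr = b"", b"", raw_off
    for name, va, vsize, raw in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw),
                               ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        data, ptr = data + raw, ptr + len(raw)
    img = dos + b"PE\0\0" + coff + opt + headers
    return img.ljust(raw_off, b"\0") + data


# Constructed inputs: pseudo-random bytes stand in for compressed code.
_rng = random.Random(7)
HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(2048))
PLAIN_CODE = b"\x55\x8b\xec" * 100 + b"\xc3"                      # repetitive, low entropy
PACKED = build_pe([(b"UPX0", 0x1000, 0x10000, b""),               # empty: unpacked image lands here
                   (b"UPX1", 0x11000, 0x1000, HIGH_ENTROPY),      # stub + compressed data, EP here
                   (b".rsrc", 0x12000, 0x200, b"\0" * 256)], 0x11100)
RENAMED = build_pe([(b".text", 0x1000, 0x10000, b""),             # same layout, names edited
                    (b".data", 0x11000, 0x1000, HIGH_ENTROPY),
                    (b".rsrc", 0x12000, 0x200, b"\0" * 256)], 0x11100)
PLAIN = build_pe([(b".text", 0x1000, 0x400, PLAIN_CODE),          # ordinary unpacked binary
                  (b".data", 0x2000, 0x200, b"\0" * 256)], 0x1000)

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("renamed", RENAMED), ("plain", PLAIN)):
        print(label, upx_indicators(img))
```

The static result only tells you the file is packed; the "UPX dump on OEP" signature is the dynamic complement, where the sandbox waits for the stub to finish decompressing and dumps memory at the original entry point, which is the dump you would actually hand to a disassembler.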

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 04:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 04:36

Reported

2024-06-20 04:39

Platform

win7-20240221-en

Max time kernel

118s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\NOesjXLyD.exe | N/A
N/A | N/A | C:\Program Files (x86)\NOesjXLyD.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\NOesjXLyD.exe | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | N/A
File opened for modification | C:\Program Files (x86)\NOesjXLyD.exe | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\NOesjXLyD.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\NOesjXLyD.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\NOesjXLyD.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2220 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | C:\Program Files (x86)\NOesjXLyD.exe
PID 2220 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | C:\Program Files (x86)\NOesjXLyD.exe
PID 2220 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | C:\Program Files (x86)\NOesjXLyD.exe
PID 2220 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | C:\Program Files (x86)\NOesjXLyD.exe
PID 2220 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 3068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1280 wrote to memory of 3068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1280 wrote to memory of 3068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1280 wrote to memory of 3068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2252 wrote to memory of 2576 | N/A | C:\Program Files (x86)\NOesjXLyD.exe | C:\Program Files (x86)\NOesjXLyD.exe
PID 2252 wrote to memory of 2576 | N/A | C:\Program Files (x86)\NOesjXLyD.exe | C:\Program Files (x86)\NOesjXLyD.exe
PID 2252 wrote to memory of 2576 | N/A | C:\Program Files (x86)\NOesjXLyD.exe | C:\Program Files (x86)\NOesjXLyD.exe
PID 2252 wrote to memory of 2576 | N/A | C:\Program Files (x86)\NOesjXLyD.exe | C:\Program Files (x86)\NOesjXLyD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe

"C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe"

C:\Program Files (x86)\NOesjXLyD.exe

-v7e84g C:\Program Files (x86)\\NOesjXLyD.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\NOesjXLyD.exe

edfg4

Network

Country | Destination | Domain | Proto
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp

Files

memory/2220-0-0x0000000000270000-0x000000000029F000-memory.dmp

\Program Files (x86)\NOesjXLyD.exe

MD5 f22939ce61308c6b66e0e605bed242d9
SHA1 c73be09b2c2b56f6a7948660452c644c3c61f8a0
SHA256 e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb
SHA512 9dfae3f95d0380bd08204e655781a4ef7af2e393f5dc2d71ac51777b8c40a54c11fa3a6392f97043958e45863fd33473af79363157dbed31e6a6b4a247c94bf6

memory/2220-7-0x0000000000270000-0x000000000029F000-memory.dmp

memory/2220-6-0x0000000000400000-0x00000000004388F2-memory.dmp

memory/2252-8-0x0000000000320000-0x000000000034F000-memory.dmp

memory/2252-11-0x0000000000320000-0x000000000034F000-memory.dmp

memory/2576-12-0x0000000000240000-0x000000000024B000-memory.dmp

memory/2576-13-0x00000000002D0000-0x00000000002DB000-memory.dmp

memory/2576-14-0x00000000002E0000-0x00000000002E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 04:36

Reported

2024-06-20 04:39

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\NOesjXLyD.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\NOesjXLyD.exe | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | N/A
File opened for modification | C:\Program Files (x86)\NOesjXLyD.exe | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe

"C:\Users\Admin\AppData\Local\Temp\e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb.exe"

C:\Program Files (x86)\NOesjXLyD.exe

-v7e84g C:\Program Files (x86)\\NOesjXLyD.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1
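Two of the behaviours in this report are easy to turn into host-side detections: the cmd.exe chain seen in both runs (a loopback ping used as a delay, then del of a file in the sample's own Temp directory, which is the "Deletes itself" / "Runs ping.exe" pair) and the "Checks computer location settings" registry read of Control Panel\International\Geo\Nation from the second run. The block below is an added example, not the sandbox's signature code, that implements both as rules over Sysmon-style process-creation and registry events. The events it scans are constructed to mirror this report; the sample file name sample.exe, the benign control events and the Event record layout are assumptions for the example, not data from the page.

```python
"""Added example: two host-side rules for behaviours flagged in this report,
run over constructed Sysmon-style events (not the sandbox's own signatures)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:                       # constructed record layout, not a Sysmon schema
    kind: str                      # "process" or "registry"
    image: str
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""        # registry path for "registry" events


# cmd.exe chaining a loopback ping (a sleep) with del of a file: the self-delete
# idiom. "cmd/c" without a space is accepted because this sample spelled it that way.
SELF_DELETE = re.compile(
    r"/c\s*ping(?:\.exe)?\s+-n\s+\d+\s+(?:127\.0\.0\.1|localhost)\b[^&]*&&\s*del\s+(\S+)",
    re.IGNORECASE,
)
# Geo\Nation is the locale check the 'Checks computer location settings' signature fires on.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def detect_self_delete(ev: Event) -> Optional[dict]:
    """Flag cmd.exe running the ping-then-del chain; confidence rises when the
    deleted file lives in the same directory as the parent that spawned cmd."""
    if ev.kind != "process" or not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE.search(ev.command_line)
    if not m:
        return None
    target = m.group(1).strip('"')
    same_dir = target.rsplit("\\", 1)[0].lower() == ev.parent_image.rsplit("\\", 1)[0].lower()
    return {"rule": "self_delete_via_ping", "target": target, "parent": ev.parent_image,
            "confidence": "high" if same_dir else "medium"}


def detect_geo_check(ev: Event) -> Optional[dict]:
    """Flag a registry read of the machine's configured nation."""
    if ev.kind != "registry" or not GEO_NATION.search(ev.target_object):
        return None
    return {"rule": "checks_geo_nation", "process": ev.image}


def scan(events: List[Event]) -> List[dict]:
    hits = []
    for ev in events:
        for rule in (detect_self_delete, detect_geo_check):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed events modelled on this report; sample.exe is a placeholder name.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
SID = r"\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000"
EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\cmd.exe", SAMPLE,
          r'"C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del '
          r"C:\Users\Admin\AppData\Local\Temp\sample.exe > nul && exit"),
    Event("process", r"C:\Windows\SysWOW64\PING.EXE", r"C:\Windows\SysWOW64\cmd.exe",
          "ping -n 2 127.0.0.1"),                               # child of the chain, not cmd
    Event("process", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
          "cmd /c ping -n 2 10.0.0.1 > nul && echo up"),        # benign: remote host, no del
    Event("registry", SAMPLE, target_object=SID + r"\Control Panel\International\Geo\Nation"),
    Event("registry", SAMPLE, target_object=SID + r"\Control Panel\International\Locale"),
]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

On a real host the process rule needs the parent image from the event source (Sysmon event ID 1 carries ParentImage; registry reads are event ID 12/13 when configured), and the ping target list should include ::1 if you see IPv6 loopback used as the delay.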

Network

Country | Destination | Domain | Proto
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
US | 52.111.227.14:443 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp
HK | 43.242.202.46:8268 | N/A | tcp

Files

memory/4220-0-0x0000000002130000-0x000000000215F000-memory.dmp

C:\Program Files (x86)\NOesjXLyD.exe

MD5 f22939ce61308c6b66e0e605bed242d9
SHA1 c73be09b2c2b56f6a7948660452c644c3c61f8a0
SHA256 e433263dc9392afab1d2e5113a21078c70c2642af4cec51d493e57ce6796ddfb
SHA512 9dfae3f95d0380bd08204e655781a4ef7af2e393f5dc2d71ac51777b8c40a54c11fa3a6392f97043958e45863fd33473af79363157dbed31e6a6b4a247c94bf6

memory/4220-5-0x0000000000400000-0x00000000004388F2-memory.dmp

memory/4220-6-0x0000000002130000-0x000000000215F000-memory.dmp

memory/1948-7-0x0000000002140000-0x000000000216F000-memory.dmp

memory/1948-8-0x0000000000620000-0x000000000062B000-memory.dmp

memory/1948-9-0x0000000000620000-0x000000000062B000-memory.dmp

memory/1948-10-0x0000000002140000-0x000000000216F000-memory.dmp

memory/1948-11-0x0000000000620000-0x000000000062B000-memory.dmp