blackmoon | a92b3eac0add9d96cfe368f83f99d03f41638bbbbf433f3f7dc76c7c411707a7

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a92b3eac0add9d96cfe368f83f99d03f41638bbbbf433f3f7dc76c7c411707a7_NeikiAnalytics.exe
Size

2.8MB
MD5

34a2e6ee244078eaccc848855b74cae0
SHA1

efebf2e9631a2de4f0214c109e5346a0e77d4845
SHA256

a92b3eac0add9d96cfe368f83f99d03f41638bbbbf433f3f7dc76c7c411707a7
SHA512

31229a6657289b0790c29de8ddf7a1225321f52467cb01a34e4820cd3577f6d692a74bfcbeca8ef41ed2c4e7e0ab3111d43aac99337e0bd3c2ff6222de206568
SSDEEP

49152:tOMNT+hOy1U8EkTYN/KXeqpomFsE01zdBST1WT:oMNChj1U8MN/KXeOFs7OWT

Score

10^/10

blackmoon banker persistence privilege_escalation trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00090000000235f1-3.dat	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
3724	MVVYMX.JBD

Loads dropped DLL 2 IoCs

pid	Process
3724	MVVYMX.JBD
3724	MVVYMX.JBD

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ESPI11.dll	MVVYMX.JBD
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	MVVYMX.JBD

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD
3724	MVVYMX.JBD

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1232	a92b3eac0add9d96cfe368f83f99d03f41638bbbbf433f3f7dc76c7c411707a7_NeikiAnalytics.exe
1232	a92b3eac0add9d96cfe368f83f99d03f41638bbbbf433f3f7dc76c7c411707a7_NeikiAnalytics.exe
3724	MVVYMX.JBD
3724	MVVYMX.JBD

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 3724	1232	a92b3eac0add9d96cfe368f83f99d03f41638bbbbf433f3f7dc76c7c411707a7_NeikiAnalytics.exe	88
PID 1232 wrote to memory of 3724	1232	a92b3eac0add9d96cfe368f83f99d03f41638bbbbf433f3f7dc76c7c411707a7_NeikiAnalytics.exe	88
PID 1232 wrote to memory of 3724	1232	a92b3eac0add9d96cfe368f83f99d03f41638bbbbf433f3f7dc76c7c411707a7_NeikiAnalytics.exe	88
PID 3724 wrote to memory of 4356	3724	MVVYMX.JBD	89
PID 3724 wrote to memory of 4356	3724	MVVYMX.JBD	89
PID 3724 wrote to memory of 4356	3724	MVVYMX.JBD	89

C:\Users\Admin\AppData\Local\Temp\a92b3eac0add9d96cfe368f83f99d03f41638bbbbf433f3f7dc76c7c411707a7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a92b3eac0add9d96cfe368f83f99d03f41638bbbbf433f3f7dc76c7c411707a7_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\MVVYMX.JBD
  "C:\Users\Admin\AppData\Local\Temp\MVVYMX.JBD"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\netsh.exe
    netsh winsock reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:8
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ESPI.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVVYMX.JBD

Filesize
2.8MB

MD5
e4349f6f42a0c85dcc6cd27bc3d45566

SHA1
1ef46f4019f9c95db33e0550c6af2ea96824a4c8

SHA256
24c1eed5c770d6ba2b36f12e861c98e0c4414bf871e22d5b6d168fbd0976a6cf

SHA512
fc27795af2adafcd76be7e84aead8a21e36068b34acde09aea4666d400281cd2d94b0560518fe69588f964d9c1212084eb7190148135ff75bb9a92892239037e

Download Submit