blackmoon | e5bcef72212f77a5390675d5fc24433af0e682db535969894f967a409eefb8aa

Analysis

max time kernel
142s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-08-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0754128f1fd32781886c3d9e7dc138.exe
Size

475KB
MD5

1f0754128f1fd32781886c3d9e7dc138
SHA1

91170c5fd52ea3b5aa77c4b746d0781b3b195a6d
SHA256

e5bcef72212f77a5390675d5fc24433af0e682db535969894f967a409eefb8aa
SHA512

38ec7ead85e45b82c02420da71f0bed58fc199f658f9b2fb7f0a164f5a26dc4ed9e5de7084e7380a3dcc9bfd3be214fbebb3cfb2a316b1d37cee1acbd4116afa
SSDEEP

12288:EfqiJSvtZDd4YQp7T8BPZ0T9XG1rVBbtpIwaDoS8:GqiWfvQpX8T0h2r/b/IDK

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1328-658-0x0000000000400000-0x00000000004C4000-memory.dmp	family_blackmoon
behavioral1/memory/1328-660-0x0000000000400000-0x00000000004C4000-memory.dmp	family_blackmoon

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1328-0-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1328-658-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1328-660-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2276 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2976 1328 WerFault.exe 1f0754128f1fd32781886c3d9e7dc138.exe

pid	process
2276	sc.exe

pid	pid_target	process	target process
2976	1328	WerFault.exe	1f0754128f1fd32781886c3d9e7dc138.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1f0754128f1fd32781886c3d9e7dc138.execmd.exenet.execmd.exenet.exeDllHost.exenet1.exerundll32.exenet1.execmd.exenet.exenet1.exerundll32.exenet1.exesc.exenet1.execmd.execmd.exenet.execmd.exenet.execmd.exenet.exenet1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f0754128f1fd32781886c3d9e7dc138.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Appearance\Schemes	rundll32.exe

Runs net.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1f0754128f1fd32781886c3d9e7dc138.exe

pid process

1328 1f0754128f1fd32781886c3d9e7dc138.exe

pid	process
1328	1f0754128f1fd32781886c3d9e7dc138.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1f0754128f1fd32781886c3d9e7dc138.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1328 wrote to memory of 2316	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 2316	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 2316	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 2316	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 2316 wrote to memory of 2276	2316	cmd.exe	sc.exe
PID 2316 wrote to memory of 2276	2316	cmd.exe	sc.exe
PID 2316 wrote to memory of 2276	2316	cmd.exe	sc.exe
PID 2316 wrote to memory of 2276	2316	cmd.exe	sc.exe
PID 1328 wrote to memory of 1180	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 1180	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 1180	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 1180	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1180 wrote to memory of 2180	1180	cmd.exe	net.exe
PID 1180 wrote to memory of 2180	1180	cmd.exe	net.exe
PID 1180 wrote to memory of 2180	1180	cmd.exe	net.exe
PID 1180 wrote to memory of 2180	1180	cmd.exe	net.exe
PID 2180 wrote to memory of 1928	2180	net.exe	net1.exe
PID 2180 wrote to memory of 1928	2180	net.exe	net1.exe
PID 2180 wrote to memory of 1928	2180	net.exe	net1.exe
PID 2180 wrote to memory of 1928	2180	net.exe	net1.exe
PID 1328 wrote to memory of 2884	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 2884	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 2884	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 2884	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 2884 wrote to memory of 2916	2884	cmd.exe	net.exe
PID 2884 wrote to memory of 2916	2884	cmd.exe	net.exe
PID 2884 wrote to memory of 2916	2884	cmd.exe	net.exe
PID 2884 wrote to memory of 2916	2884	cmd.exe	net.exe
PID 2916 wrote to memory of 2920	2916	net.exe	net1.exe
PID 2916 wrote to memory of 2920	2916	net.exe	net1.exe
PID 2916 wrote to memory of 2920	2916	net.exe	net1.exe
PID 2916 wrote to memory of 2920	2916	net.exe	net1.exe
PID 1328 wrote to memory of 2668	1328	1f0754128f1fd32781886c3d9e7dc138.exe	rundll32.exe
PID 1328 wrote to memory of 2668	1328	1f0754128f1fd32781886c3d9e7dc138.exe	rundll32.exe
PID 1328 wrote to memory of 2668	1328	1f0754128f1fd32781886c3d9e7dc138.exe	rundll32.exe
PID 1328 wrote to memory of 2668	1328	1f0754128f1fd32781886c3d9e7dc138.exe	rundll32.exe
PID 1328 wrote to memory of 2668	1328	1f0754128f1fd32781886c3d9e7dc138.exe	rundll32.exe
PID 1328 wrote to memory of 2668	1328	1f0754128f1fd32781886c3d9e7dc138.exe	rundll32.exe
PID 1328 wrote to memory of 2668	1328	1f0754128f1fd32781886c3d9e7dc138.exe	rundll32.exe
PID 1328 wrote to memory of 2788	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 2788	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 2788	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 2788	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 2788 wrote to memory of 1928	2788	cmd.exe	net.exe
PID 2788 wrote to memory of 1928	2788	cmd.exe	net.exe
PID 2788 wrote to memory of 1928	2788	cmd.exe	net.exe
PID 2788 wrote to memory of 1928	2788	cmd.exe	net.exe
PID 1928 wrote to memory of 2880	1928	net.exe	net1.exe
PID 1928 wrote to memory of 2880	1928	net.exe	net1.exe
PID 1928 wrote to memory of 2880	1928	net.exe	net1.exe
PID 1928 wrote to memory of 2880	1928	net.exe	net1.exe
PID 1328 wrote to memory of 1020	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 1020	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 1020	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1328 wrote to memory of 1020	1328	1f0754128f1fd32781886c3d9e7dc138.exe	cmd.exe
PID 1020 wrote to memory of 1712	1020	cmd.exe	net.exe
PID 1020 wrote to memory of 1712	1020	cmd.exe	net.exe
PID 1020 wrote to memory of 1712	1020	cmd.exe	net.exe
PID 1020 wrote to memory of 1712	1020	cmd.exe	net.exe
PID 1712 wrote to memory of 2408	1712	net.exe	net1.exe
PID 1712 wrote to memory of 2408	1712	net.exe	net1.exe
PID 1712 wrote to memory of 2408	1712	net.exe	net1.exe
PID 1712 wrote to memory of 2408	1712	net.exe	net1.exe
PID 1328 wrote to memory of 2596	1328	1f0754128f1fd32781886c3d9e7dc138.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1f0754128f1fd32781886c3d9e7dc138.exe
"C:\Users\Admin\AppData\Local\Temp\1f0754128f1fd32781886c3d9e7dc138.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config "UxSms" start= demand
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\sc.exe
    sc config "UxSms" start= demand
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2408
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1976
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2436
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1276
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 256
  2⤵
  - Program crash
  PID:2976

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2768

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1040

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2276

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
79c80670a1f627e86c477f22bd2401a0

SHA1
bff9611be80b049401721d51c89f6ab36436ecec

SHA256
efba6b2855bd351e2d47ca88a3b0e5c664146375262f0fb38f6eefb0809d7eaa

SHA512
8afa82b401b1f35433f3187d13b46bd8638884de5f11f7a8b207e304290a077d45511faf5c0bc15025995c797537ad5c67b4b1683ef0ebc43e20d03834be20ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
159bd6a587f370f16522b2a6f690bcc3

SHA1
c07d14fc439997e2f65b982c0702a985b36b9cf8

SHA256
9193c9b28f4e19c5fbd00340dce578825fbc6ce6ab67b1c9082c0d8f64446993

SHA512
a1ddc058193d778b3935ef8f158bb06f014de72124d5561a4d7af99e77921bcfe5ffcb24a1375917d5e438e0f2a1dccb96c1bdc2fa5b6aaf75ca5cabe1788e46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
05471356f0ea1c0f5f5b8deb29c3ebd1

SHA1
12b14b737d1e0f76ca2494fb7a6841e5792a0504

SHA256
cf59479c75a8803468dd2a2c1d2803a2694c41992d5a0b3b65b1c69c28d1eac7

SHA512
942285259612792c2b3a45a65483e0775314841e397e815d447fd8f69f63f5de1ac48653a051c0121bd73415655c468772d39ce72bb1ba3d8ae367f78143502b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
7c048eaacd1820ac933dccc0b872fa05

SHA1
955999eb7463f7e4031d551e24fbd1e1fb812197

SHA256
614d7a9ca519b3aa741a512e95f6f99aedd25e8c1630d30d13dd9735b562b3be

SHA512
09f35a1a69344e64b13f0a54ecc82cd7dd1ee9124bfc274fcd5fe8af2a07e30bbf0841d9230591cbbe12bc8f066f5f36e1577b82d5d1f3f0eb6b9b5154ce5d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
b65aeb1b3da0b96313cc6e10dde4afe0

SHA1
34039989280d6d5a45793deaab79665c79b74b8d

SHA256
0254d776e25aeb83f195aacc7d477cd37683932586b27fdb7f09836d08296a3c

SHA512
be5c22848ee3491061feaab9c8e708e04e5d34bc0d8b46e816e059e6616c0114cfe5f40aee935f9d5dee546a990efa3bca00bdec03bcc29fedad37d0dbda95ea

Download Submit
memory/1328-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1328-658-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1328-660-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download