blackmoon | 2aad7cc2d556bf6f1281cc4f045f62b26f33a56321c775351efff872b2930c5b

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a38c65812da22e5b7efd3e0346ea580N.exe
Size

69KB
MD5

6a38c65812da22e5b7efd3e0346ea580
SHA1

84999de5b65149622596be6ca845eaed2844eee0
SHA256

2aad7cc2d556bf6f1281cc4f045f62b26f33a56321c775351efff872b2930c5b
SHA512

fc706969dbd9dcf49ba9527e4cd14c7b4ed2714d8072318a7e6647fb2a4fecd245a7b2de03c17ac059cd2537952bccaa97bbc67184203c651b88aff9ec4f651a
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8an:T6DJrXAnHmgMJ+dOnFoutan

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral2/memory/1956-55-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/1956-56-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/3096-72-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	6a38c65812da22e5b7efd3e0346ea580N.exe

Executes dropped EXE 1 IoCs

pid	Process
3096	Sysceamyqyhn.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1956-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/files/0x0007000000023462-26.dat	upx
behavioral2/memory/1956-55-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1956-56-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3096-72-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a38c65812da22e5b7efd3e0346ea580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamyqyhn.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6a38c65812da22e5b7efd3e0346ea580N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe
3096	Sysceamyqyhn.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 3096	1956	6a38c65812da22e5b7efd3e0346ea580N.exe	92
PID 1956 wrote to memory of 3096	1956	6a38c65812da22e5b7efd3e0346ea580N.exe	92
PID 1956 wrote to memory of 3096	1956	6a38c65812da22e5b7efd3e0346ea580N.exe	92

C:\Users\Admin\AppData\Local\Temp\6a38c65812da22e5b7efd3e0346ea580N.exe
"C:\Users\Admin\AppData\Local\Temp\6a38c65812da22e5b7efd3e0346ea580N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\Sysceamyqyhn.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamyqyhn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
962aec77d80cfed1c63b1755c98c0ac4

SHA1
5066b1243a8580d7f5a7c981806570f9ac0b8f57

SHA256
0512e164a6915d1db717e96c0d85af3f7bc9b4bdcaa078a62997cc06361454f8

SHA512
b0743185619514586c84df48040f2f7a6a384d12a0ffc302e4cb4189cc31ad193f2523d8338d3bb314c83b708d05ee9f3659974498831a45483015c7ab0b35c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
cc4cedb5831d904176cb81a0be3e0131

SHA1
79c3a87e9a705c755d5b64592eedc5506f37b9ef

SHA256
8c2837dfa89fdc513d4ee7c30a9f352cdd27753b23bfb14d313d39563589c67b

SHA512
b7cb4b27076f3b1dccb4a054055477a1fed94fad3d5b8096c7bd7e986ab44d89b151030cbff2bf6f2fc7267e0001f5c810c09963b78fe348c35c1d15808c522b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
7c78ca6fd7f0f2c70479d57bddb85e2e

SHA1
93db6dcaf3504e249af7311c0fa3827f97be80a6

SHA256
5068530c2fa5642374b20f12bbd6673a438eee78940660d09200c18c84003164

SHA512
57b5fb33f01892b703f3e79bf2286527c8818bc4b53090ca58df27168225bb155b6f191b29fd094166473efdcb4b841c558be22a9a0cb5a0f80e4e5d6a8be3b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
e68a9d02309bf6c827000101eef3711b

SHA1
2efcc96ced2977b7c2133581f5152d64b9cb0aab

SHA256
01cd05904573dac01c88de3660067fa3bce3084ee07217613e97ffe2f202acb6

SHA512
a7d5416323248e12c07e57fa0bfd716bbf6f099df406e6800fc3bee9805f72ac504c0014be1f85bcf968043f6bce002a93f3b4b3cbe8c72eaf33366d2bc958ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
ff9d08b5c9278ef620e349f065c6382e

SHA1
01b35c4c1e7b26a1171417fc5c3cba3b5125ee42

SHA256
cb75438ed5fdd4fdb8b9040521f1b3354b105da86f2e73e2baedd3b5c6de7b3b

SHA512
600c1184af21e48428cd4ea6dbdf54305108fce3281205abc40613c3f47d5a18a9cbd37558bef3038d778706e00bfcbd262a0d811cad56d99fff319cd5b0c12f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
81dc7719411c2c3beb4a2a4fffc3d588

SHA1
ecaa3c4b588bbb020c6e781e69750ac903af57da

SHA256
800a1a14c8c99939b8a7d93c514b707d7999dd6dbe4c1289510cb4cc1589ccce

SHA512
773e0e1486db9b52ac09c59ace578d0b60781dabe8f3a9feb40cd83e6abb3c214c9fec6d57a31e3421da40476921663b458465e228aa67ca1746d6d0782bc2a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
3c5dc912415a47385327dd5a402a82a2

SHA1
41dd9f3d26076532dbc39b94cfec63bd770920e3

SHA256
ced772bb6a6676f201755321650620b6aa9df18f3b9fc6fb374aee6b8561d4e9

SHA512
967ed6d6ee30ac77d195f1288141292e217be4270d81c983584f01a8de1562e8b997145c4bbff3187064c5b0cc8189ddec074495ffbcb44df263e462ca306460

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
af710c96736d27a7cca6dde46ad7531f

SHA1
89950ecc8d1074f1df81cdbf28dc6d85399940ef

SHA256
ef663ec35a472606a0f3b3527237b205c530d64a1a279ce922dfd581679cf1a9

SHA512
aa0769d4288bb0d629909a7df15e9e4a6b80d2af11e7edaa1ec15f1279091dd12c8a6b58bb77477e786cd06c6520006d1b7c364c641c30424cf0830732827a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamyqyhn.exe

Filesize
69KB

MD5
4fb518e939293816775dceace501ddd3

SHA1
26b10f44a43f0416e4cab5e1f75c93568b1a2fef

SHA256
a9eb9ee2bc26e3e0b677dca8243dfd3ccf0217e64cc7bd31fcd6b2ab4b4458c8

SHA512
90b9249128f82dcc44a6e71020693648b8481063cba070468f852184b9d3c6ae20fd8f6de85ea84abeb9cdce6f78bbbc8119709ed12636dc63ac6f6fcef4c3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
71B

MD5
04195e14d94db2e2602f3f4160c3732c

SHA1
ed5cd78003d11ee56784065d33633ac91b561632

SHA256
edc0844553698dcbc959406402865ba94bdbe9e49f1f2ff4a2c4450cf4d4e342

SHA512
dd6fc3491503fb6d84043bc0b13ad2ef17bf37160858e230304c19841efabf9bc56a55e7bb938bc8586a0d4fe4f7407647654a84d6f92c35c9436b636ef9359b

Download Submit
memory/1956-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1956-56-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1956-55-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3096-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download