Analysis Overview
SHA256
749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca
Threat Level: Known bad
The file 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca was found to be: Known bad.
Malicious Activity Summary
Blackmoon, KrBanker
Blackmoon family
Detect Blackmoon payload
Checks computer location settings
Executes dropped EXE
Deletes itself
Loads dropped DLL
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 19:33
Signatures
Blackmoon family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 19:33
Reported
2024-10-18 19:36
Platform
win7-20240903-en
Max time kernel
148s
Max time network
123s
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syslemnridt.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syslemnridt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2216 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe | C:\Users\Admin\AppData\Local\Temp\Syslemnridt.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe
"C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe"
C:\Users\Admin\AppData\Local\Temp\Syslemnridt.exe
"C:\Users\Admin\AppData\Local\Temp\Syslemnridt.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | i2.tietuku.com | udp |
Files
memory/2216-0-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2216-7-0x0000000000400000-0x000000000046E000-memory.dmp
\Users\Admin\AppData\Local\Temp\Syslemnridt.exe
| MD5 | e73fa9495849bbffaeb0a8a20a225745 |
| SHA1 | dd564527ddbc7cc8cb3cf586670ab4a4b9d68a43 |
| SHA256 | b3c0b757a7aa4e15090905167b2cd595aa0e8c02ae81486fd85c7ea874926a5f |
| SHA512 | a8ce3b19f61ce0ca377cd69806b1ae4048b2902932f4c014ddb466de5edafa0c1d334ebfccf39011140ed071a9ad85e068551bc91b0a9556f28f99df70cfd375 |
memory/2216-11-0x0000000003290000-0x00000000032FE000-memory.dmp
memory/2828-17-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lpath.ini
| MD5 | fb8abda925a7cb9a18da9e549724471d |
| SHA1 | 0c21ff317ab37de37e6b1a395e2a84700cf57ba0 |
| SHA256 | cbba1a97f432a53f3618722a406b77fba78e4f5c61a0d07145e894043a2a0cc0 |
| SHA512 | b230ef8fb52fc6eca54b1319df6a8344deb4dcfa23b645dc99deca9ed71976996951bb7b3a2cb6f92293cbb09e36c47ce1954a0bfbd0552539778b1e1950b3ec |
memory/2828-21-0x0000000000400000-0x000000000046E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 19:33
Reported
2024-10-18 19:36
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syslemfjhdm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Syslemfjhdm.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Syslemfjhdm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3808 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe | C:\Users\Admin\AppData\Local\Temp\Syslemfjhdm.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe
"C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe"
C:\Users\Admin\AppData\Local\Temp\Syslemfjhdm.exe
"C:\Users\Admin\AppData\Local\Temp\Syslemfjhdm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | i2.tietuku.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/3808-0-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Syslemfjhdm.exe
| MD5 | b1561b8097825001868a411d13b246ac |
| SHA1 | e1200afabfe8e64a501a7fbadd841d69b7b86283 |
| SHA256 | 005021d5ceab9a1a70ba2da4ee5d03c2fd498915fc8abdd0008f0ec70fdb2384 |
| SHA512 | 1d8d5566f31a82fb45662c449f10e1c05d8da8665313ce553bb15610867e21b38965d9da3f20c11f1008dfabf4ea80f700d68abce9a146d16bf5d1231f82221a |
memory/3808-14-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lpath.ini
| MD5 | fb8abda925a7cb9a18da9e549724471d |
| SHA1 | 0c21ff317ab37de37e6b1a395e2a84700cf57ba0 |
| SHA256 | cbba1a97f432a53f3618722a406b77fba78e4f5c61a0d07145e894043a2a0cc0 |
| SHA512 | b230ef8fb52fc6eca54b1319df6a8344deb4dcfa23b645dc99deca9ed71976996951bb7b3a2cb6f92293cbb09e36c47ce1954a0bfbd0552539778b1e1950b3ec |
memory/4948-16-0x0000000000400000-0x000000000046E000-memory.dmp