blackmoon | 6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
Size

429KB
MD5

7647dc0130941bff01215752980e4536
SHA1

5d04ca1147c9ab021c7da8dfe0e5d3cfdc20a044
SHA256

6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766
SHA512

e6aaa93ebe92ffcc07fbc80334b70e666b99b105d1788bae19f23aac97612e0a04bfbf26a3b0730381d36cc92e82ed3f1845b2251ef7717228c549fcf28e03ba
SSDEEP

6144:MelnyUqrd8IudLvfOtd3BAgxatWX3RWyC:MWyUadkTCd3BAvWX3RWyC

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Syslemqtkwj.exe	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe

Deletes itself 1 IoCs

Processes:

Syslemqtkwj.exe

pid process

1812 Syslemqtkwj.exe
Executes dropped EXE 1 IoCs

Processes:

Syslemqtkwj.exe

pid process

1812 Syslemqtkwj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1812	Syslemqtkwj.exe

pid	process
1812	Syslemqtkwj.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exeSyslemqtkwj.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Syslemqtkwj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exeSyslemqtkwj.exe

pid	process
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe
1812	Syslemqtkwj.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe

description	pid	process	target process
PID 3372 wrote to memory of 1812	3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe	Syslemqtkwj.exe
PID 3372 wrote to memory of 1812	3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe	Syslemqtkwj.exe
PID 3372 wrote to memory of 1812	3372	6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe	Syslemqtkwj.exe

C:\Users\Admin\AppData\Local\Temp\6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe
"C:\Users\Admin\AppData\Local\Temp\6355dc0b8703d2e902ffd0e0050dce1358ed31c207a573717998524bcc058766.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\Syslemqtkwj.exe
"C:\Users\Admin\AppData\Local\Temp\Syslemqtkwj.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
ff107ae20d7a89c8b8fba51355ba9c91

SHA1
4e4a238998e146727e8983350e0087cd9bcd0cdc

SHA256
dfe9dc0a3cb671b0f773a085cf0e6b6526264e3cbbdf92ace71843f2d210f900

SHA512
b0e5e70deb133390c877ae2431dc85cf433ea68422757a6a4d2172a9ed8760b6b313e8ba639f325984eea53fd2f7b18a43d6ebcb45839448eb343ed04e1be02c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
de4cc294fa5c8a81f7ec5b403d768956

SHA1
fa9165d715bff4574332ee257ca5c9dcbbc79886

SHA256
f426e89a8df9b9095a3a1d141b18fa643afc812e724b6fc58f1fc20446618a27

SHA512
8bf6731f8735e31d108de74e1c9449a0bfb41a69c307721d86db96b087b10838b5bbec16259cf5a64d9ba05d76a02fd7cb0125089409e8a4b1e163325671f29e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
9e93c2f42249ee74c71f9720256177c7

SHA1
a0f1066821b2710ae121f1bb75db3f0a4cd73516

SHA256
d363f811b9e47f0436896a4c6b77ab9730b01052d42db3a464d18996ba2ebbdd

SHA512
e4db584cade9a5b57c1cf430a17c1cff1d4d3b758bced7cdef3801855b651fd14bf61050f2d26c83f0da3a35de81649e23ef35bd643399cd68c19584e7d63244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
4a4289be5a9d33c9b9307fefda380274

SHA1
de0282b54cd32abbc80e31607f2bad4c359da609

SHA256
83db61db2ab389758218201713ecfbd64b20bae221be4fafcd5e000907787882

SHA512
339ae41d467cfc74e3b49c248922c18e4418b5abb09043dfae50c0da58fcbac3de2a185cfe0e9f85ed2fbd99dc6f7a5d8d45a1b18b86e62c29bc49497d392c0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
724489c569ec5ed3b0261b02262fa52c

SHA1
d01500ecba03cd57c4d01a1964564b3865c0ef0c

SHA256
f87c8787ccc485efe81f834044c4de4e9298f4204fc24e744a635b0edc4e94f3

SHA512
1f3efd428ac95a28696d0157de2bbe1e2cdec0d02b85dab5fe57d39c845e8676d4005ab9c66f1da23d21f934404f755b1653bc06a804d2a202344bef6517a096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
97e839a284fad90bc8b01884ec684a39

SHA1
9ce3bf6cc992972035711eea4f44b4fb52c2b9f1

SHA256
48210105ed2e73d26bba80a61b28c3412afd0ec3916618e8fea2d1ff43188ed6

SHA512
a305bb34253e83647f561ecd732f8f80c9721bde75f692e8abf6349064173697bcdfb0828590ed09ee2bafc60707769157affbe8b583374c333d58f7623cec28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
1cae220807f8ac2a2511f6614fe1f3a1

SHA1
8cc74ed23316ba062d13cef3650d671a131c1de2

SHA256
c33de35b2bd6be3df1c9b5431d3057532c9b303cd4d448aec242c36efbc28a00

SHA512
4b1792d6f3399e4ad4f0443a09b45956862c7f36000775566dd373f83dde1713de6082bee0d9fb2afa4059be41dd5ba9596da6e4258a7e9b2a1fb18471487a65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
3bcd0bd83a2dee95b3b205083ad393d1

SHA1
d7fa26523892e4375a29c8a675a5f46732e08b0b

SHA256
a7014a5275250210e4229dae9a354127f57f86d9f18e079ef3f70d5eb31b4ad2

SHA512
a19e5d18e2e19a1a3ba0443c2702b5b2647c3a952c7d1dd1ed460287a98a99ab9d0b525094f513833dacf53e3c9ae6c5b7efe409718df6fa8f31f1eb6c7f62a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syslemqtkwj.exe

Filesize
429KB

MD5
c3daaa2a4bf6fcb4b34497a18fd95b3e

SHA1
31dbd274f4fc462356bf702fbc09f3fc7fa1995b

SHA256
7a1f86b37d3e757f971b14e332d3ae55db4a4d2d7c3be3a5040ee59c8b676f6e

SHA512
45cc514d28f57f35da8e53f886d8fbfadf7390081be9c23078ccee831b966d219a455aadace034f86e143fcc88cfe8bf258eb5d076ebce707a3068adff17047c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
77117532f746d7c500dd1c84a7f90ba1

SHA1
efa9051a498efd1f7adc64ea0638057a73e7af66

SHA256
3436cdafdf717bd1d8d26ff6cca290212bfc2f7bbf7ec7db11e5891c7facf3eb

SHA512
cd091dc6fad8fba94c872b422bef65a6c54cf641cde961946bf59d9bdcecde609f4453951fa7d1f2e4332c8783671bce61842767855cad87fb2276565e36988e

Download Submit