blackmoon | 7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe
Size

69KB
MD5

76870c07bc94ec595e48cb53ae2238b7
SHA1

646a5e243b89e2147fdcf7a9c8cd9819bc555d1b
SHA256

7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670
SHA512

83797fa56eb0c8b4ff3022ad088c2d9ee65337b40d73ead8d50a349f34bba49fc9273ef1968c080d65bda4bb72416c97af8347fae2a316cc8a7373d78941b325
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8aq:T6DJrXAnHmgMJ+dOnFoutaq

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/1728-28-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/1728-56-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/2720-64-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
2720	Sysceamazyeu.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe
1728	7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1728-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1728-28-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/files/0x0005000000019581-36.dat	upx
behavioral1/memory/1728-56-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2720-64-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamazyeu.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe
2720	Sysceamazyeu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2720	1728	7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe	32
PID 1728 wrote to memory of 2720	1728	7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe	32
PID 1728 wrote to memory of 2720	1728	7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe	32
PID 1728 wrote to memory of 2720	1728	7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe	32

C:\Users\Admin\AppData\Local\Temp\7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe
"C:\Users\Admin\AppData\Local\Temp\7cb876b509b09048969e815f642ee47ffb5674be6894fd54859dc037d44a8670.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\Sysceamazyeu.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamazyeu.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
01d2024d46260d8d34e004f31938029e

SHA1
c861442f92ff8ba35b43ba815e0f29a797ccf2bf

SHA256
36083c2ada9c24939d94c1c8a5f2d9cb1b55f38db092b416ef90d4df3ef43db4

SHA512
d3946f1df466f9b46f75a1c8510e49f3cb0cd970a98b5f517001d7fc6441857414a59f35b912e5eec13059258b8a00945fe0dbe2153c2f8e2a5270a3fc135342

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
d25bb45271ef5aa6f701e0e2ea24fc55

SHA1
34b5a07b41318b97197fc55f29be3c48846217c1

SHA256
ab8bef536e2149e2c24eb41b8f60ef441aded676d31747e1484048e851215dde

SHA512
dfb48aac208609b431c5052973ecabda8ba96d609037fa1a1ab90a634cf20d3b870d647e8a78a5956075486af225972b96cc004ecdba2caa1ae80558eb7bd5cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
dfb350249cfa43f47051e6983d8d6a6e

SHA1
b8cb477c9cb691efe8cc5f2698d9c0452498d91b

SHA256
741208e7df88d090b15d70a8301f1dbf8a6c88243393111551e433361ffb4160

SHA512
73363b418bebe92a0c9f5f026455e09bf2a8f0b89d28f9441e70f60fad6c9e577fa9d4c7c5c402bd583ca612490d87c7b6e03fe4f60ab651435d8b27676b04bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
421d23f4453b621f027d8c81b9f41d55

SHA1
a95038b160dfa3d5108c9b7953b549b3e73b0af2

SHA256
215141e0f68188ed974ae8feb678cd97ea47d4d7b485b10295bb0a759ffd26d4

SHA512
e40275cb6e61df7b78021d17affea04772e74bc8c244ceeed0723c9a607a9a6f2539c74923c9a5ce4371a97e09b9682663af4d29353c217563d1f1bd431065d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
e4c1521ea19e957bb4339806669b1194

SHA1
cd162a5300468bbdfa509f470e71cad844c73406

SHA256
19c9d2c30d2399b5f662d5e7dc2d8cd723b24b19febc2935b3291a704268161c

SHA512
7a5708aa80a4ab01ec676f57840d781fd0e6c33475b8823572dcc2b09af709ab51a811e3b36bb302162c2136ab54a5d8db1cf1468bb6d6e4752c9a413eec442e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
1282fbf444a8dc6aed112f1b9cf311c2

SHA1
3d0a2ba7a2dc5e0b0b43d7c7281ac580158d57f1

SHA256
a0647e84fa55a1e64b3eabfb164bfd88e71cbc7f4b155daac001db646c87cb7b

SHA512
c1a346ee2603ffc14c1f4e1375c2e84fdb47525fd251cfe3b3f8341439a14d78cca6b896d504791492df4c3bc031e39b4585fd1455e989b5456b34bf31fe4dd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
2c2141ebef15b8e82a0f5afc51ac556f

SHA1
b31fd5683de926b90ce8fe2a471ea93c797a8c82

SHA256
60806b326ed1f38a4d2f18c0ec0787edc890222b5248c66f340aa9fdaad35c30

SHA512
46189b58cf8f8cdbdd5b68a4511d5820f607edb04f3a024ccbc39d5a8d374d7f7602a5f96261d33b9edd4420e2237ac46359e53c77dc49331e76e2ff499968ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
25a4caef039dba25f405c843352f81cf

SHA1
6f57a47362aae727daba33835fadc5e65998572b

SHA256
c87e5776a8e3635c90750afeb04798dcb5cb952afea2be6ac4ad1a8e611cc7da

SHA512
9aee0016b600a04bd904fe020172527c86ba7a8d2e9be1a8f18b9cd116f81c77fd6b7cd25f58cb02255f5a1600ccbbb84b1e4c74a3727df4ffc53e25290d9251

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1F05.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamazyeu.exe

Filesize
69KB

MD5
d1c3588f961618bed92050b65e661045

SHA1
45bfb86eab30ab3926b6b4293d1e5642691eeb45

SHA256
002625cb70d30dce8622e18dbebf7a14bafa635b24a145dcb4abaafb4622fbb9

SHA512
4b90fecd115077eea666df8cf68f2be7970eb30fc5b1f8cae02b1140e6715e5acb08a29b927be29b212933c1b1c7154c2fcb56bfd6e718df280bf82e6b5c1edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
2da8150716a6475b88fb878ac12f8dd4

SHA1
e5fad70f0b7a3ffc060dff9b9beb13ceb5aef350

SHA256
2a82f5d226f259534331cbbbac9383a976de1c7a624201761b2c3cc703e457ba

SHA512
7763a609e59dd95ab010d42e2d78ae705c08e35606d32377941390dcf45a48037fb06075a8fba3dd16157a14e710379653fbdc7311e5c68c5981f4f5e5e203fd

Download Submit
memory/1728-56-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1728-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1728-28-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2720-64-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download