blackmoon | 08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe
Size

407KB
MD5

ea674bd1692f4fb8a0cd801bcef0d469
SHA1

f422c27a1ab1c73d1eb426169eb858ead0184019
SHA256

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a
SHA512

5ff2f47a7d23f6dfe38e79371c22fd2e0571a9a56dab5e87c9a79c4176840f6e6026264446768206ae7bd684fb8931cd86778c4592d3c9feebfbe31ca8cbc4ea
SSDEEP

6144:K5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zIydenCU:K5/Q58drihGiLhmGNiZsx0B/zIkenCU

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4284-0-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\Sysceamgkyex.exe	family_blackmoon
behavioral2/memory/2284-59-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/4284-58-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/4284-66-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/2284-74-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

Executes dropped EXE 1 IoCs

Processes:

Sysceamgkyex.exe

pid process

2284 Sysceamgkyex.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4284-0-0x0000000000400000-0x0000000000469000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Sysceamgkyex.exe	upx
behavioral2/memory/2284-59-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4284-58-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4284-66-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2284-74-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exeSysceamgkyex.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamgkyex.exe

Modifies registry class 1 IoCs

Processes:

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sysceamgkyex.exe

pid	process
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe
2284	Sysceamgkyex.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

description	pid	process	target process
PID 4284 wrote to memory of 2284	4284	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe	Sysceamgkyex.exe
PID 4284 wrote to memory of 2284	4284	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe	Sysceamgkyex.exe
PID 4284 wrote to memory of 2284	4284	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe	Sysceamgkyex.exe

C:\Users\Admin\AppData\Local\Temp\08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe
"C:\Users\Admin\AppData\Local\Temp\08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\Sysceamgkyex.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamgkyex.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
5a4c0fd5d1eba994934539e997d0c905

SHA1
be11fecbbbb4f1a743b147267186220c635fc99c

SHA256
1ab20cdd5171ca71b45820d3007362656a4688ad3e24a307aa21efcf1e19c4d6

SHA512
a48f8b011fe1da57723efaeeb2fee18527a419fd94efa3868c9878a7c0e2a044c555841294626af26fef26b40fe61cdab2eacf32ea9e9d42bf9408499267d6eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
46f7b237bbb75ef043afad3d23908529

SHA1
d5499c1a4f2a6dd24eb24514a213013718034141

SHA256
a10541ed19a2ab59d094527e04de33f0eb5ace547d65287c300745d1b6b31dd2

SHA512
0d84281bc79bbfd2e81f001227c8eeac24e33806e66e2589050420b2694b67aa3170d0a9aa26d075e8b6a24f22808a66fc4b919b3af4a8ce745e046fe7a1f77e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
fb5feb48eafcb383086dca8aca4025f6

SHA1
97084d331e2e419a59dc39d5c7ed598e1ebb79f2

SHA256
6a6960a25637c3b8482de1c3b478252202d8e9b46d51e175d4b8ec1e43b616d6

SHA512
c8614c044cbc3fd462849253acf982fe8309b46ed38d9e84c3995faf4c977f50d5793a4d5cc3fddce5dd13210b142d71015af47a156933289d32e8084a0c29d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
51b582cffbb0ab89d0c4cdac41be7b76

SHA1
de56d032cbf16f55677549b33cc80730d272dc92

SHA256
161344cf170eda7e9172e385e5128c8ee88de0d9b677f46476ef07b2a6a3b952

SHA512
41da6ef7d9fd74b375b414e6109cf683a8ebb9191dd15849d728d9ffcd301f33b557265c19260033dcf36443eb0b7167c4475db0b9a8bc4c0a3b50a892fb97aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
6811b0a254044453477607833168502a

SHA1
06e5a637f742514ea8e42f571ae125017dcd5680

SHA256
fb39255615dfaf487a9a5746528e7b6358cb7d244060a11c8f55231d05140c6c

SHA512
606dc8bf745bfa4715bc792f3679a843036265437d8b77d60a62ef022846a419e8351e405899d160d7a2f1b0d4bddb7a7205b6d85b3cecaa4a4b012f3a53a3ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
8e5a37a2eef770f07c26b80eda3cab57

SHA1
e811a2c22161d75f424e6dce2c8ec142f9bb31b7

SHA256
4d98fa8a26f37964187b3de0323bbb25ae17502079a6bf52d043cd9254b423ef

SHA512
17cdc407606ca85aa207517f926b2027922804e58e9b4c4431398d8690c4c490531da0bfc939bac3bbc397caa7ffbf55ecdcb95f4b4f967875ae6cae066085c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
1974d4dfe6b2c30dc7d9aca3428c6023

SHA1
639fe1f6b8d8f43afdd5f2a25ea5ba86e1013e3e

SHA256
afb227ca429534af68daed2a19669028fc5e2eb1504073296f0e7499a16c285a

SHA512
6e4978fa82900d983558632d06dd843cdb3de702e30651f8c195d372ccc2111846f972f848266eba089cf651d646d2f5e7f86437267ee7f6996e66512babe3cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
b8c84a14b60007188d9566bd69668229

SHA1
bacb977d21e883eb3fb899482484b87ac973e9c2

SHA256
df8c357d4df1856b190e794f480a75e7269f6986c2bf0f4a6e3d224d4049ad13

SHA512
af6672b1850d60db450f05cbc1708336a056a0e3256adf7018156198e1b92fe4b4ac34038175e5f2933eb8172f328d50c77030ecd2ec37b6e768f7e2089dc822

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamgkyex.exe

Filesize
407KB

MD5
dbbee4f1f190dcdbf0780cc5c07a6849

SHA1
230be3c8a7a542412cd7ea47835e7fd981169d78

SHA256
ec630b3d61df0a9c3195570dd8a9ef50579f3ff1db2adc9de14612e1f08a1cd8

SHA512
c68289a267ac15107863b43829744d08b3042c6d7a1e28a8018b3fc3e91e20b9dfe53ff94b984be7ca46af6e92c506996aa0fe9195704b18f796bf68eaff6905

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
cc98b9dbfcbd0dc77cc761187366936c

SHA1
d53cb8343edec65b0477f6259bfedef7c5a058cc

SHA256
aa96018c74edf48e6f350ce38ef988cf8b511dc5e49263d3ba08f318bdcd0189

SHA512
d695bd348fac90e7f69d9aa144cba9d2b7f1bc513275b5e5d04e6dd98be27cedf6890fcad3d69a9b86c9d490838fbeab8ec6bf22dd9323cb763eab70ac33eadb

Download Submit
memory/2284-59-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2284-74-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4284-66-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4284-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4284-58-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download