blackmoon | 08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe
Size

407KB
MD5

ea674bd1692f4fb8a0cd801bcef0d469
SHA1

f422c27a1ab1c73d1eb426169eb858ead0184019
SHA256

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a
SHA512

5ff2f47a7d23f6dfe38e79371c22fd2e0571a9a56dab5e87c9a79c4176840f6e6026264446768206ae7bd684fb8931cd86778c4592d3c9feebfbe31ca8cbc4ea
SSDEEP

6144:K5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zIydenCU:K5/Q58drihGiLhmGNiZsx0B/zIkenCU

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1440-0-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/files/0x0007000000023cc9-26.dat	family_blackmoon
behavioral2/memory/1440-49-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/1440-63-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/2336-71-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

Executes dropped EXE 1 IoCs

Processes:

Sysceamtveoi.exe

pid	Process
2336	Sysceamtveoi.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1440-0-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/files/0x0007000000023cc9-26.dat	upx
behavioral2/memory/1440-49-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1440-63-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2336-71-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Sysceamtveoi.exe08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamtveoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

Modifies registry class 1 IoCs

Processes:

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sysceamtveoi.exe

pid	Process
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe
2336	Sysceamtveoi.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe

description	pid	Process	procid_target
PID 1440 wrote to memory of 2336	1440	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe	96
PID 1440 wrote to memory of 2336	1440	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe	96
PID 1440 wrote to memory of 2336	1440	08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe	96

C:\Users\Admin\AppData\Local\Temp\08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe
"C:\Users\Admin\AppData\Local\Temp\08659f2cc61c104f9eb6289bd07ae1a75bfce2425094026e0767f224805b976a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Local\Temp\Sysceamtveoi.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamtveoi.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
5a4c0fd5d1eba994934539e997d0c905

SHA1
be11fecbbbb4f1a743b147267186220c635fc99c

SHA256
1ab20cdd5171ca71b45820d3007362656a4688ad3e24a307aa21efcf1e19c4d6

SHA512
a48f8b011fe1da57723efaeeb2fee18527a419fd94efa3868c9878a7c0e2a044c555841294626af26fef26b40fe61cdab2eacf32ea9e9d42bf9408499267d6eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
46f7b237bbb75ef043afad3d23908529

SHA1
d5499c1a4f2a6dd24eb24514a213013718034141

SHA256
a10541ed19a2ab59d094527e04de33f0eb5ace547d65287c300745d1b6b31dd2

SHA512
0d84281bc79bbfd2e81f001227c8eeac24e33806e66e2589050420b2694b67aa3170d0a9aa26d075e8b6a24f22808a66fc4b919b3af4a8ce745e046fe7a1f77e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
fb5feb48eafcb383086dca8aca4025f6

SHA1
97084d331e2e419a59dc39d5c7ed598e1ebb79f2

SHA256
6a6960a25637c3b8482de1c3b478252202d8e9b46d51e175d4b8ec1e43b616d6

SHA512
c8614c044cbc3fd462849253acf982fe8309b46ed38d9e84c3995faf4c977f50d5793a4d5cc3fddce5dd13210b142d71015af47a156933289d32e8084a0c29d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
51b582cffbb0ab89d0c4cdac41be7b76

SHA1
de56d032cbf16f55677549b33cc80730d272dc92

SHA256
161344cf170eda7e9172e385e5128c8ee88de0d9b677f46476ef07b2a6a3b952

SHA512
41da6ef7d9fd74b375b414e6109cf683a8ebb9191dd15849d728d9ffcd301f33b557265c19260033dcf36443eb0b7167c4475db0b9a8bc4c0a3b50a892fb97aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
96f9201c9fa6ae9c5ba16407f584034f

SHA1
26fddafd61a209fc4a4888f28f3b29a745ad8920

SHA256
2401a565b3fe7df9d06960e53a8ad1514938e41a2657d870e4c3104c04a04d30

SHA512
479f4804fae19a9dafd0f264fa0cd2b75142140fe31600137883c4f79db69cfcbe38ceaa263a4ad111e280d4a4b44784f8b16ddb9d2f7c5622f4f9b246fd92e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
00939105ae5cb81c4539377de5b9cf03

SHA1
b607ce2cb9c4438fc6f3a86a544390887da41bb7

SHA256
9e0531f682908fdb6460c28f23e14307e2b0564d3f3cf3588b9aa1d4358052d8

SHA512
2ed63541eb7c1de975fd1af819d7ccb2d55bb1daf70f75c2ab8a9ff46a38cf5cc138643ccbceb4d59e1583900c75cc8ec8df741740728bccc0171ffae46baef9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
a7980743ce1937a93bd54475bbf57d2c

SHA1
10989ce2ecb8c7a613b976c751ec0e5898c4fb9c

SHA256
5aaae7ba232f12ce654a96ae83083d9a71aae9072be3ba982d9f599297dc1174

SHA512
8c30bbc7c510c9fafa80e47ab5551606d0fb30f441f37b962e32509a0768a0813e1f6180a42a1269487929804beb91dcc3df99c65acffc960a56eef149904c0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
937d5fc29281bf96cea018b27e9f2a70

SHA1
52be3a4168fbc827c0d8425226c383a65ab252d0

SHA256
27c5adb8b936338711733a724b5e45d22dbfface9752fad178df988d3619e7a4

SHA512
48308195838002045d82c6087ba9983db6afa4fc04f0adba032e5f2cdcf480b6a2cd801e6272d20a5f088a6cef53d27b14100baff096b6e6df171d67f6407cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamtveoi.exe

Filesize
407KB

MD5
b9f772631f4d426d96372eda8a610433

SHA1
ee6724925c940d677fca8c9979b14924d16f2b0a

SHA256
f72210e0767d3440835fa9ddcba374adddaf93478614ae523e2052aa77cc80b5

SHA512
4ee6b16dd7a189ae8afc4305cef8a83dc649774b37f6224cdf1cf20fe614ba935b0416169769798466a575900263f3cc51db2e0ec487f927a2185ced9e1e38cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
cc98b9dbfcbd0dc77cc761187366936c

SHA1
d53cb8343edec65b0477f6259bfedef7c5a058cc

SHA256
aa96018c74edf48e6f350ce38ef988cf8b511dc5e49263d3ba08f318bdcd0189

SHA512
d695bd348fac90e7f69d9aa144cba9d2b7f1bc513275b5e5d04e6dd98be27cedf6890fcad3d69a9b86c9d490838fbeab8ec6bf22dd9323cb763eab70ac33eadb

Download Submit
memory/1440-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1440-63-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1440-49-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2336-71-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download