blackmoon | 0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
Size

432KB
MD5

c9180c88cd835f8a3f1d45f85fdf9c30
SHA1

9da1b8cedc9b6f95bf4d660e917c1df04c73c420
SHA256

0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210
SHA512

44ea63f82a8e384b5739ba93255f2807c41a06673556df640f7abdb175affe7fcddd1bf43e2d7b1590efe20552611e38b2795b364accfdd9b91aa85e7a2c795d
SSDEEP

3072:TVmHpJqu0Vh6jw/fmZmRMpVuWwP5tOcQfgdVqYHKjoS1HwZCFjTPG1UFNE2XCKUB:TcHpJfHElepVuWwP5YcQfg8J+ojCKC+o

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c9c-8.dat	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe

Deletes itself 1 IoCs

pid	Process
2148	Systemvjtho.exe

Executes dropped EXE 1 IoCs

pid	Process
2148	Systemvjtho.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Systemvjtho.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe
2148	Systemvjtho.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 2148	3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe	86
PID 3164 wrote to memory of 2148	3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe	86
PID 3164 wrote to memory of 2148	3164	0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe	86

C:\Users\Admin\AppData\Local\Temp\0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe
"C:\Users\Admin\AppData\Local\Temp\0ee7d4e963d87c5ada609b350f9c3d29b0d0b9574fd305ca9a92fa23787c6210N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\Systemvjtho.exe
  "C:\Users\Admin\AppData\Local\Temp\Systemvjtho.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Systemvjtho.exe

Filesize
432KB

MD5
ceb4472ac5977c22645b0b47eaa7f125

SHA1
ee4f50b94db292b652ee9f0737d402f6435ee49a

SHA256
5c55cf2cd1f244618df95e46f3ab28812574c1e8199a5ce91e84cc1d95ba8979

SHA512
bd11dea2794acea4fe3dffc8f8b68d52a57bcc15d9eed7e127e6b05f745fbbe64a0a0dafe3adeed2aa6915321c2db345dacae20d5e725ef6df2fd4f019331928

Download Submit
C:\Users\Admin\AppData\Local\Temp\path.ini

Filesize
103B

MD5
22a733e8132324973384d79499b32ff8

SHA1
87e6159bbcbe12706181c7fb712da44f25c4b3ee

SHA256
ef968090a6d5da4e5343242a66af7997265964d3d0314e5b15717f31997637b8

SHA512
b8f1a0a6e90c55db85c5e0d5f5f181de14f052dad1d99a886ab0fee37439991c0f2ff4c30b16318ec694757323aeace133e24c62ecb5a498a73840db69323e08

Download Submit