blackmoon | c961b2e6f55bb61679b05fc2f7682b9b9dc38a8ebed6d13a765b5616c02537a4

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c961b2e6f55bb61679b05fc2f7682b9b9dc38a8ebed6d13a765b5616c02537a4.exe
Size

69KB
MD5

edb9a65619a546dd5a1b6575fbdc8c4a
SHA1

ce51a59dd2a56d26fbc39fd49e8466dab85a60c9
SHA256

c961b2e6f55bb61679b05fc2f7682b9b9dc38a8ebed6d13a765b5616c02537a4
SHA512

39e37f58d7762bd1d7904068d1c7ca675e7f1652fda9d3dfefcb5a66a83b7f8d70dac3d6bef23c140f4d7eebed639f42ec23d3cb581c8e885c4244ae0ea5626b
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8aV:T6DJrXAnHmgMJ+dOnFoutaV

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/3504-55-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/2456-72-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	c961b2e6f55bb61679b05fc2f7682b9b9dc38a8ebed6d13a765b5616c02537a4.exe

Executes dropped EXE 1 IoCs

pid	Process
2456	Sysceamudvud.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3504-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-26.dat	upx
behavioral2/memory/3504-55-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2456-72-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c961b2e6f55bb61679b05fc2f7682b9b9dc38a8ebed6d13a765b5616c02537a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamudvud.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c961b2e6f55bb61679b05fc2f7682b9b9dc38a8ebed6d13a765b5616c02537a4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe
2456	Sysceamudvud.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 2456	3504	c961b2e6f55bb61679b05fc2f7682b9b9dc38a8ebed6d13a765b5616c02537a4.exe	95
PID 3504 wrote to memory of 2456	3504	c961b2e6f55bb61679b05fc2f7682b9b9dc38a8ebed6d13a765b5616c02537a4.exe	95
PID 3504 wrote to memory of 2456	3504	c961b2e6f55bb61679b05fc2f7682b9b9dc38a8ebed6d13a765b5616c02537a4.exe	95

C:\Users\Admin\AppData\Local\Temp\c961b2e6f55bb61679b05fc2f7682b9b9dc38a8ebed6d13a765b5616c02537a4.exe
"C:\Users\Admin\AppData\Local\Temp\c961b2e6f55bb61679b05fc2f7682b9b9dc38a8ebed6d13a765b5616c02537a4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Local\Temp\Sysceamudvud.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamudvud.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
1758359ee32157906c71c777f2a26f56

SHA1
415d075034075e23cc1cc2e759052cd3cc242add

SHA256
0de8c9b3cf9395f790491a47bdd7c5e1b68f71734b19f53021dd06f57c271c9d

SHA512
b3ac4dde2bb5e36001adb938ee7441faa3e5b9f4c6583794b5b9c1faef3ebc51bb35e1f553792364b2ce38f78b0efc45d4f45e891bb2a8ade3e465310f721b91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
c14edec7dda5ee9da53cbf72aa9c7090

SHA1
0983ebea8bab164f27092dc206becf1eab1c4d3c

SHA256
51227d73473e010b87c803e6683e7e1c32d8534b59ee693435aff2b743f649c8

SHA512
25fcc418d98dee89803fd75f20393d80705dc5c5fbd31f7837bcec489d2065b538f9c9fd9dfeca5850a7b24a53d72ec8b7c251c7342c359ec97048abb88c1a4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
57ac591f2b1590c584bb650cc414b8f0

SHA1
6ca4ce6a317c4c9b602e2782070dd4ec4c9a0481

SHA256
ceefa7cdbdb6c6c31edfdbfaee528ab713304d9218a59be395e327d38491acdd

SHA512
daefef78cbaab6f4474c5f84e9bf38da43f97baa164e23572f22f5cbca61f5cca6e3b3c5fe373e508138fd5abeccdf77598223df728af1f2523a5faa4b45f29a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
717fa0328e43fff9534bf5bca36b224c

SHA1
11cf8c63ff76aa5f88a511c186d1b88aeec22a6d

SHA256
60af9de0d396f589db5d24a16ed6bb212397a436badf131bf6046ae7e3b7fd1e

SHA512
be78377f416af49bb0282eaadd5072bbff73a58324615d1f12dc6ac1fa0e7fed092e25569dfbb1cf2518d9f6c97d1632b9c1753cbdac3b1201191cc8032aab1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
36a15d1560d7c28fca6a375c4ef77535

SHA1
e473a842511f19688e749a298519db91fca36108

SHA256
2f1b817f1c7782578b574a704fb09a2ca58457013be8bc45589740a4ec6eac26

SHA512
98f975b3007af6956ddc98111eb72d72a2af0b775ae1853879eb807a4843b68c3f4e172ca1c46da456653b540b4ce961dfade2901f6982bcf4d59637a20e025d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
47de30b3ad1459f21caabc391febde4a

SHA1
aebc5da2136ffc6ac8f0cc64f648b082239a4c13

SHA256
615d9a9107f30d4ab9f08ec3271dab2d3642f77e7263e4f882b1e13853a55304

SHA512
5a150edfdf63e210a8ef2a071066da51c5131fe819dd1ce53ce0d90d9a033b0422b445ac75d9b2df573d5e147e690dd2265bc7fe26b7baf6a71d4e5ab0bc4e4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
5b79746c3ecfb53e9bdc64e877a3dcd2

SHA1
9c3f8b99b7eedf4b86b2638a302c4aff60251264

SHA256
666114904bfe3cfde957d20be6f7b2285f9a732adf838508d1a01a12495a05da

SHA512
174b5b91db0315f80f5b98a632b01735f914a6097340e4612641f76062058e37efd4369a8b3196d2c10d54ef185c850872ba2d116f6e99e532cc86c9cfb7fde4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
5df4e5e453a698a73395f0673e8fc0a2

SHA1
5a808611f24946b396febfb264726985af1a61f1

SHA256
bc061a48befcf8fae26e3593cbb95de82b820e3f415d0d1e21f8d1dfcfe6e486

SHA512
a65627c700f6bfbed9d2bb61917e52205f2b606de797f1de0961a2d448a22f5ee867b781ba54c65232c2af65efa6548378f1b0bd9f5b6af2b3d3882a6da4615d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamudvud.exe

Filesize
69KB

MD5
5ce2bad1ea943c22bf2accb3a58470e8

SHA1
98a40ffbebe33b3ef1db970a1ac145597acbf4b7

SHA256
fd35fbf3b4dc33b43fc1335b5d6f41a3a6c16eaa891cad0eab73d0d3a5c1c11d

SHA512
e48ac3581f27c61f9a7e30c9cfe3be658f8fb6bcb3475782ee4c0c6ee5fb2a48eb54f78c304b6c05e4ef376fdf8462a88b36d079e443d8c5ea26612e636c3eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
23863436538ebf51887e1fd6d54ee669

SHA1
d925b20733ebf325889344aa2e92c22cf55044c4

SHA256
dffb65af755b14d6dcc35fe6d06b618693940b35d8b088a3901b78fa9aee7bdf

SHA512
22bef0564469efaeb1b7aebc0c5d9761ea2b7ae9e1589745875fcdcdf8abfc8f8206413762ceac0a50755b3176597d53ff429d4e7fe2769d901cf75e730f5368

Download Submit
memory/2456-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3504-55-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3504-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download