blackmoon | e2047a9df925f44842bd69a434babfb5d3e358f09747d9debbede0a43e0f37b7

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2047a9df925f44842bd69a434babfb5d3e358f09747d9debbede0a43e0f37b7N.exe
Size

69KB
MD5

ff6212c0a3a97ba292503b0527d6de20
SHA1

592578884e585a4b46eb609061f6076525012f20
SHA256

e2047a9df925f44842bd69a434babfb5d3e358f09747d9debbede0a43e0f37b7
SHA512

241f06157be6a54461431840974d5e658ede0204ce65b919db996f01558a5400d892bae095e1321ce35dc0dc7e694be2aec48f3fe2f7e44a869b7e7d6267c093
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8a5:T6DJrXAnHmgMJ+dOnFouta5

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral2/memory/3612-50-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/3612-49-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/2676-72-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	e2047a9df925f44842bd69a434babfb5d3e358f09747d9debbede0a43e0f37b7N.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	Sysceambdlff.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3612-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/files/0x0007000000023c82-26.dat	upx
behavioral2/memory/3612-50-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3612-49-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2676-72-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2047a9df925f44842bd69a434babfb5d3e358f09747d9debbede0a43e0f37b7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceambdlff.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e2047a9df925f44842bd69a434babfb5d3e358f09747d9debbede0a43e0f37b7N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe
2676	Sysceambdlff.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 2676	3612	e2047a9df925f44842bd69a434babfb5d3e358f09747d9debbede0a43e0f37b7N.exe	96
PID 3612 wrote to memory of 2676	3612	e2047a9df925f44842bd69a434babfb5d3e358f09747d9debbede0a43e0f37b7N.exe	96
PID 3612 wrote to memory of 2676	3612	e2047a9df925f44842bd69a434babfb5d3e358f09747d9debbede0a43e0f37b7N.exe	96

C:\Users\Admin\AppData\Local\Temp\e2047a9df925f44842bd69a434babfb5d3e358f09747d9debbede0a43e0f37b7N.exe
"C:\Users\Admin\AppData\Local\Temp\e2047a9df925f44842bd69a434babfb5d3e358f09747d9debbede0a43e0f37b7N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\Sysceambdlff.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceambdlff.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
5d3b3786d52fae8fe23adeee81ff272e

SHA1
fc056866e138053fa3e8124683d9291da45cf095

SHA256
a67dd4e50c607e62e0cf985d1c2a61f3f6a8d6d9616232251879e262ba7573a4

SHA512
2000e8070469986252fbc88a343a448ae6ced505e5343262872d7642740750a1de7bc407bbec21f028db77746c82dcf69e82a27b6a1a621c145092c3c7dc4a1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
be30f5f0c71597c72c350697b24d2165

SHA1
6855fa3287a047c935a65e8b7de1ce84dcc972d9

SHA256
d8d73195e0d4a73f372eca302b61a7abb07a657810086224b63b49b35453ad43

SHA512
e738b92486e420c7a423a51f4ff1f5190114248695cc9beb91da883a0e79758ec0560f986b23dffbcb70ceae2ea045503aa8bf8f2ff1e1c397795d835cb9a071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
68b57deeb7862d684295fa5245d8e7b0

SHA1
fa50248fb0b68e0a120fbb768406e044d7034e8f

SHA256
e020c3f723299a7974fa9f07c25eca2e676e829af6f1b899fa9c998dfcaab0f1

SHA512
6c8c47a9cdfed240301ec35c72b9d3274fee967f31cfc63714c4112a30e62ed471eadb3962dd3ae64f156c043c38b275955c99eaf5fdbab4ff1554720c192363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
b0d9aa302417e0c1efbbfe31b242f9d0

SHA1
aa9e5cdba2bf8a5432723b2bf38e8d731bf5e2b1

SHA256
6d96cb6993fef8b4067f48669dcb17f27a31982ebbcf21a6b9f3d33252671a18

SHA512
535e7bf510447ee5ef07c3c7faede6ab200ed02afd8e1a26cd5edfa4e530278f5f57bae92473d5b58c2a8b222e852c8ebd9c502680c9c64dafc470693434fd17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
99c9843e5575291adb8fbe0c656ee3ba

SHA1
210e490e764ac71ce44f40d6d51f2506129b5630

SHA256
535263ac2a92b458cb9357a3c08e9ad177bf810fae9cd41ea5c128e97d740854

SHA512
e14b5bcdc5ddb0e757ca024641b7d7d82e6685ed206077b183c3a3b86f0a6c3fa90b6244eab0f037ea1949dfe6bc5139b27f641cd84610e2b6429393a6bd8c4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
848be1b7a1d29767d7acc131cbd6b22f

SHA1
cde21436a19fb227b0b57d6140c26745b516d18a

SHA256
2a09f06985ba0c5530c37ee2bc1749bde17269b3d401cee0f9b3b49cd23dd564

SHA512
30ce480695c8e61a8f21f77c8b519c61027af71a98f37b1ac8f61c1b5ff4b8fb25018417d1174320b20d9b392d4b15f9f33e9029a334734c0a684a50c1d7c4fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
2efe0538428aa1c91f763d90378ecb1e

SHA1
55fb1d9f7eb027e63401a5d7fdb396c2867e4c35

SHA256
938de499e4c19b1f4c69ff94417cf42905f6b0a0c98dc9e76265dcb164c38aa5

SHA512
74e59cf98449691af4928ddf31cb74c4ffbc75c17caafaebd45a758a3dc7e77275be2922c8ed95adee7cc2a53f16fd87d41d9b41fb010360610f0acd17a24d2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
b6a39f94344127fd82d23065273a654b

SHA1
272af47ea9d1b8ae6ba6f694d5ba26ee7ac726b0

SHA256
f4e5dc2c4a73e233efdb35413b60e8feed08ea6d734db4a85af5b45da28069ed

SHA512
be59b57f6653dff8279d620287efa949a37bac69bc44d6093b6789507b27c9efc2d3a74eb74152c831576330e1e4320d4bc5504027a410758fcf4e10feae9c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceambdlff.exe

Filesize
69KB

MD5
e34f7fa846f85e70bb1e96c1fae7682a

SHA1
483a9f76b32fac9f7561c0f74c7319a5a6889fdd

SHA256
c6606c00caeb143444fba35a09c52f4c23747edef711bfb77d55f4d185da8128

SHA512
cc1866d0852e4b0219b2024d905ffa7f1e1488e1c50638156705ac9184a65dfc9d740309406a52408953f3788f32c9121166693eba4d3cb8c46451313be6a919

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
103B

MD5
2876dda0fc985689b184e9c37169e3d5

SHA1
e71ebd56efefa088f19a7fae1bfd65b4be3708b7

SHA256
52a49709e177d2ded5ae486ba64d873f2ba4f197cba4608f478da3592d96d8e1

SHA512
0a2ac0ff95dfd96786af071bc07a800bbe82e9a3583aabc974876d486998b1328c8d315f10314a124aa5cd74aee83bed8d1ed03506b557b294d6a74aa3c6ac12

Download Submit
memory/2676-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3612-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3612-49-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3612-50-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download