blackmoon | 07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe
Size

407KB
MD5

fdc869aeb52b9265e66d31245ab9f430
SHA1

0e6577954b7319b9b178a2f4ce2cf9b897864830
SHA256

07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2
SHA512

a675b211b0b78cc2743625d10eeece285bd11677874a7aac43dfaadf29770c37565b041d4dee876ed8cc93c7ba1e6c0f8e84304b0d4a2b90f623631151072594
SSDEEP

6144:K5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zIydenCW:K5/Q58drihGiLhmGNiZsx0B/zIkenCW

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/3148-0-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/files/0x0007000000023cc6-26.dat	family_blackmoon
behavioral2/memory/3148-55-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/5012-70-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe

Executes dropped EXE 1 IoCs

pid	Process
5012	Sysceamnfsak.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3148-0-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/files/0x0007000000023cc6-26.dat	upx
behavioral2/memory/3148-55-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/5012-70-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamnfsak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe
5012	Sysceamnfsak.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 5012	3148	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe	83
PID 3148 wrote to memory of 5012	3148	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe	83
PID 3148 wrote to memory of 5012	3148	07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe	83

C:\Users\Admin\AppData\Local\Temp\07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe
"C:\Users\Admin\AppData\Local\Temp\07d86214624da3c6c4950007aaa0c6478a832e4d6e6448ac47193ffea95f67f2N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\Sysceamnfsak.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamnfsak.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
ad981bda8550a85e82b3dd1f52e39270

SHA1
f2eaf4b5fb6016291adc88b970d217c69af43e5f

SHA256
77e4fcc15b6f1918c654e729f6f1c8fd400b70f7833eb1ef004ab7ad35a2c07f

SHA512
a2b6de329f2e86d767e6fe6cf44adef9967ae9d8011f9bbb0be8c9b5b98c98acca2d7c42491b618ade7da25a8067aaaa58510ffd4b6205dcac57ef2c6ae4acf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
9caf7a3f2e9656525e95e3b84282ccef

SHA1
4a1f2a4ab3c0618811a4ea98256247710449a105

SHA256
2b775f163168fb6fb5ed11f9f105471ae96b0c9a01bad98e28ddc9b74371fa97

SHA512
dcf4979e058e8481a2bd25210e601dc7f7dd6c19adbffebb4217bf95909c34a84988cbc9fe648a5381428b7609a01baad8c7e920dfda7835e663d658a73d773e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
b5f07da0c85c2974f7f4aacf4e7e8ed3

SHA1
47f94874fc9cfcb224c382058d51ac083f3f56a1

SHA256
aa39f84f77a8c354dfc742914351fa5eaffc591e5f98615265ddc001125f0e2f

SHA512
1971cf9f25e81d126606ab33ed9a27857cee2a47396654bb8f0c9d780fbb209742ec87c45e6efb37d3095afa67e50ac23e2ae7066a417945f92da43807b31143

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
d80a5fd04121759597a061a4497bae08

SHA1
1c54ab2c23f568ed21f33c683e8f9c6366d9a86b

SHA256
1221d49fd40c3c58089a3988b96be848de8327bda9fe19fb4e4c715c31337c68

SHA512
dca4ef77afc48d1a49b60bdc82aee16bf93228c957b47d6406f9330a380d84b68476ce4aca5a23b24461033e281620af5d1a3a90741dfb64d18b61a92649bcaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
0b390b5dcbcf332209102b7a4a1f1133

SHA1
a8a50269831beb22ecf11ff8ed6edea4ed1f3f30

SHA256
6f7fa6bed9d499a8bc66d77ed47c56514d7d0ea3b3bc1064317a70145b853aa5

SHA512
652e13da5b5a440119f08ea7b3240dd98543c402b1ed14205add887321a9452b32ec119430a5616b5e63b23ca09c15eafc025aad0becc09505ba16ea365744e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
351c64aa4fa9a3076d0e7cc7e0fb1bbb

SHA1
add3dc6ba57c2649d37ab62b89c3391335bd2950

SHA256
0d89a7ea531720f4c1dad8af24e85e5a2d1c135f8604eaa17f546f4ada57d97f

SHA512
6a01004de1536631bf5ec45a1f186f40eb03a10cae0d1e9117dbeec86d554682f6a9fc84daf31c2e70956338c1414cdcbdc423f62cc0d40006f7a78ac31e49a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
f6c09312978b616be49b4252e2a71188

SHA1
e05f60efd6cce447e4d0c1822f81a5ac70f1898d

SHA256
adcce4fe0a04ca79141f7a03c9d6ed286557a8745d47999b0adef871c97448b3

SHA512
4619db806986f847673adb9fad6aa72a0c29643483bf9434c6f60cb3aca4b5025e3299b3ca8bf7522aa54a6a2f24f28c28eaa5d685e84bc44c5c49c3cbbd0f8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
53b67eafea4e46cea173c2943b411f95

SHA1
db91d5888e1a0650b89e2ea9328e4a43e7af67d5

SHA256
ae26936ce68274949082a0f9674837208b539102f0797a958da6a4d70042e17b

SHA512
1d33925f1da84e4f211918aab8e6d60b2e072be2f68669847fe59cdc8cd1d055f02c3b68bf0c466c37efdad2975952f94303267e4b6368fe80fcb0b67225363a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamnfsak.exe

Filesize
408KB

MD5
ad91d724ab6f29b894b6959bab50fc67

SHA1
842bbf202df80372a5b5d4ec36813dc2e038e958

SHA256
9d8a7c5bdb0b219dc366c9f8e28b67641a9e996295ea84438d980240578d4c3f

SHA512
667298fffad2615c15696e27b2be4a7fd3eaea92963e51af16914fb15e1ef85f428121f41cbc179f7cd2e747fea188e12f97250e6519f66721dce99003b4ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
103B

MD5
74cd22751849e75d04904ad5da4b8c69

SHA1
44125cd313d382338c2574d7241425b6a8ecc855

SHA256
acb3272b715a075fac0f3054beecf55ba28babcfcee1b977af0a0c080402de50

SHA512
7a08eb9439fd71c8136c003c3301dd5cf207cac7843787f12ff838668b4c32a1af443c92ee6e29c3342b72829a214b02ad0f7298f6d0947f97c09349668a3748

Download Submit
memory/3148-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3148-55-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5012-70-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download