blackmoon | 8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e

Analysis

max time kernel
149s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe
Size

413KB
MD5

467b894668c0aa3b8133bb5a0827cedb
SHA1

6b4c531610b6fa97128b496b9682d32050e1f318
SHA256

8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e
SHA512

ebcf168946cf450959ac6b686f25212ee28bef55a6c16cf5e6002c35f7c20ed9a0e0c8829ba7914d59aa3158069ff22b812a904d4a1ba0ede113f40d61712093
SSDEEP

12288:g5/Q58drihGiLhmGNiZsx0B/zPkeWIoSBJ:g5/Q584hGiLhmGLx0B/zPkeWWJ

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

resource	yara_rule
behavioral1/memory/1204-0-0x0000000000400000-0x000000000046A000-memory.dmp	family_blackmoon
behavioral1/memory/1204-29-0x0000000000400000-0x000000000046A000-memory.dmp	family_blackmoon
behavioral1/files/0x000d000000018683-42.dat	family_blackmoon
behavioral1/memory/3020-46-0x0000000000400000-0x000000000046A000-memory.dmp	family_blackmoon
behavioral1/memory/1204-44-0x0000000003F90000-0x0000000003FFA000-memory.dmp	family_blackmoon
behavioral1/memory/1204-61-0x0000000000400000-0x000000000046A000-memory.dmp	family_blackmoon
behavioral1/memory/3020-69-0x0000000000400000-0x000000000046A000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
3020	Sysceammopeo.exe

Loads dropped DLL 2 IoCs

pid	Process
1204	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe
1204	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1204-0-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1204-29-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/files/0x000d000000018683-42.dat	upx
behavioral1/memory/3020-46-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1204-61-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/3020-69-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceammopeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe
3020	Sysceammopeo.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 3020	1204	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe	31
PID 1204 wrote to memory of 3020	1204	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe	31
PID 1204 wrote to memory of 3020	1204	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe	31
PID 1204 wrote to memory of 3020	1204	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe	31

C:\Users\Admin\AppData\Local\Temp\8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe
"C:\Users\Admin\AppData\Local\Temp\8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\Sysceammopeo.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceammopeo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
51f33970f59e88766187748320cde182

SHA1
53c51c502d3476b4821dfb4970b2382c7ed516fb

SHA256
7c7be6844f348eeaab737342e83d19da63930260cc975b8199c24401a6f0e314

SHA512
2a5789ab703ae4f6aeeb43c30dac1898cd3a12f95854cbe191603b97cbc0b95c2a49706e95fe7edd171853db64e74d4f737ed8367ca6389ac515cb87eaadf9b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
9caf7a3f2e9656525e95e3b84282ccef

SHA1
4a1f2a4ab3c0618811a4ea98256247710449a105

SHA256
2b775f163168fb6fb5ed11f9f105471ae96b0c9a01bad98e28ddc9b74371fa97

SHA512
dcf4979e058e8481a2bd25210e601dc7f7dd6c19adbffebb4217bf95909c34a84988cbc9fe648a5381428b7609a01baad8c7e920dfda7835e663d658a73d773e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
b5f07da0c85c2974f7f4aacf4e7e8ed3

SHA1
47f94874fc9cfcb224c382058d51ac083f3f56a1

SHA256
aa39f84f77a8c354dfc742914351fa5eaffc591e5f98615265ddc001125f0e2f

SHA512
1971cf9f25e81d126606ab33ed9a27857cee2a47396654bb8f0c9d780fbb209742ec87c45e6efb37d3095afa67e50ac23e2ae7066a417945f92da43807b31143

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
40ef7172c82a5cbfb136fb1b72b3b852

SHA1
309fdd6555d2a80a7341a3fa8a1fbf1da135141c

SHA256
b9635999d72268d5a035967c93ab61d16b6a10daf22b4882e7721ab5e86d0f0d

SHA512
eb33505b9582d11382afc87e3c545a305f22620e21088279a5ddc680541becd032bbcbd5793540856f58a649369eb27d9724ad4667761337dce502c0f38bd752

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
49fba1f5989a77e45ca075d7de363b5a

SHA1
067c36c792dbe608e218e439bff55f5efff4f5c6

SHA256
0f90f471c0eb6b4c7a54028f83e93e85560b1d53e837ab938e34dfbf5c124202

SHA512
db8ad5c2e85c7f7e698c54d9a0c0bfd4527554c4c0d4a8eb377fae0bcf470cf7efd77b70611c263ff2783dcc382a002fdeb0b116861144ce69cd838c25d78fcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
a824af55135395655119a5400f3e4e19

SHA1
15d7d4ba44ad064a9048f985878ff6f021d21712

SHA256
4f663342141a5fea086336050e670335c3fe4456a0fc05834b8c43baf06e1642

SHA512
ec42c1087c18fd4a92d0f6081cc52f9b55889aa98d7b38234931bc0ca52508198bcced62bb35b5aed331ddfcd3e1ab4631375ad381480ea4727287607c992440

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
097d5d688d48d008ca6dac1c605d2878

SHA1
892357dcddf8f02a98958e0fc5ebcdc9a6282b49

SHA256
3d7688e05f1b36e1fc3836e91b93c251a2d6e51429b37304d4219dcc62e3d7bc

SHA512
e85271966b62cffde6564cda454951892d3af0bcb39e4d0b9e80efc2d2b250a243430ff845b6539ea162651d3beecdcbb174118c00cf41da432796a55500a89f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
4ef967dd310930c7893d17b81c6c47c4

SHA1
0218f2c70763ad248da7bb82d43995b0beb7d941

SHA256
07f29e6bcfd31f5912d9bccc0589935aedeaecda54af2b0a49f81cd4a32e4e13

SHA512
8dca8890015a674b69be81c1bf06737b0f661996b9185fe56c7c1572e4c9465f58406bd67877de9bdce020a50b4a90cad06f209b65726b0329ac6d0be6ee5845

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
a579407f256606b1f89e23428ce93ae6

SHA1
4a975338470e25b29b02d06cac29c2c91a1f6848

SHA256
cad86a8336cbed2ea718823d52c45b928300cf8e79a6382f313a5f96de7c50f7

SHA512
7fd03a23d08062879181b0563c9e91f5b22728c54f0e1bc1e6520b31c4ad21fc0bab931f8db64ac84f71897ab32f35fa03102bcdb740ff57aec7e55876a7426e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7E54.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceammopeo.exe

Filesize
413KB

MD5
bbacc641adbed01a93ec4c5d3ba72d5a

SHA1
5bbc4167dc85cf085756af5247e14d5fb5274364

SHA256
1b9b504e4f9b65619ae933a3302d248748f7c817d5b5269a784f3dbc20987140

SHA512
f97f1557fd7721c386ab7f6b31c89a00877ac68916e43eb1be56cc8a006a600cb61801c229c3c068b0a6a1b26788d34a4299785a9dc02f734b13ccdb557f9c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
f0baf5a6a8c38f8e8eb1883e5ddc4df2

SHA1
7dc01779b7a72386dff063a213efe7a4aaeff1df

SHA256
59062d4aa0efb6265bc0d7164fa6934e17d5154f1aad49d726b0bcd7b4391e7a

SHA512
1cfa8798f6510047523eecf6d5b34143aa6c6102054c8bdd0f61efa10a65c37e57904d774e48a394553147a6f3a9a046f886dc6d879789b08cccc40cac61290b

Download Submit
memory/1204-45-0x0000000003F90000-0x0000000003FFA000-memory.dmp

Filesize
424KB

Download
memory/1204-61-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-44-0x0000000003F90000-0x0000000003FFA000-memory.dmp

Filesize
424KB

Download
memory/1204-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-29-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3020-46-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3020-69-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download