blackmoon | 8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe
Size

413KB
MD5

467b894668c0aa3b8133bb5a0827cedb
SHA1

6b4c531610b6fa97128b496b9682d32050e1f318
SHA256

8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e
SHA512

ebcf168946cf450959ac6b686f25212ee28bef55a6c16cf5e6002c35f7c20ed9a0e0c8829ba7914d59aa3158069ff22b812a904d4a1ba0ede113f40d61712093
SSDEEP

12288:g5/Q58drihGiLhmGNiZsx0B/zPkeWIoSBJ:g5/Q584hGiLhmGLx0B/zPkeWWJ

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/848-0-0x0000000000400000-0x000000000046A000-memory.dmp	family_blackmoon
behavioral2/files/0x0007000000023ca8-28.dat	family_blackmoon
behavioral2/memory/848-57-0x0000000000400000-0x000000000046A000-memory.dmp	family_blackmoon
behavioral2/memory/2892-72-0x0000000000400000-0x000000000046A000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	Sysceamkwvcz.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/848-0-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-28.dat	upx
behavioral2/memory/848-57-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2892-72-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamkwvcz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe
2892	Sysceamkwvcz.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2892	848	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe	82
PID 848 wrote to memory of 2892	848	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe	82
PID 848 wrote to memory of 2892	848	8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe	82

C:\Users\Admin\AppData\Local\Temp\8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe
"C:\Users\Admin\AppData\Local\Temp\8ca47a2cc559d5a3939693e31dd030c21a1ad927ea7c8a52bfad26845388739e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\Sysceamkwvcz.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamkwvcz.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
51f33970f59e88766187748320cde182

SHA1
53c51c502d3476b4821dfb4970b2382c7ed516fb

SHA256
7c7be6844f348eeaab737342e83d19da63930260cc975b8199c24401a6f0e314

SHA512
2a5789ab703ae4f6aeeb43c30dac1898cd3a12f95854cbe191603b97cbc0b95c2a49706e95fe7edd171853db64e74d4f737ed8367ca6389ac515cb87eaadf9b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
9caf7a3f2e9656525e95e3b84282ccef

SHA1
4a1f2a4ab3c0618811a4ea98256247710449a105

SHA256
2b775f163168fb6fb5ed11f9f105471ae96b0c9a01bad98e28ddc9b74371fa97

SHA512
dcf4979e058e8481a2bd25210e601dc7f7dd6c19adbffebb4217bf95909c34a84988cbc9fe648a5381428b7609a01baad8c7e920dfda7835e663d658a73d773e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
b5f07da0c85c2974f7f4aacf4e7e8ed3

SHA1
47f94874fc9cfcb224c382058d51ac083f3f56a1

SHA256
aa39f84f77a8c354dfc742914351fa5eaffc591e5f98615265ddc001125f0e2f

SHA512
1971cf9f25e81d126606ab33ed9a27857cee2a47396654bb8f0c9d780fbb209742ec87c45e6efb37d3095afa67e50ac23e2ae7066a417945f92da43807b31143

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
40ef7172c82a5cbfb136fb1b72b3b852

SHA1
309fdd6555d2a80a7341a3fa8a1fbf1da135141c

SHA256
b9635999d72268d5a035967c93ab61d16b6a10daf22b4882e7721ab5e86d0f0d

SHA512
eb33505b9582d11382afc87e3c545a305f22620e21088279a5ddc680541becd032bbcbd5793540856f58a649369eb27d9724ad4667761337dce502c0f38bd752

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
243950cd06158e5d8bccf3a889dbcedd

SHA1
18171b9f5478aa5b2743fe784d3e320c3e2e1b6f

SHA256
991fd242fdbede0c1d6e5ae6de3fe005d67e2e22645c6aff169166ac1f498aef

SHA512
31c327da38057275d9d37453cefa1493f3a6de63f1611eb330fb449b410ed12acb219931cb3ca3dbf993a80be920b24a5eb91e51abcc6d78d2607be7053499be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
15f5cb6876eba73093ef95132c888dfb

SHA1
4c00d68fc2dc97959b753321f03a225c376bb2e0

SHA256
322fe07a5f2eb51f79dabb28a2ca0d2a94be0f77db9da4369f3019375e4dd657

SHA512
29d0ca780fabaa7160747254816bac958c2b2f6db078b41766e5e7747a979271be57356e48857f8ffc2fa5e94e7f4287445a9fd126006178cb8a7b188ec2cfd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
37589dfc1b0a8a9183008f509bf7180e

SHA1
71e4250b87ca90fe538a2d377e655cfb9aaa128d

SHA256
b4cc94d7f5407c2e52fcbd7f5b6ce2fadfa2fcb156979c531fab373d509df9df

SHA512
add10f8a6574b40bfeacec2fcd50f7eb35969fcaa4cbdb34db78ac0bc16a4cc174422d6b36aed2aa1ef04a74e7406f0a1f892930f95442ffb5e350905dbb0ea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
fd29b25307d6a0c0c661079e6b9345bb

SHA1
15c6f3f62bfb4472e1beec4533fc4e68e544ea09

SHA256
d47046781c0e8d807d7170cbb4ff735309ce9b08fcc649c24c39d75793424c98

SHA512
d83952af20fa1fce92022501a554acc039485a08e990224813e8353ca80ffd640e6f13218464d17ae817075a142b8c52632b46ce0601fdb27d5801416fa2c9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamkwvcz.exe

Filesize
413KB

MD5
b93c110093731bd70410dfdb57235eb2

SHA1
bfb07f7a79f237501c7461bf60186f963a846074

SHA256
72a9ad6233c9f05b3d38e186575710ad5df9e03d8103b1714e3ad4e8b794f689

SHA512
5c6d984d4256eb8b18e65392aaec18cd96b52a485ef1047e7cf576f972a94e4d15d6507935c7d726f88b296d50db01102a65bebd8d0efe33652aeeab141a2abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
f0baf5a6a8c38f8e8eb1883e5ddc4df2

SHA1
7dc01779b7a72386dff063a213efe7a4aaeff1df

SHA256
59062d4aa0efb6265bc0d7164fa6934e17d5154f1aad49d726b0bcd7b4391e7a

SHA512
1cfa8798f6510047523eecf6d5b34143aa6c6102054c8bdd0f61efa10a65c37e57904d774e48a394553147a6f3a9a046f886dc6d879789b08cccc40cac61290b

Download Submit
memory/848-57-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/848-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2892-72-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download