blackmoon | 58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe
Size

408KB
MD5

1d9e4bc56c15d5a5e4c8649a1c5dbf19
SHA1

d49a7dccc32e95b83bf8e32261c305e67a82f668
SHA256

58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e
SHA512

9ca27f6eb510f51fe58ba6bbb74ed44a057841bed1a21af1e2b993686029c1b17f15a38616c38fd63871c34aba25afcff11ee77167ad0ec863c9a5617e8834fd
SSDEEP

6144:K5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zIydenCG:K5/Q58drihGiLhmGNiZsx0B/zIkenCG

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral2/memory/1280-0-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/files/0x0008000000023bbb-28.dat	family_blackmoon
behavioral2/memory/1280-51-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/1280-65-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/4248-73-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe

Executes dropped EXE 1 IoCs

pid	Process
4248	Sysceamsoomw.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1280-0-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/files/0x0008000000023bbb-28.dat	upx
behavioral2/memory/1280-51-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1280-65-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4248-73-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamsoomw.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe
4248	Sysceamsoomw.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4248	1280	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe	86
PID 1280 wrote to memory of 4248	1280	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe	86
PID 1280 wrote to memory of 4248	1280	58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe	86

C:\Users\Admin\AppData\Local\Temp\58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe
"C:\Users\Admin\AppData\Local\Temp\58073c2455e4ddc230a68309ecb830991596572ce76afc715b229c75ed37a10e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\Sysceamsoomw.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamsoomw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
1481b440f61611536ebbe84a4ac06703

SHA1
674f6b384ea4fa5af95515a0f832221d7b490e0a

SHA256
c69c1027ba057d95a9063aa61e55c8c95456fc04c703e2994f839d550be383a7

SHA512
6d01b4c1beb56165fd7ff0bb56d02fb9777b367b2a6b34fcd1e8b2a4eacfbb66e8f7880482d435ef1a7db0658cd88f9a2ef9fac099238ba109303e286709c189

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
9caf7a3f2e9656525e95e3b84282ccef

SHA1
4a1f2a4ab3c0618811a4ea98256247710449a105

SHA256
2b775f163168fb6fb5ed11f9f105471ae96b0c9a01bad98e28ddc9b74371fa97

SHA512
dcf4979e058e8481a2bd25210e601dc7f7dd6c19adbffebb4217bf95909c34a84988cbc9fe648a5381428b7609a01baad8c7e920dfda7835e663d658a73d773e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
b5f07da0c85c2974f7f4aacf4e7e8ed3

SHA1
47f94874fc9cfcb224c382058d51ac083f3f56a1

SHA256
aa39f84f77a8c354dfc742914351fa5eaffc591e5f98615265ddc001125f0e2f

SHA512
1971cf9f25e81d126606ab33ed9a27857cee2a47396654bb8f0c9d780fbb209742ec87c45e6efb37d3095afa67e50ac23e2ae7066a417945f92da43807b31143

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
5b5533ddecafdf4ef445a2b3f739729d

SHA1
3990e39b3605b20fa7aed18d1175f9f2d6790fa0

SHA256
8526258f10c3e3af4db5388c1123826ff70d9cd83e32f6f2e04804a7337e28f8

SHA512
f4864eec33285b06445c0640f62a0261231a7cb4e9241ee00d81f0f8bbfc7040ab000d23fe0472ec17506e03c98911545bfac44fd45eb6d05d15ed176a5c7daa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
26166e98d052cb29e66a9e8cc08e8417

SHA1
e09a3b25119325c494bc81363df98d43666241a6

SHA256
e86b183b3f36dc3ac87e8e69b63ee397ed7da785d29921ee87f02fe73089fc5d

SHA512
2aca6cdd8b7098a5a027d41f05853bbdbd62440cc6f85a59c3ab71ad49fbf36c4e032206ee9a0318ba9164fef941bcaefd5665b07721800211ff0c6002c366a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
7d720be340f3f8bd930433a09f61d660

SHA1
cf7b31327c8f50840d9cf4f6f950b004110422a9

SHA256
01466f9643e74f34762473b1ae2e6d4920127a2f24adf0135dfba3997dae5baa

SHA512
72d95d535f21fef0493d7f5948ab3ce91617ebf923ed1ebf99d9dc0f2367793e5c4de4b8b992652f2d1897a937b6e432bd7fc784b8957a9bbfdb5027fcc8f053

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
7422e889f820234980081f327202ca3a

SHA1
870f9220ebeb3bfa94ce607a29a1ca0c59e6dcfb

SHA256
633b7974355875685600f9c80f56ea1c48125a14fa443cb2ac9c586a1aa95ecf

SHA512
afbf0b21d53bc07d236c1b712f4c6f989fc4385379381c5ff300ebbc28dcbfb1fa4a984fe8586c7206e0d86fd97978f6e2603131603ae8fc679263ccc7bb8cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
24b6ac32e894ac2a25d5e6aa5e2fe46b

SHA1
0783993311ac06910afe4e5d6d888a849cc91e04

SHA256
cf924305e64815903e717f0c63f7ed0af05dbcf124e830858d1f033352adface

SHA512
73c346d6dceb7268cbfea444d7f52099539b2d9026671ba3ebdf53b40a35e281073d1189660a822ed20f446b3909ab6a64e72e4bfb6a66502f5a5c9677316c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamsoomw.exe

Filesize
408KB

MD5
461b6cee51acb88dbf9d65975f7c10c4

SHA1
c1977454feff406c5942bb22e054dd7183e4a5b3

SHA256
1a708cbadec6689b49e67f6e906c22d15546f1688474e5fafb5d58f8b4d8f246

SHA512
57e49ff49cc94d0db97188e9cc3505c562602c1f1315ad0dc722453b96c6974ae32c69fa34d60027962aac1269200a78d34342b6bb4574ec989f13bc19984bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
e7a9fb06912b813ced3a5267c0cb0aa7

SHA1
901ceb47a6c80271faebc4f356f725d5b80f2d36

SHA256
ef8bc7fe2cac4fc2a798977b1c4e5e88c09023c1e23f37b85c126a32a238b96f

SHA512
957cae831856084a46dd7a24dc560ffd996f5393bbf8eab86f3ee81f2aebbbcb640be76a437d86c8e6dd6d4d26979861228a8df69b14d539ab1108434a53457b

Download Submit
memory/1280-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1280-65-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1280-51-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4248-73-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download