blackmoon | f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab

General

Target

f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe
Size

282KB
MD5

7221de427bfc94627d5dca358b07653c
SHA1

356b3562884ed9409ebc490db637a80c891b660e
SHA256

f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab
SHA512

7b75c91ef877f780e8b8bddd0d85ed1992e78502f4633e1d4ec9ef1e9fdcd2751208d2d0b200de841e60b52568f79594759e85dfe317a85486c7f54a035fad5d
SSDEEP

6144:dnriPrgSyrSjda3biWdzvOsoXsYczVgYSyykq3tiMmVVpOfMR+B8ckBtqqXpeYwR:dnQZnda3OWAsPYciuykCtizOhB8ck3q3

Score

10^/10

blackmoon banker discovery evasion persistence trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cb9-7.dat	family_blackmoon
behavioral2/memory/560-23-0x0000000000400000-0x00000000004C8000-memory.dmp	family_blackmoon

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pythonw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pythonw.exe

Executes dropped EXE 1 IoCs

pid	Process
3084	pythonw.exe

Loads dropped DLL 2 IoCs

pid	Process
3084	pythonw.exe
3084	pythonw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ÏÔ¿¨Çý¶¯ÓÅ»¯×é¼þ = "C:\\ProgramData\\pythonw.exe"	f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	pythonw.exe
File opened (read-only)	\??\L:	pythonw.exe
File opened (read-only)	\??\M:	pythonw.exe
File opened (read-only)	\??\O:	pythonw.exe
File opened (read-only)	\??\P:	pythonw.exe
File opened (read-only)	\??\R:	pythonw.exe
File opened (read-only)	\??\B:	pythonw.exe
File opened (read-only)	\??\Y:	pythonw.exe
File opened (read-only)	\??\X:	pythonw.exe
File opened (read-only)	\??\G:	pythonw.exe
File opened (read-only)	\??\K:	pythonw.exe
File opened (read-only)	\??\N:	pythonw.exe
File opened (read-only)	\??\S:	pythonw.exe
File opened (read-only)	\??\T:	pythonw.exe
File opened (read-only)	\??\U:	pythonw.exe
File opened (read-only)	\??\V:	pythonw.exe
File opened (read-only)	\??\E:	pythonw.exe
File opened (read-only)	\??\J:	pythonw.exe
File opened (read-only)	\??\Q:	pythonw.exe
File opened (read-only)	\??\W:	pythonw.exe
File opened (read-only)	\??\Z:	pythonw.exe
File opened (read-only)	\??\H:	pythonw.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/560-0-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/560-23-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pythonw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	pythonw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	pythonw.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3084	pythonw.exe
3084	pythonw.exe
3084	pythonw.exe
3084	pythonw.exe
3084	pythonw.exe
3084	pythonw.exe
3084	pythonw.exe
3084	pythonw.exe
3084	pythonw.exe
3084	pythonw.exe
3084	pythonw.exe
3084	pythonw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
560	f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe
3084	pythonw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 3996	560	f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe	83
PID 560 wrote to memory of 3996	560	f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe	83
PID 560 wrote to memory of 3996	560	f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe	83
PID 3996 wrote to memory of 2304	3996	cmd.exe	85
PID 3996 wrote to memory of 2304	3996	cmd.exe	85
PID 3996 wrote to memory of 2304	3996	cmd.exe	85
PID 2304 wrote to memory of 2040	2304	cmd.exe	86
PID 2304 wrote to memory of 2040	2304	cmd.exe	86
PID 2304 wrote to memory of 2040	2304	cmd.exe	86
PID 560 wrote to memory of 3084	560	f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe	87
PID 560 wrote to memory of 3084	560	f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe	87
PID 560 wrote to memory of 3084	560	f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe	87

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pythonw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pythonw.exe

C:\Users\Admin\AppData\Local\Temp\f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe
"C:\Users\Admin\AppData\Local\Temp\f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd.exe /c SCHTASKS /Delete /TN "SDL" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c SCHTASKS /Delete /TN "SDL" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /Delete /TN "SDL" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2040
- C:\ProgramData\pythonw.exe
  C:\ProgramData\pythonw.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VCRUNTIME140.dll

Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\ProgramData\python38.dll

Filesize
272KB

MD5
d30cd5301720b65435f734e6351b2050

SHA1
d89f13113b3bdd1ee085a40e52ff12f1e2463858

SHA256
613ae676d96080041ac9f08825ae2d0fb8d63cbbeabb1cc54cca9945b6a4409d

SHA512
461c75e1a54d17bc532ed0c4f1b860b139cfadad756a5b4a53e6d6bd3449daa7062dcd32fa4e3b53a64861b553f0bf265800e146fa1aa7d06d6b72be487f44ea

Download Submit
C:\ProgramData\pythonw.exe

Filesize
93KB

MD5
867945992b1375b625b16f0e5ba1b623

SHA1
af2e140ecd754d2e700c7043c26b35f0a1e4c982

SHA256
51182a4dc90f0d8019031e27f9fb8f8f2b8d73cd0c8f5ad5aac194c9f3f5c1e1

SHA512
d46c21753edaa50ec6e913932bccec59b59da2077fa4ef66abcaadc4f5e291dc21662c11c0c607c9be65bb52e9190b9f8e216aa7319e2d4ff26e876b85457a68

Download Submit
C:\ProgramData\wc.xml

Filesize
75KB

MD5
82c3c8d3a6221cf8db71fdee532bfedf

SHA1
6c2a447acc79cacecc8efbe0b8de38fd194aa095

SHA256
3177dbc2ce8f68405fc874f6189ccf947d8217227ffc81a85f9b23aec1f47f80

SHA512
491e914b091d218a663abca5f2c2aed2b839ba87a74429c285145baef6a23fb4cf0718b64869a04237258d0608c44c6e2cec3446feaae9b4d5a7071a0325f420

Download Submit
memory/560-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/560-23-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3084-16-0x0000000002E70000-0x0000000002EC5000-memory.dmp

Filesize
340KB

Download
memory/3084-14-0x0000000002DA0000-0x0000000002E1E000-memory.dmp

Filesize
504KB

Download
memory/3084-12-0x0000000000CE0000-0x0000000000CF8000-memory.dmp

Filesize
96KB

Download
memory/3084-21-0x0000000002E70000-0x0000000002EC5000-memory.dmp

Filesize
340KB

Download
memory/3084-20-0x0000000002E70000-0x0000000002EC5000-memory.dmp

Filesize
340KB

Download
memory/3084-19-0x0000000002E70000-0x0000000002EC5000-memory.dmp

Filesize
340KB

Download
memory/3084-18-0x0000000002E70000-0x0000000002EC5000-memory.dmp

Filesize
340KB

Download
memory/3084-22-0x0000000002E70000-0x0000000002EC5000-memory.dmp

Filesize
340KB

Download
memory/3084-13-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3084-24-0x0000000002E70000-0x0000000002EC5000-memory.dmp

Filesize
340KB

Download
memory/3084-26-0x0000000002E70000-0x0000000002EC5000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads