blackmoon | ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe
Size

69KB
MD5

6c5ef20154f58186bdf0917529d01b67
SHA1

1909dca5a05d243739dd01819fc6e16e9089b340
SHA256

ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461
SHA512

6a25b372b99c108277faed251fd02c68405096b5b092862c7966082f6ec5df8165519b001053aeb4a82a6d81fcb3900749ba11c503455194926a49b617910aa1
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8a8:T6DJrXAnHmgMJ+dOnFouta8

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/748-20-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/748-57-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/4780-58-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/4780-72-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe

Executes dropped EXE 1 IoCs

pid	Process
4780	Sysceamowdez.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/748-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/748-20-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-28.dat	upx
behavioral2/memory/748-57-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4780-58-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4780-72-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamowdez.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe
4780	Sysceamowdez.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 4780	748	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe	89
PID 748 wrote to memory of 4780	748	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe	89
PID 748 wrote to memory of 4780	748	ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe	89

C:\Users\Admin\AppData\Local\Temp\ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe
"C:\Users\Admin\AppData\Local\Temp\ca53fd3df37b262fde8f174e0efd2d4f57de6f0130e009748fcf669c3fae6461.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\Sysceamowdez.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamowdez.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
e7ac07161833c2c3e11a4f1e6dc42c32

SHA1
ba246e113bc53efb725474d7a28d9523a0e650ce

SHA256
c03a6e6209601b013c394611453fb82d2d742f0c9f89ba0d7878c161a7b1b3dc

SHA512
a798a524291fe0acf11ba3b7eaaadcaeb3c6397e620a63d7fdb7787031e8f51174c5da4d9944f2e7de375113eb943794ab2ea4d2f7bb51c46f7ca48a9ab769e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
14c87bd922addc5dec6234127cb9c662

SHA1
376105e0babe9cf6236a1158b81d8923b4a80af0

SHA256
04b497675ab2dc4096956f6ea978858a5fbb80701f42ce1e6903e6d948cb2d61

SHA512
0f0ca6c06618e309e1b5fac2ee29611ef9afa71f86af3e743a7f824535914a6bac4462835efde958fcd6b4d23606a21db10225adb41b4850fae067ca3690236d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
d21ff713d14d30e2676cf9b5961f5706

SHA1
f3b0d97dc3b8f20968e55b274f20b6b6f615b607

SHA256
4701dfa959ebffd913f9b3909daf52874cff995aafc145b4408d9bcf8b34ec78

SHA512
99fa73a0eae74b7e8248f6d13f10a1e1ee41eb0e5bf519b27f98d05e40bc73e9a815c0843f96199b0f2f2f7d4459a123c012ce88b5f1fb9e98381864d2ea1483

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
23371d3cf9429c724ac291c14f429126

SHA1
b7f438199bbaf4b1d67ad85fd83ae20d2f496f0b

SHA256
a8fbce78410cc672d4f0e0acc317a0cd8998f3d2c855177586a79f9271d11c08

SHA512
6a3192671c6e6c48befe3e0178f6930fa70a80bc0f7bda9f79d9259f09f20363ba87f5b084f8edb3b539799dd3eef13d8b766bb06130ea889f1c1c00f28c39fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
cef69d8a49bf4ddf59a76e911ca5054c

SHA1
fd81e106dd1ce00659d51741e069818400b27568

SHA256
ba1f51e806345988aef40d60570ba4870eecd09b937e8b3a03bddc9508eae3c9

SHA512
d4ccaa0cb86e5f0b2ba1d3ab4c200dc1219ea8daaff950621c6d5be83baa6832068669c65e42ad8f6cc748ca2ec7b6d704be60c300c72266d3e7e2d198fc1a4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
41e64dea0afa899f805ce360b7fb8ad4

SHA1
989b343320c8e366d2296a8516670b4b82819233

SHA256
e1ba28d7e5191970007f9bbd261d064fb68561e2d0d5978bada4ee7d7e2bd8ab

SHA512
6d80ff7cff0edf9298ee7afd2fefa26a010a38a6022b15bdeeed85578c1a1c573c5735ac45a0ee33338fa0f47219b87c2150a74ff9a662dafff84f65caaac305

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
94069b6be4586c6273c728930fa51c94

SHA1
8a95620a19e5f2b5be95896545b1298b3a0a00fa

SHA256
68fade2f95b1c0871583f380fc7f544d826fa8c6b292de82ffb146e526027aab

SHA512
0c1485bd28031d889f2c6536253c089034c729d9c7982d783c8657c145dd790e6462b1022c78c1c9da172e6c7ce3fe88cb9d81330e8beb9280ba14edc5b8ef66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
808a6a3625dba2861af847b7c949f750

SHA1
2790d30d1a469bab0f5bd6c1f6966ae6a69a3e13

SHA256
b9d46a1875fba0518e7591349b8e53fbdb170b86daea09640a2755bddd39840e

SHA512
e8ce9a04a684c041cc01be36e129bddfa1fb4ab00c452417852061e7488b5fb23d639ebabb1957089088e1edbe02f7fa9cf96fa4759491545c9faf68f823e46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamowdez.exe

Filesize
69KB

MD5
e0d7dad360692d5b4b3d8ee75e296233

SHA1
198a0f6d4f9c37f6b6770265764380225cda80c6

SHA256
ea685697e1b78dc56412b86627955ea110b65eb1d4dacfdee50e3bb7194fecdb

SHA512
ffadc05c5ccf92edd3a5f08a943ccc89c5c9572d23a141dcbcec605492ecdffcea3d727c91096e1566cc7292a7b306464a9b325c5ceed6f309aa24fd2009397b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
1dc58af8a28643f60283396153557759

SHA1
b05382f6992bdc0b5f1b0f627c1c564718793785

SHA256
f15c139a6e3607a0b4fb5cf74b66d88395ff32d23798a1bf0f6166127b16f378

SHA512
b3363b03550a6681bc24797fe741e515954036ecd5fbc1069f1c5cb6024f8b4685237bbbf65278eb0861ac6fafd30dab0346aa35f2509bf214cf6d59386fbba6

Download Submit
memory/748-57-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/748-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/748-20-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4780-58-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4780-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download