blackmoon | ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d

Analysis

max time kernel
140s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe
Size

314KB
MD5

afee45b830be9fae35ebda722b801800
SHA1

2b49f9ed6ae2b0c36612d2267b58803bab96259e
SHA256

ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d
SHA512

d485dff2f4eda2c140e2ee87f3d048c3b78157c82ab746ca1704dcd7c38f67e98b42b6f31137ae6ef84a4c35b3cbe9d012977b62a7a2cd52ee80adfda5597862
SSDEEP

6144:PMivKqmiRqbQFI7tjBty1xYtwQYpk0iYCF+lq9177tGKBoudDeklV04E3:0kYbQFI7RPwk00rFekHLE

Score

10^/10

blackmoon banker discovery persistence trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015cc9-9.dat	family_blackmoon
behavioral1/memory/2420-21-0x0000000000400000-0x00000000004BD000-memory.dmp	family_blackmoon

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Executes dropped EXE 1 IoCs

pid	Process
3012	pythonw.exe

Loads dropped DLL 3 IoCs

pid	Process
2420	ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe
3012	pythonw.exe
3012	pythonw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ÏÔ¿¨Çý¶¯ = "C:\\Users\\Public\\Downloads\\desktop\\pythonw.exe"	ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-0-0x0000000000400000-0x00000000004BD000-memory.dmp	upx
behavioral1/memory/2420-21-0x0000000000400000-0x00000000004BD000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pythonw.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pythonw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	pythonw.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe
3012	pythonw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2420	ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3012	2420	ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe	30
PID 2420 wrote to memory of 3012	2420	ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe	30
PID 2420 wrote to memory of 3012	2420	ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe	30
PID 2420 wrote to memory of 3012	2420	ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe	30

C:\Users\Admin\AppData\Local\Temp\ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe
"C:\Users\Admin\AppData\Local\Temp\ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\ProgramData\pythonw.exe
  C:\ProgramData\pythonw.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VCRUNTIME140.dll

Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\ProgramData\python38.dll

Filesize
272KB

MD5
9a54895a1ac99f435a8c89516547e759

SHA1
4cb748cdb7dc9a4b424cc29fa41b3ac2d015e5b4

SHA256
e58d00dca904f875d30a1e980f89325d70cba8fb75939aa95621f348a733ba8c

SHA512
a123af33e5baaa1b8291ce911e75a4cd699f6812620eb7997db0855e3ad41232cba7aee2ca2fe19f302e308aa8778afbd0356d358d5bc11455f4f23080a3d224

Download Submit
C:\ProgramData\pythonw.exe

Filesize
93KB

MD5
867945992b1375b625b16f0e5ba1b623

SHA1
af2e140ecd754d2e700c7043c26b35f0a1e4c982

SHA256
51182a4dc90f0d8019031e27f9fb8f8f2b8d73cd0c8f5ad5aac194c9f3f5c1e1

SHA512
d46c21753edaa50ec6e913932bccec59b59da2077fa4ef66abcaadc4f5e291dc21662c11c0c607c9be65bb52e9190b9f8e216aa7319e2d4ff26e876b85457a68

Download Submit
C:\ProgramData\wc.xml

Filesize
156KB

MD5
eba56b08fb99be3cd1f858834d0d58d0

SHA1
77be8a344fbf4fca1737cda27ac9a6c9d60c8832

SHA256
a42c6872cdc6ae03ab19e8e0017829062ca284b55a9ae4f6c9b9277ebf7d3ca3

SHA512
476b62331e41beac5137101ee8ff429abf9a7985632d706880c0eae72585e86d1c2b4666ab60068ed6b6434dd3b6e44c808dfa2de590c3b5b6fde1085f2af447

Download Submit
memory/2420-0-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2420-21-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3012-14-0x0000000000940000-0x000000000096C000-memory.dmp

Filesize
176KB

Download
memory/3012-15-0x0000000000940000-0x000000000096C000-memory.dmp

Filesize
176KB

Download
memory/3012-19-0x0000000000940000-0x000000000096C000-memory.dmp

Filesize
176KB

Download
memory/3012-23-0x0000000000940000-0x000000000096C000-memory.dmp

Filesize
176KB

Download