blackmoon | 34ab31c06953e8710cbd0e818b1b6b40c5993901e7c584dfa98d3118a14442cd

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2024, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34ab31c06953e8710cbd0e818b1b6b40c5993901e7c584dfa98d3118a14442cdN.exe
Size

69KB
MD5

61495fc6878dcd9aa17b177f2e727180
SHA1

e85e35c72caedd3d93d32eb1720402a8fd36c655
SHA256

34ab31c06953e8710cbd0e818b1b6b40c5993901e7c584dfa98d3118a14442cd
SHA512

44fd0962e6a116e5cd4fc6408886621fd4a4351fef624ece183e14536f5979a41c7fe2f145a04e99fde29ab0e12aaa42563b811f15eedcea577b2a3ffcca3bc4
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8aE:T6DJrXAnHmgMJ+dOnFoutaE

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/452-55-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/3220-72-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	34ab31c06953e8710cbd0e818b1b6b40c5993901e7c584dfa98d3118a14442cdN.exe

Executes dropped EXE 1 IoCs

pid	Process
3220	Sysceamdpazi.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/452-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-26.dat	upx
behavioral2/memory/452-55-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3220-72-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34ab31c06953e8710cbd0e818b1b6b40c5993901e7c584dfa98d3118a14442cdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamdpazi.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	34ab31c06953e8710cbd0e818b1b6b40c5993901e7c584dfa98d3118a14442cdN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe
3220	Sysceamdpazi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 3220	452	34ab31c06953e8710cbd0e818b1b6b40c5993901e7c584dfa98d3118a14442cdN.exe	86
PID 452 wrote to memory of 3220	452	34ab31c06953e8710cbd0e818b1b6b40c5993901e7c584dfa98d3118a14442cdN.exe	86
PID 452 wrote to memory of 3220	452	34ab31c06953e8710cbd0e818b1b6b40c5993901e7c584dfa98d3118a14442cdN.exe	86

C:\Users\Admin\AppData\Local\Temp\34ab31c06953e8710cbd0e818b1b6b40c5993901e7c584dfa98d3118a14442cdN.exe
"C:\Users\Admin\AppData\Local\Temp\34ab31c06953e8710cbd0e818b1b6b40c5993901e7c584dfa98d3118a14442cdN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Local\Temp\Sysceamdpazi.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamdpazi.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
77fc7f39a248ade7cff55478dcb4aa19

SHA1
5672ee3879f41c132c1070d16d356b031a70c74a

SHA256
408f58cba4c71913697b8aeed47122af1f6e86c67dfef1bc1e2f95e788c0c8f7

SHA512
8477545e6d337c385742d2e1b763e2083e3bcca1523dd51bcba22f714a3427a99b308fcfeeebe73d9609dd4a2bb82bae40b43c4f5c567a05075ed538525e401b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
be2ae8a9d738667774406810e9474047

SHA1
abb5d75fbcfbf8fbfae4cbf00a8998a527e01f7e

SHA256
f38efc0a7fffa5640e03bf0adbb8388225e7580f5d01e6630bb6d83109187a68

SHA512
e5e10da017d491467f27fa7211eea836c6f1c2e383cf5d3d121e710b6ae8ee6570abb7fb9de20c897982497025da716e4eee21b501aa237f380984fad74cbf3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
011ddb737cff5db5a6c49b4b76524753

SHA1
7661adacc256199dedc2710f16d0a87a42ef22fe

SHA256
7e737c5606dd1bcea7cee237c4ffaa3d72e055794b8fd8dca99b4f15fbc0e5a5

SHA512
3c694ff56719783d966fc4a29cf7d2e15b0626b5a276f5ee703af717ddf013d8b7068092a47a9563816c6c2b00283150a997a5d864a9c09af2fb93f9c5535b77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
ac3df84c0f0b75fd8f33a0e4c7db6c60

SHA1
c1e99536a94bf9f1847728ffc0afec220c5469d8

SHA256
1a331d0154a88426a4fe00be5312d99e0209965c732ccbd5fa5f2aeb0a3504b3

SHA512
2f686f9ec7c71de697ec6f544bc821219f8070064c75a6900e155149f1494fece8395381acb5c36b336ecf0f1e86a2b0cb8dd45d3735f1855619c28a29c1dfea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
0ab5d695cdade64ea0a20cecbd2247ed

SHA1
acbfd2c68b663fa863a862e7a1b5c0edfa9ce562

SHA256
ba9ac8e024fe19e02875f2baea60ef9349c566e065b4d932255570f8c9dfd071

SHA512
4dd9b9932338d8fbc835e35dfd586dbd43f23e18652c0bf3a9a45e0ad7d5a5e69f1a4299685615995dee93512258b4a717b1c1fe5a7d265763b7cbe86628b522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
47a1416440f262d391c9d20925e9fa06

SHA1
553818a6e53219f70f23dda7650584107cd1fd52

SHA256
c7f2d68075f7b84b89d610c413dbaaeff338ba0d1f6e7a56e821bd3172cd7b32

SHA512
9d7fdf1680241c1e8f57511bc98452686183c65dd63bab5e68599acd71ad00237558e24908fa8ef3caecfc0cb963de7189eb470ad1cb3f6914031fc0045677b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
19ca32a1f704065fd4ef8d158397860b

SHA1
e547a8433273ab2cb87f9b54676e0a18409b5369

SHA256
824fca07754d95abf835588f6e6aa863e2561c689be75669c90318a660e7f17a

SHA512
a009471f8a91d13166d4269c64e5f8b49f4511a92c6b4cd2c1b3c23ae73b46c2a4a69c582472c531ea7584c4a56153aebd3ba58c19f29c9abc8fe273ce82a4e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
83b4a23ac523626d905f48a151b60e57

SHA1
81a0b6ee199fff58adfc92302739bbd913e70cf7

SHA256
28066792b0c7ae7f2c66f54f3b5f470d21f8280bb25e16c7ac63677a1aedd3f0

SHA512
4ca9d264b40d609a0e384a7c548b0aca8b3fbc7e201cdfb384285c1599875a97252755d678b50b1289feeb5f86d217e31a92de333b0386d10702cb1dff885ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamdpazi.exe

Filesize
69KB

MD5
5a63bb746497e024e485d0a095da9879

SHA1
7bfc5e26d925a7896f3eee14b43e7c6e2a825c64

SHA256
0c7d4fbb4c500961a8e7973a2d8475a9b95db765567ec641c05ada3209ef8e52

SHA512
026911580488f878210deca513ea05b57cb3607670a189321d514573c073ca5c972b052cd316b378b8db1e3d3d5f2a5020ee266db83a2475ffea706008ff69e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
103B

MD5
bacd264fb7d6aecdda7eae67a1e762fe

SHA1
d9cac2380538bbf65d8cac58b42fb31c4fa61ec9

SHA256
082e33d268c4ab1ad3f1412f2951bda31b64850a8ad46670fe855642e7602890

SHA512
cd9c6774fb00e4fdb541800847cc38fd690de139a7c64050223a2f14aa6366223d070315937310deb1aacf4cfa98487d2303ec5d9f1fd2c29c824d06a7ed9a21

Download Submit
memory/452-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/452-55-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3220-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download