blackmoon | d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe
Size

69KB
MD5

26aafcb37ad64fd9b71ae85cf33c3494
SHA1

0542cefc8f008f0f21f5ea6b7c29331337a6def6
SHA256

d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe
SHA512

3e1f84f1eafc2fca85bc73e2898263f43bd5496911619a099261c81adb68f708a0a7b5e68bb9db96cdf791cb18198d9a305b90c64f74bb7b9e4ef4c18535bd07
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8a0:T6DJrXAnHmgMJ+dOnFouta0

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/4544-55-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/4252-72-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe

Executes dropped EXE 1 IoCs

pid	Process
4252	Sysceamkonlc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4544-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-26.dat	upx
behavioral2/memory/4544-55-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4252-72-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamkonlc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe
4252	Sysceamkonlc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4252	4544	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe	82
PID 4544 wrote to memory of 4252	4544	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe	82
PID 4544 wrote to memory of 4252	4544	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe	82

C:\Users\Admin\AppData\Local\Temp\d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe
"C:\Users\Admin\AppData\Local\Temp\d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Users\Admin\AppData\Local\Temp\Sysceamkonlc.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamkonlc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
bf1d5b0df977add0a71af75cd105abba

SHA1
aa043f630b333fb6338fc6a52f99a80685d7933d

SHA256
a19eebe94a8e2d2dd13dc7e33a1625e51b6b9ada9bb28e9d8852b78eaf11d1d2

SHA512
1048ca2d8e314d471fadb034be1835663955578c13a5a863771a39780794ff87d37f2b11b9295d9e1e635521a8bda3a2cd17f7709674f15efa8c06e96e72f0ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
be2ae8a9d738667774406810e9474047

SHA1
abb5d75fbcfbf8fbfae4cbf00a8998a527e01f7e

SHA256
f38efc0a7fffa5640e03bf0adbb8388225e7580f5d01e6630bb6d83109187a68

SHA512
e5e10da017d491467f27fa7211eea836c6f1c2e383cf5d3d121e710b6ae8ee6570abb7fb9de20c897982497025da716e4eee21b501aa237f380984fad74cbf3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
011ddb737cff5db5a6c49b4b76524753

SHA1
7661adacc256199dedc2710f16d0a87a42ef22fe

SHA256
7e737c5606dd1bcea7cee237c4ffaa3d72e055794b8fd8dca99b4f15fbc0e5a5

SHA512
3c694ff56719783d966fc4a29cf7d2e15b0626b5a276f5ee703af717ddf013d8b7068092a47a9563816c6c2b00283150a997a5d864a9c09af2fb93f9c5535b77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
b9f866a192d8f03fea9753d9e3ce9e61

SHA1
1a25348795f02be5377b7f2bc521f77b906170f7

SHA256
f9a5be03b672a7a6f1ada443d04659be25fe9b3527d76c315f17e6036d64c154

SHA512
6cd2eb4bab51d071cc7042d6703a9f15f9c57676ef2e08c8895383b7852412cc2f787897abdac7910135289a50d04396ed0dd90dfe1d2292a1884ef0880e37bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
4c54940f95e445530b9bf55857ae8b0b

SHA1
9f74b42ed0573d8834f818a2952f9cea85f9e3ac

SHA256
fa3b9f032f9c35ad9560a6a2fa3736b04b1b7fdc1caf9c826665ec65e48f4155

SHA512
ba145834129a1328f420df9f02a89d7a0fb02c55c46bd5fe1c163462a474df597bf795967f1d8af9c9b5d2f58fde752498bf050d88579276b08e1e7bc02f2619

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
077fb07380beb20f97dc14d47ff70ec5

SHA1
5b3e6d373dc132c00df64261f800e527461b7067

SHA256
fbab719c65bfc921daf532e275c9609516f207513f9ae1345beb29f8006b18b4

SHA512
2d0e8f36f8f7332cece2f724a975cb70f7ee720ec2cdb3513d564dd9f8e088e3f2b26dcaa7d2c6761cec310967211686e6dcc866b375004466581197b926dbaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
896e12ffac3428a01027ef3eaa7f3e76

SHA1
002b2c9a097c20410ce9281d7e030795288daace

SHA256
e538eded6368242a10294336934df763b9734c6734fbaaf2c3807a2f07048051

SHA512
eeec36bd440542aff730383ccf9e283d4a1a00a29adc1c47588568409bc0dd4a05d919a3b83ee5221e56a3d6d605bc6b92bf6682b2f6fef0defb29002516b79b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
3356efd3f690e359200e333d02a5b64a

SHA1
3aa6ae187c61165f9f994c648f273c02c6bffb4b

SHA256
4f0c0f616dae73e5d9195ecf5d3b8da09269bdc9e358783609cd0a7b71579b54

SHA512
3be24cce8d34dd2748c30690e2045c0d77dd110ae31f9bf8261ec1a3c1ac3a503d31fbccc0abe30046a57e01534445de6c411cc94b3b6b4d5bff82ef3c801b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamkonlc.exe

Filesize
69KB

MD5
6a1f0940240e06fa3068772a8c011979

SHA1
aeec7c048422fc9639a1b32cd630cbf08237b4c0

SHA256
da13717928584f31d6a0d786108365bee9b449f53e3c20be6f26b6042cecda80

SHA512
eefc685a646fd011583efb8c9a5c87859a151d1e74c5a951d77665e95251c37e5c78da055d0b45dedee1470e96c3799717d680a71326bfbfb3cf9e6835278eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
29d3892a72c8e40a2d6ce8d09f7f17dd

SHA1
b79c3014b1b63e20326f0273c9ac612e6c4fa9d4

SHA256
538dbd2e3556dbf15cce32c33c3e015dcff313cc50e8b58f3739b7ddbdef81de

SHA512
20c8df7851a095307e413d74e70c0017462308f153e8c43ae077a76af714eb97847f7799faf78a067e70c4715b7d2fbe86c3613c0405245f56d2283c84cac963

Download Submit
memory/4252-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4544-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4544-55-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download