blackmoon | d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe
Size

69KB
MD5

26aafcb37ad64fd9b71ae85cf33c3494
SHA1

0542cefc8f008f0f21f5ea6b7c29331337a6def6
SHA256

d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe
SHA512

3e1f84f1eafc2fca85bc73e2898263f43bd5496911619a099261c81adb68f708a0a7b5e68bb9db96cdf791cb18198d9a305b90c64f74bb7b9e4ef4c18535bd07
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8a0:T6DJrXAnHmgMJ+dOnFouta0

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/3940-56-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/1744-72-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe

Executes dropped EXE 1 IoCs

pid	Process
1744	Sysceamimthb.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3940-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/files/0x0007000000023cce-26.dat	upx
behavioral2/memory/3940-56-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1744-72-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamimthb.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe
1744	Sysceamimthb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 1744	3940	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe	82
PID 3940 wrote to memory of 1744	3940	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe	82
PID 3940 wrote to memory of 1744	3940	d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe	82

C:\Users\Admin\AppData\Local\Temp\d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe
"C:\Users\Admin\AppData\Local\Temp\d47ccf05f2aa6bb319c18b321377b21609e94613879cc500d73c8e92bdeea1fe.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\Sysceamimthb.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamimthb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
bf1d5b0df977add0a71af75cd105abba

SHA1
aa043f630b333fb6338fc6a52f99a80685d7933d

SHA256
a19eebe94a8e2d2dd13dc7e33a1625e51b6b9ada9bb28e9d8852b78eaf11d1d2

SHA512
1048ca2d8e314d471fadb034be1835663955578c13a5a863771a39780794ff87d37f2b11b9295d9e1e635521a8bda3a2cd17f7709674f15efa8c06e96e72f0ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
be2ae8a9d738667774406810e9474047

SHA1
abb5d75fbcfbf8fbfae4cbf00a8998a527e01f7e

SHA256
f38efc0a7fffa5640e03bf0adbb8388225e7580f5d01e6630bb6d83109187a68

SHA512
e5e10da017d491467f27fa7211eea836c6f1c2e383cf5d3d121e710b6ae8ee6570abb7fb9de20c897982497025da716e4eee21b501aa237f380984fad74cbf3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
011ddb737cff5db5a6c49b4b76524753

SHA1
7661adacc256199dedc2710f16d0a87a42ef22fe

SHA256
7e737c5606dd1bcea7cee237c4ffaa3d72e055794b8fd8dca99b4f15fbc0e5a5

SHA512
3c694ff56719783d966fc4a29cf7d2e15b0626b5a276f5ee703af717ddf013d8b7068092a47a9563816c6c2b00283150a997a5d864a9c09af2fb93f9c5535b77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
b9f866a192d8f03fea9753d9e3ce9e61

SHA1
1a25348795f02be5377b7f2bc521f77b906170f7

SHA256
f9a5be03b672a7a6f1ada443d04659be25fe9b3527d76c315f17e6036d64c154

SHA512
6cd2eb4bab51d071cc7042d6703a9f15f9c57676ef2e08c8895383b7852412cc2f787897abdac7910135289a50d04396ed0dd90dfe1d2292a1884ef0880e37bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
e1f076c849ea907c11b662c2e308710d

SHA1
8ad889b76e9856ca31fff366c82e3af519bfec90

SHA256
8f42c648838f597f036c7736584e4f52ca0b1b19cfe2b74a91fb49969df6e7cc

SHA512
03426b77f51de7c408c5e86b015854d179c9e33b9ed79b02af46a18a3c5fe17bde886a822e1a8a4913fecf849d5397c98f634d5f024d799839cf647649f651c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
3f0d20a94f152a97d66bae8779173f75

SHA1
e64c57f72c617b504543aa9d43aad7df958edc0b

SHA256
dee70f34d8b2beadf0adde9eed4d767168be50a7f6c2f5d882094ec4b182f15d

SHA512
d5a2adcf62328296451eb9c671c71f6a6508197e6d415000290c53e6315435d159a62e8801626ce6a98c296a71c0ee268dc2a12dc91872d21767abf5744ffd43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
ac496267b91a1848299d4fc820b07ea0

SHA1
7ef00e28883ff669b56e96ee70d7e431e8b7edaa

SHA256
19f4d6d0c98322fb821c219f0789a891323421cb195260ea23167effb95d09b7

SHA512
a64ba9b7e105333d0af7d112cc662d98258a54a5823e15624675546f3313bb86c18cdba303ab52e3ce493832ba17df4a5e3b4f883c47ffd3a920a90edf284991

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
90908397afc75f40675accfea66564a8

SHA1
e333890ef7cec6ded061433e9ced80098d052b17

SHA256
2949d3bda4ce0f1a9742752d752d704da9d54a2014cc2c690abad91914eeebb5

SHA512
1606634694b491b6ad4cc10d21004ab9cef81c5b1b81266d7bf78a52fafc8fc19eaeab99131634c9964c160e4a3efb3d4c6e915835d0a0ea2fb0ca2d52bdfe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamimthb.exe

Filesize
69KB

MD5
8b9c6bf24bcc505ae1aeb59856a61020

SHA1
1152d25b4d6efca40328619a6316cf018245da68

SHA256
8ebf5f2c9dd8a46d32e32fa415107217a65aecb1f6edf4327b23b244e411190c

SHA512
f4c5878f72c27e5bf3a8d1f9281e4af1ee4080b536108ddf9f40dad48b5843e5aa94b39e42d67aa271ed7d84377e015e38d9faac16393612b1821bbdcbf62395

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
29d3892a72c8e40a2d6ce8d09f7f17dd

SHA1
b79c3014b1b63e20326f0273c9ac612e6c4fa9d4

SHA256
538dbd2e3556dbf15cce32c33c3e015dcff313cc50e8b58f3739b7ddbdef81de

SHA512
20c8df7851a095307e413d74e70c0017462308f153e8c43ae077a76af714eb97847f7799faf78a067e70c4715b7d2fbe86c3613c0405245f56d2283c84cac963

Download Submit
memory/1744-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3940-56-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3940-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download