blackmoon | 1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be

Analysis

max time kernel
120s
max time network
94s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
Size

69KB
MD5

09dcc6f99a1e78c05df924a21752873e
SHA1

8c702f343e5ebbb0bc6f44d5184caa8f91b01fa1
SHA256

1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be
SHA512

4b99dba7a5f7d5280977e0ea84e5d0e5954fd46254bcb8ca6be48cfa25e233b17234d0be903366c4f575d80b5e3621f362b11ff42c49f3fa9eaf77b7bee6073f
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8ac:T6DJrXAnHmgMJ+dOnFoutac

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/2608-27-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/2608-57-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral1/memory/2756-65-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
2756	Sysceamnridt.exe

Loads dropped DLL 2 IoCs

pid	Process
2608	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
2608	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2608-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2608-27-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/files/0x000500000001a4ab-35.dat	upx
behavioral1/memory/2756-42-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2608-57-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2756-65-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamnridt.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe
2756	Sysceamnridt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2756	2608	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe	32
PID 2608 wrote to memory of 2756	2608	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe	32
PID 2608 wrote to memory of 2756	2608	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe	32
PID 2608 wrote to memory of 2756	2608	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe	32

C:\Users\Admin\AppData\Local\Temp\1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
"C:\Users\Admin\AppData\Local\Temp\1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\Sysceamnridt.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamnridt.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
c497c3890beef899f17ce3c9f4cf6094

SHA1
51a5974721a2f9e76c4d176719d2b8f8efcc8b5c

SHA256
26fb97dd6d49d8dd547a1f1123ed4ea96099d0104273a3bd5665ca3010c207b4

SHA512
87c2c80232bdbe59c66da80f47cef0abfa30b27fd75f3075acf96e2de0722fed935f3dc1472de0d9d51fb1667c7157a51961ac54480b3cca4c9f2004ceee5660

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
be2ae8a9d738667774406810e9474047

SHA1
abb5d75fbcfbf8fbfae4cbf00a8998a527e01f7e

SHA256
f38efc0a7fffa5640e03bf0adbb8388225e7580f5d01e6630bb6d83109187a68

SHA512
e5e10da017d491467f27fa7211eea836c6f1c2e383cf5d3d121e710b6ae8ee6570abb7fb9de20c897982497025da716e4eee21b501aa237f380984fad74cbf3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
34a31dff4a06599d613e8903b8ec356a

SHA1
b373ac1759e6774481625c22c1b804c45e18ac31

SHA256
f9a7cc1d76b34269792cf9107112b927aebf88249795acb101faaa13622d5844

SHA512
a47a95288a1a86978e71dffa5623f6b696846bc23e5f2b26812f174972553476c680300356181ae8087fda21b95b0f847efc02f0b027bc9af50acb2e464f4514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
f6e71c7c85bd9c19d8e2163909a8233f

SHA1
a6f3bd3ad32b2e57f46d7b4695db0a8d00139d0b

SHA256
3847592f31dd6c61e46e37427cee89b95441028d30014f31485f4fc2d5d60245

SHA512
914aa222453ad077d951430009b36087baa9e959be5b972e3b7867cc99b87c96a2e88b233130669f93592222f4a14a70d357cd86bddcd71d6767ac8838064e59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
b696a2d53e0ba7b993e0d161be70ee27

SHA1
d0cf599d6202affc564680389580a4c5d9ee3fad

SHA256
28eb42e1eeabe8d2c83c5854fe4c8f8199200b1cdfc3fbcf21cfebd54792672a

SHA512
658db890930867aab38a5fb8b86600f77ce19a3179150b5e51a824e9a08b88d6736d87e5d14b7a96c220d4a8118fb151a7b2ca882eca872779d2c4f4cd9a7499

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
f3d38fbef73f08160e209821d32d35c9

SHA1
da170fd69479caafb2e607f1881663c08513f525

SHA256
1db5773a23517382c607b8461457cbfed79f81e9bf0daa2fbf695f4e0bdb013e

SHA512
5a3d4c35c7098fdeb113eb375eaad356e007ee5ee66418fa8e6c3c67c0d7495977dff630140aba776cdfbc61e90cb3692e0dbde1dd27e0a9a0d7c3bad6e09feb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
a933f5ed74cd8f24e1ac5255a2abaa55

SHA1
5f57f20e4c5ac36e12636ef7e04fe47202d83264

SHA256
f53676db809996f1a1eb9fe084f0fb55af06775447f7cf1b2d19fcbc4ce20d77

SHA512
5c0149587437c24f49ba79b8c3099079c44f84a6acc3746ca9cf6c6ccb35cbd2a5f42f9045e1e126ae9604728387f5e79c5e7b1d77c1cc0262fb3a4814805723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
e1d04a2bb1553db13485eab2be7d0e7a

SHA1
1af028aa2d9aa2a1288d18bd6f6a85672761b3e2

SHA256
f80ed6b7c2d7ac2d1b318fd49fa4ebbf5509ce635f8a9376a353a68a8596f1af

SHA512
ac20dd63976261192d32eb64987baeace1eef028ee5b122e494f2a0f24d90e5bcb9a165adef301a9ee7acdf4b595d52e76afeff8af7835d1f896b441103b3a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab144C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamnridt.exe

Filesize
69KB

MD5
ad723f56f7ccbf27e42d226e3bc6ad00

SHA1
74750d4841ec614cc512e482b505b8b922716be3

SHA256
afda4ad3447f8a8777838b405fb18ca83c49c9798bfa2a6817937083525411de

SHA512
d76b673579a7bbed52c3e3139f92a58274064f9560c555c816d2904c2e4b91bdffe7a408bd0d7d2d1c294769d7d64dc49547343f4f41f3b6124be2c37781b335

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
da7899ea5fbe668f5d22ba00b3812e4d

SHA1
4effc239f6a69cd8a0acdf91355eea03dceeb3d7

SHA256
7a849ec4a9aa15bb62c3ee7ab42c540c24e5eca650f8c2f2691b39b7b5f76bd1

SHA512
103b9c5e0aab549dd8022b17c46a71c850581a639bad2b4c2a3db7cebb6608ff54ced6245ec177e28e258c826569f2b941370746d99362328655f80ad7b53d91

Download Submit
memory/2608-41-0x0000000003EC0000-0x0000000003F28000-memory.dmp

Filesize
416KB

Download
memory/2608-57-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2608-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2608-27-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2756-42-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2756-65-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download