blackmoon | 1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
Size

69KB
MD5

09dcc6f99a1e78c05df924a21752873e
SHA1

8c702f343e5ebbb0bc6f44d5184caa8f91b01fa1
SHA256

1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be
SHA512

4b99dba7a5f7d5280977e0ea84e5d0e5954fd46254bcb8ca6be48cfa25e233b17234d0be903366c4f575d80b5e3621f362b11ff42c49f3fa9eaf77b7bee6073f
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8ac:T6DJrXAnHmgMJ+dOnFoutac

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral2/memory/3940-46-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/3940-50-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/2236-72-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe

Executes dropped EXE 1 IoCs

pid	Process
2236	Sysceamnptnm.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3940-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-26.dat	upx
behavioral2/memory/3940-46-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3940-50-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2236-72-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamnptnm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe
2236	Sysceamnptnm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 2236	3940	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe	95
PID 3940 wrote to memory of 2236	3940	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe	95
PID 3940 wrote to memory of 2236	3940	1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe	95

C:\Users\Admin\AppData\Local\Temp\1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
"C:\Users\Admin\AppData\Local\Temp\1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\Sysceamnptnm.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamnptnm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
c497c3890beef899f17ce3c9f4cf6094

SHA1
51a5974721a2f9e76c4d176719d2b8f8efcc8b5c

SHA256
26fb97dd6d49d8dd547a1f1123ed4ea96099d0104273a3bd5665ca3010c207b4

SHA512
87c2c80232bdbe59c66da80f47cef0abfa30b27fd75f3075acf96e2de0722fed935f3dc1472de0d9d51fb1667c7157a51961ac54480b3cca4c9f2004ceee5660

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
be2ae8a9d738667774406810e9474047

SHA1
abb5d75fbcfbf8fbfae4cbf00a8998a527e01f7e

SHA256
f38efc0a7fffa5640e03bf0adbb8388225e7580f5d01e6630bb6d83109187a68

SHA512
e5e10da017d491467f27fa7211eea836c6f1c2e383cf5d3d121e710b6ae8ee6570abb7fb9de20c897982497025da716e4eee21b501aa237f380984fad74cbf3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
34a31dff4a06599d613e8903b8ec356a

SHA1
b373ac1759e6774481625c22c1b804c45e18ac31

SHA256
f9a7cc1d76b34269792cf9107112b927aebf88249795acb101faaa13622d5844

SHA512
a47a95288a1a86978e71dffa5623f6b696846bc23e5f2b26812f174972553476c680300356181ae8087fda21b95b0f847efc02f0b027bc9af50acb2e464f4514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
f6e71c7c85bd9c19d8e2163909a8233f

SHA1
a6f3bd3ad32b2e57f46d7b4695db0a8d00139d0b

SHA256
3847592f31dd6c61e46e37427cee89b95441028d30014f31485f4fc2d5d60245

SHA512
914aa222453ad077d951430009b36087baa9e959be5b972e3b7867cc99b87c96a2e88b233130669f93592222f4a14a70d357cd86bddcd71d6767ac8838064e59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
a183dbba7354f6ad8da95dbed04e67fa

SHA1
b58ff518d99fd7955d421e4bad8c877a411edac1

SHA256
712f8379ff53dd4ab614cea5a3ba480a95b9b9943d48b17c8695aa1d9762767a

SHA512
f3a902e5b49636488841652352e8c570fc9fef28f202bde0b899837da72a7aff99a3c75e8295ec4faa8fd4597188c0a1a5f606bd2fc638af5c6b646c93e620f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
8d0e81ac0d54d4dae35c044cf61a357c

SHA1
4b4dc20ac38d4e3afce95916a319e6a57361301a

SHA256
3dc83d53fe784a0e975435c548e60356f82c0badbedd0f1815228db429cdb555

SHA512
aebb72a9382c086c8101f021a182aafa815af2707d63394007615b0e754143bc5486a07f26b160cc4cdc22c4c67f9ef7823e442e57786bbcdec3ce0168218281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
b67a1e9d1a903d7e1036aa3f4ca04633

SHA1
d7a3e71906e4f7f5eba6873200d9fd258b8ebe62

SHA256
337bf4273ee72aa6564b811b639adbe6788e1cab7eeed5870a2137f2cf26206c

SHA512
e53677859abf7908ab424705c15738da359758b2cf6369e8d89a9f6b39f303eaf305f81b25a991ce515022127a0677548de2b194854eb72bef60996b60648fb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
0cc2d93b1a11cc857ce586f856c30c1c

SHA1
356de0e1d267d3bc508e98dcbc7cbefd5a5d8cfe

SHA256
d906b8624e9e42a3006a274abd4a7e8fe0068d8b66908b4c7875e8104760f61e

SHA512
349530d53f2669b19907b4fd897ff6cc69aa7e926b3b7df41b4c9e43653c655a0acc3ae886a4e72ddd160b3dfde29f3d3f1ae6580aaeec67bec7111275b6443d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamnptnm.exe

Filesize
69KB

MD5
c310a63a388ab11190d222579ce743aa

SHA1
1986a818988157ad44cdf865122cec45b7492948

SHA256
757534c1944d2b97d2a35167412b17b1a941444b0404c5266afd52bbf3f8365a

SHA512
3fe7090532e947fdd6482ec270d10f397b13a722c91d52388115a7fe49ce289e21ec5056c806b4a2cafc58b2addcee432736eca8f944812ef402183a5db85b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
da7899ea5fbe668f5d22ba00b3812e4d

SHA1
4effc239f6a69cd8a0acdf91355eea03dceeb3d7

SHA256
7a849ec4a9aa15bb62c3ee7ab42c540c24e5eca650f8c2f2691b39b7b5f76bd1

SHA512
103b9c5e0aab549dd8022b17c46a71c850581a639bad2b4c2a3db7cebb6608ff54ced6245ec177e28e258c826569f2b941370746d99362328655f80ad7b53d91

Download Submit
memory/2236-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3940-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3940-50-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3940-46-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download