blackmoon | ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5b

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe
Size

69KB
MD5

e2e9d741195093c978039f30f8bca360
SHA1

82f1fcfb90b923d0ba407a1b7a5211bbb4a96a7b
SHA256

ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5b
SHA512

fe933113c9a1fa7a9d7d1c1b8a68b2ba57e0e7c5f62d1aab1b97e0df910ccf39a2f759008fda32394a69cb8b56c1b513590982cee7d0e2a058867c6c670e4a19
SSDEEP

1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8a0:T6DJrXAnHmgMJ+dOnFouta0

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/4612-55-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon
behavioral2/memory/4896-72-0x0000000000400000-0x0000000000468000-memory.dmp	family_blackmoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe

Executes dropped EXE 1 IoCs

pid	Process
4896	Sysceamocwfe.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4612-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/files/0x000a000000023b7a-26.dat	upx
behavioral2/memory/4612-55-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4896-72-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamocwfe.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe
4896	Sysceamocwfe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4896	4612	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe	89
PID 4612 wrote to memory of 4896	4612	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe	89
PID 4612 wrote to memory of 4896	4612	ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe	89

C:\Users\Admin\AppData\Local\Temp\ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe
"C:\Users\Admin\AppData\Local\Temp\ef23a1299d2f236b23ca10fd35287d44461b98bd7208a036c2889319877efb5bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\Sysceamocwfe.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamocwfe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
6a133e0e8bba27fe05f02ad775e8b843

SHA1
dbd3c1202c50c3469ae5787ae19e432da1046d40

SHA256
79d2783e02fc43128367a3621b138bd5c83e8a839ce82c830cd6015d02dc8ef1

SHA512
8719badd813827086e3ad2ea49057d6d2fe7a340c1dd6c55e3fa0eaedf01ad497875043028fd1e867ce2a6a69f89694afa477a308e3d41026d77bf0ac7ae4812

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
741bc9b4dd8fcc14c29eb7e58a9b0f47

SHA1
f373b5afd5e68ba8c4fcb43a0e4ad85f7be09582

SHA256
eb401c00eca47569fde8c18ec6dfc2d50af19eb043c7878e3866ed235ef0e9e7

SHA512
f717b0634f3f56a7061e30c01e817f720ad1216cea01feeb70c56f37c914b32b07de030a85837c96a6114efc473ddd1189382f38e606fc70b1704c38cd780edf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
34a31dff4a06599d613e8903b8ec356a

SHA1
b373ac1759e6774481625c22c1b804c45e18ac31

SHA256
f9a7cc1d76b34269792cf9107112b927aebf88249795acb101faaa13622d5844

SHA512
a47a95288a1a86978e71dffa5623f6b696846bc23e5f2b26812f174972553476c680300356181ae8087fda21b95b0f847efc02f0b027bc9af50acb2e464f4514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
1KB

MD5
39e36760b0b773b688df5e24175fa481

SHA1
7a21e781658937b8e906b0b8bb461e5c626f65fe

SHA256
087101e8f43a2cfbe47d6d12a835b31b72ff6401b66b47a7eabac4e35ce6f6cd

SHA512
5e4d61a464ab5fa2a36ced836eb6034b9a63c6ee3d4c06edfdeb54bf5f25003d2fe89f701df8f9376785536885799b56e5cf8462e32970c19dd0d042fbaa6108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
5318f693b498f43aee1d1e7e55b1cb7c

SHA1
73ea7e9b6659abf84e7f45b07cf958ac340de72e

SHA256
9b88b53c7d5b46d6417427d900eb839acd85be9c1a5f055771d5b5758253445b

SHA512
19f1ee6dc25781b4369f56768372edd8a20fb7d3f4597fd9a497e95a5f97899d34aa9a8fd68a7932e35e59f582c7ecdbabd43fc0cbc23e306976bae3dae8bf02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
4625fc535bcdcc17e03976bc5ce16b92

SHA1
a066d0d4f92a8ef4c871aadbfd42bd7cc53016b7

SHA256
d4956605780f0ef140e7ceb5686cb898e7dd738ecf74e234435e1858cbca2b3e

SHA512
c29e4598f2e1e2a0e6e6f5f4d968f85225dc29e49ccf2f211bd849c8a6e987429b4a724ef7852d54604dcb6d104645fbaf81dcae09f60f26fac1126baa75b0d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
39cd5983b87db1fae9029fde053eaf28

SHA1
b2842d2853767bc9bb5b276f25902db1ec99f3b3

SHA256
a1285245bee664d65fd6ef189e2716100abd49b22bcd603915c0b7b6341eb621

SHA512
4572cfc5f8aac5586f2c896dd1f31d9c6fe52c6c79640af9b6b5deff94bfc7f5542765ebbca931081bb8c77e242f311ceef2a110c4685acb5fcf4db3244ce571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

Filesize
536B

MD5
d9ff8ba358d8ec3d6275e450ea499140

SHA1
d2518cf7e07db1d23ee304abe4090db3c8cf3cdd

SHA256
bc6035d7528f677c278972f2897a42ba367f2535c2efa62ebbd1336cbbab808c

SHA512
f9d59f30867e24f72c37326a00ec801b58619429a7a48d685b6887774afe474568230c70136d92a3f98d1416b85c5b5c6bc8c87b98091b5b31ef8c91ef6eb45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamocwfe.exe

Filesize
69KB

MD5
13e7b744ac60d70dc5ac941b6230f83c

SHA1
02e289e95d56d981c522475fbfd85f81b703fa3d

SHA256
dd49e848dfb4e5ddc56128ff806c1961b97d19953c8b127a98be1a5aa472b9f9

SHA512
0ea8119c8eb2a8d8e5d7cd939b7a82f8e8c8158c123b9c597cd7d1530da6067e79eacdbe0e677da6e7423c8cc0d363a6fe18b0e962c757f7a74882bbaa711a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
103B

MD5
4b6ec0b9eaf0ed934757a2961673fc85

SHA1
9eec40491bdd520ee3f88802026fc8cea118637c

SHA256
78ad9bc49374b8feaec1a42bbe5ad30d4c3a0db5d8b18e40b5eb96eda548c84c

SHA512
0b7e55fbc2881a308bd689c88e853bd95fa2ea9b07480360b17566d65caa30f39a2de94ef9c26d08e87b7ff674f5535ec72575f7804f3823e72d5c3b9e32bff0

Download Submit
memory/4612-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4612-55-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4896-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download