blackmoon | 699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee

Analysis

max time kernel
299s
max time network
157s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe
Size

338KB
MD5

f27c460214d36b81e3ced4e57f5cb5a9
SHA1

6e681c3574c2ea438950f623e7dbe0682c91ce8f
SHA256

699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee
SHA512

a2683741dc79b198134f5c4985e48470a343039fe96c9483aca3c2f5e9e78cb52fb477b2d18e4229595b0ebae93f0454f248f95c04ac8fee8c2b4f53df78d960
SSDEEP

6144:b5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zkXudeh:b5/Q58drihGiLhmGNiZsx0B/zkXoeh

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016241-150.dat	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
2100	Sysceamwkcdr.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe
3008	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamwkcdr.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe
2100	Sysceamwkcdr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2100	3008	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe	32
PID 3008 wrote to memory of 2100	3008	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe	32
PID 3008 wrote to memory of 2100	3008	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe	32
PID 3008 wrote to memory of 2100	3008	699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe	32

C:\Users\Admin\AppData\Local\Temp\699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe
"C:\Users\Admin\AppData\Local\Temp\699b222667bbc6d120abc8b3a01c5e38f34cf4695ad4ddfb67fa65ba88cfa8ee.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\Sysceamwkcdr.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamwkcdr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
748ac2950512e7a84706ead4ae3ca696

SHA1
721e46335a8612ef899a10a398f09832710914b6

SHA256
199b44a2d5a612c2eb543d4d781201fd3127af4418e308866e0803d9ba24262e

SHA512
79e3167a99a4f30935825c8cc06ce4782012cb551db16826df40ff7c1506b88b0133cdd3195755568dc78b19c345fc000ce27b240f68f641c9338abba2b9801f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
471B

MD5
08ae0da9a482c80f4e6601882693bdf3

SHA1
7c5f1d8ccf982d47bcc958ad74a5a220f356afb8

SHA256
a58a60103a77fec29c456cb8acbc8fb32d4c57044395f1aaaaf55ee53463b19b

SHA512
9e35a99fef4531043bfcd14c74e530a97f7120e26902fe2d75808b64a3e1582e0ca418f0aa734c61b4690a884a803f717d3ce9f953c25b7c4016f8f081ff2048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C1B8D87CA29E93F2FEEB2834BE22FBB2

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
9916af29552e6344903438e5b5ef8e69

SHA1
7a8ec190faccb0642fdb2360f29725775263588e

SHA256
3d0ce3defc3aef969728590a759651839273a7ee2e33e7695ca361b032439b19

SHA512
8d1f47b2ee0cb22c703305877ca91d8072bc1270c25f0a635cd7a2b703c68b2a0bf5f4127cac89e99c4c868268c604bafd4d554e7912dc3c56be8ff7fa1055ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4169d76f3190de4198b60d2a1d91b60e

SHA1
b2474ccda7815dbaa60ca7fa7fea4d8f9da5cff6

SHA256
69667b45004b96dd13fa114ec5b1af915be2a80ea3bc865bc0d8472bb65ff3ae

SHA512
7b10a0df1a142559fb4a65fbf0ca3a25a94aaee4bd7afd760f04f301a131199ce145f2862f94619c9482d66b16d3588f67150eaa9ca41bb9db592fdb86541459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

Filesize
410B

MD5
a1a838759edf5fd0ee290fae0a449d81

SHA1
64d818629aaa1415ead99c707e4b3727c1e20ddb

SHA256
9ff7a584f6fed7e7b1fe9864f71af920a5a25dffe1e58a75fba7e7c61ff7a5e6

SHA512
fba86279a3d3e6043fb45b95d99a390ae38a864821b5c516ec541fc945c2922d86ac214e85de0df581a78922c0e294e7d2365a55ee7a7b8b728ad07a377a4ed2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C1B8D87CA29E93F2FEEB2834BE22FBB2

Filesize
250B

MD5
5ab68809d84138388fe0c55b52e6a5c5

SHA1
430be4fecce406741dcaa2ac07023185818fb899

SHA256
a635da89d16511352fb54b358b56446be548fffca10ad8b77406ca1f7521070c

SHA512
90b94a9690c6b32c884fa9c14b2af4bfd7233d623cb65fa72e3c0894cc14afdc8d2e452821a9fa668fdd5edfcc02a464780c97b94fec2a3d1977cc9cf249d185

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamwkcdr.exe

Filesize
338KB

MD5
b89cc9e34f9e72a8063c3ab4a453996a

SHA1
1b305953760c3cd5d013587996d12061f0a60465

SHA256
15154ed7f2bc24089306f37efd15d2eb66fc03e3dcf23fe4819eeabf2ae4f95c

SHA512
0556713670ccccf6caa03a01b78d0fd3ac07de079ff2c98ca2949eeda06cfaaf147a5c73f16b65cd73412000abb404dd952039997e9acdcbe6a04c8ea2d1e9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA5F7.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
ed65912190c1ebfa6363aff27c3a33e4

SHA1
e59a08ef137248ed064308859b7193feb6e63903

SHA256
a18363fd7965314f5e69bbd9602e4cd5b21e14fea8ccb7ec3837ae08f0c405ab

SHA512
53cb0999146cdbf98ace02c9ea12957b7338b26e390453d7d56af05745c7bbf0a288f9288ce7bba9c06970ce1fb0cacd4fc58226e2430cf5022e4cb9d9395cf9

Download Submit