blackmoon | 3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
Size

1.6MB
MD5

49ed775e66e2cd74be732cc95bab5ef0
SHA1

9b10b9e0ec21e85e2c0ec8a07c774488abb58cdb
SHA256

3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881
SHA512

c290e2bdd9e920378a4698b276e3d43269066ce3d157cb5d16562714715abd5e9903218d0160da18ee145621eb597220d7acc4baf1b028f7ddaa6dbb26462563
SSDEEP

24576:kEoD7eAzxG0Jc0a1VjXsIQRJ5OTJ7hIVymFNlMtRVblP9PIjo3rSAp0sUPYud9m4:kZzju1VbsIQe/I07SAp0sUPYu7Uo7

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/572-10-0x00000000001B0000-0x000000000036B000-memory.dmp	family_blackmoon
behavioral1/memory/572-13-0x00000000001B0000-0x000000000036B000-memory.dmp	family_blackmoon
behavioral1/memory/572-12-0x00000000001B0000-0x000000000036B000-memory.dmp	family_blackmoon
behavioral1/memory/572-9-0x00000000001B0000-0x000000000036B000-memory.dmp	family_blackmoon
behavioral1/memory/572-16-0x00000000001B0000-0x000000000036B000-memory.dmp	family_blackmoon
behavioral1/memory/572-17-0x00000000001B0000-0x000000000036B000-memory.dmp	family_blackmoon
behavioral1/memory/572-15-0x00000000001B0000-0x000000000036B000-memory.dmp	family_blackmoon
behavioral1/memory/572-19-0x00000000001B0000-0x000000000036B000-memory.dmp	family_blackmoon
behavioral1/memory/572-20-0x00000000001B0000-0x000000000036B000-memory.dmp	family_blackmoon
behavioral1/memory/572-25-0x00000000001B0000-0x000000000036B000-memory.dmp	family_blackmoon
behavioral1/memory/572-26-0x00000000001B0000-0x000000000036B000-memory.dmp	family_blackmoon

Drops startup file 1 IoCs

Processes:

3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe

UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/572-11-0x0000000000120000-0x0000000000138000-memory.dmp upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

resource	yara_rule
behavioral1/memory/572-11-0x0000000000120000-0x0000000000138000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe

pid	process
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
Token: SeBackupPrivilege	572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
Token: SeRestorePrivilege	572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
Token: SeShutdownPrivilege	572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
Token: SeCreateTokenPrivilege	572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
Token: SeTakeOwnershipPrivilege	572	3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3464397fe5b97bef1dedab8818a3f0679d555b3f0264ce6c539f45941f0b5881_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/572-11-0x0000000000120000-0x0000000000138000-memory.dmp

Filesize
96KB

Download
memory/572-10-0x00000000001B0000-0x000000000036B000-memory.dmp

Filesize
1.7MB

Download
memory/572-13-0x00000000001B0000-0x000000000036B000-memory.dmp

Filesize
1.7MB

Download
memory/572-12-0x00000000001B0000-0x000000000036B000-memory.dmp

Filesize
1.7MB

Download
memory/572-9-0x00000000001B0000-0x000000000036B000-memory.dmp

Filesize
1.7MB

Download
memory/572-7-0x000000000020B000-0x000000000020C000-memory.dmp

Filesize
4KB

Download
memory/572-6-0x00000000000F0000-0x000000000011B000-memory.dmp

Filesize
172KB

Download
memory/572-16-0x00000000001B0000-0x000000000036B000-memory.dmp

Filesize
1.7MB

Download
memory/572-17-0x00000000001B0000-0x000000000036B000-memory.dmp

Filesize
1.7MB

Download
memory/572-15-0x00000000001B0000-0x000000000036B000-memory.dmp

Filesize
1.7MB

Download
memory/572-14-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-1-0x0000000010000000-0x0000000010109000-memory.dmp

Filesize
1.0MB

Download
memory/572-19-0x00000000001B0000-0x000000000036B000-memory.dmp

Filesize
1.7MB

Download
memory/572-20-0x00000000001B0000-0x000000000036B000-memory.dmp

Filesize
1.7MB

Download
memory/572-23-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-24-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-25-0x00000000001B0000-0x000000000036B000-memory.dmp

Filesize
1.7MB

Download
memory/572-26-0x00000000001B0000-0x000000000036B000-memory.dmp

Filesize
1.7MB

Download
memory/572-27-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-28-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-32-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-33-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-36-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-37-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-40-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-41-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-45-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download
memory/572-46-0x0000000002A60000-0x0000000002AB9000-memory.dmp

Filesize
356KB

Download