File name: 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f

Full analysis: https://app.any.run/tasks/0c7f0a57-6e52-4f34-8539-f11af1b4c5ef
Verdict: Malicious activity
Threats:

BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.

Analysis date: December 06, 2024, 14:08:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
ip-check
blackmoon
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: BE790674034849EF38EA2B5C100766D9
SHA1: 9A8D9E0F208AA0A026EFFD80BD792E31AB3AC3B6
SHA256: 1D5F1309B47F894A9ED5BAD8965CDC789AB61F39CCE507CD663925EE0798CC0F
SSDEEP: 98304:OXA02zmKMbChyoIa7ec/c9dmXZVCwSoO4wFuF+CQXWlTifjqRk0ev6PumEOxVt4V:DSHLqAfP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BLACKMOON has been detected (YARA)

      • cmmon32.exe (PID: 5316)
  • SUSPICIOUS

    • Accesses video controller name via WMI (SCRIPT)

      • cmmon32.exe (PID: 5316)
    • Accesses WMI object caption (SCRIPT)

      • cmmon32.exe (PID: 5316)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cmmon32.exe (PID: 5316)
    • There is functionality for capture public ip (YARA)

      • cmmon32.exe (PID: 5316)
    • There is functionality for taking screenshot (YARA)

      • cmmon32.exe (PID: 5316)
    • Mutex name with non-standard characters

      • cmmon32.exe (PID: 5316)
    • Potential Corporate Privacy Violation

      • cmmon32.exe (PID: 5316)
    • Connects to the server without a host name

      • cmmon32.exe (PID: 5316)
  • INFO

    • Checks supported languages

      • 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe (PID: 6012)
    • Reads the software policy settings

      • cmmon32.exe (PID: 5316)
    • Checks proxy server information

      • cmmon32.exe (PID: 5316)
    • Disables trace logs

      • cmmon32.exe (PID: 5316)
    • Reads security settings of Internet Explorer

      • cmmon32.exe (PID: 5316)
    • UPX packer has been detected

      • cmmon32.exe (PID: 5316)
    • Changes appearance of the Explorer extensions

      • cmmon32.exe (PID: 5316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:25 08:38:18+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 659456
InitializedDataSize: 6483968
UninitializedDataSize: -
EntryPoint: 0xbcfd9c
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 12
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe upnpcont.exe no specs pickerhost.exe no specs isoburn.exe no specs runonce.exe no specs gpscript.exe no specs esentutl.exe no specs cmdl32.exe no specs sdchange.exe no specs userinit.exe no specs #BLACKMOON cmmon32.exe 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe no specs

Process information

PID: 236 | CMD: isoburn.exe | Path: C:\Windows\SysWOW64\isoburn.exe | Parent process: 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Disc Image Burning Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\isoburn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 1520 | CMD: sdchange.exe | Path: C:\Windows\SysWOW64\sdchange.exe | Parent process: 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Remote Assistance SD Server
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\sdchange.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 1732 | CMD: PickerHost.exe | Path: C:\Windows\SysWOW64\PickerHost.exe | Parent process: 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: File Picker UI Host
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\pickerhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 3464 | CMD: userinit.exe | Path: C:\Windows\SysWOW64\userinit.exe | Parent process: 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Userinit Logon Application
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\userinit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 4428 | CMD: esentutl.exe | Path: C:\Windows\SysWOW64\esentutl.exe | Parent process: 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\esentutl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 4528 | CMD: upnpcont.exe | Path: C:\Windows\SysWOW64\upnpcont.exe | Parent process: 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: UPnP Device Host Container
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\upnpcont.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 5316 | CMD: cmmon32.exe | Path: C:\Windows\SysWOW64\cmmon32.exe | Parent process: 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Connection Manager Monitor
Version: 7.2.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmmon32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID: 5340 | CMD: runonce.exe | Path: C:\Windows\SysWOW64\runonce.exe | Parent process: 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Run Once Wrapper
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 5400 | CMD: cmdl32.exe | Path: C:\Windows\SysWOW64\cmdl32.exe | Parent process: 1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Connection Manager Auto-Download
Exit code: 0
Version: 7.2.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmdl32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 6012 | CMD: "C:\Users\admin\Desktop\1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe" | Path: C:\Users\admin\Desktop\1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe | Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\desktop\1d5f1309b47f894a9ed5bad8965cdc789ab61f39cce507cd663925ee0798cc0f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events: 4 311
Read events: 4 046
Write events: 265
Delete events: 0

Modification events

(PID) Process: (5316) cmmon32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation: write | Name: JITDebug | Value: 0

(PID) Process: (5316) cmmon32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\cmstp.exe
Operation: write | Name: JScriptSetScriptStateStarted | Value: 1E9D130000000000

(PID) Process: (5316) cmmon32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: EnableFileTracing | Value: 0

(PID) Process: (5316) cmmon32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: EnableAutoFileTracing | Value: 0

(PID) Process: (5316) cmmon32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: EnableConsoleTracing | Value: 0

(PID) Process: (5316) cmmon32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: FileTracingMask | Value:

(PID) Process: (5316) cmmon32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: ConsoleTracingMask | Value:

(PID) Process: (5316) cmmon32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: MaxFileSize | Value: 1048576

(PID) Process: (5316) cmmon32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: FileDirectory | Value: %windir%\tracing

(PID) Process: (5316) cmmon32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Operation: write | Name: CheckedValue | Value: 0
Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5316 | cmmon32.exe | C:\YYDS\Config.ini | text
MD5: C931DE02027E8659C92CA0EA6150D48E
SHA256: 75F91843D5838BC38F46AC6186CD3C30703B32E392E5D0D674628F96BFB3B5B5
5316 | cmmon32.exe | C:\NNC | text
MD5: F899139DF5E1059396431415E770C6DD
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 18
TCP/UDP connections: 21
DNS requests: 9
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
| | GET | 200 | 23.48.23.192:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.192:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
880 | svchost.exe | GET | 200 | 23.48.23.192:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
| | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
| | GET | 200 | 203.205.255.185:443 | https://u.y.qq.com/cgi-bin/musicu.fcg | unknown |
5316 | cmmon32.exe | GET | 200 | 112.34.112.38:80 | http://qifu-api.baidubce.com/ip/geo/v1/district?ip=197.26.191.56 | unknown | unknown
5316 | cmmon32.exe | POST | 200 | 112.74.35.32:80 | http://112.74.35.32/PPXNEW.asp | unknown | unknown
5316 | cmmon32.exe | POST | 200 | 112.74.35.32:80 | http://112.74.35.32/PPXNEW.asp | unknown | unknown
5316 | cmmon32.exe | POST | 200 | 112.74.35.32:80 | http://112.74.35.32/PPXNEW.asp | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 23.48.23.192:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.192:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
880 | svchost.exe | 23.48.23.192:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
| | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
880 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5316 | cmmon32.exe | 203.205.255.185:443 | u.y.qq.com | Tencent Building, Kejizhongyi Avenue | HK | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 172.217.18.14 | whitelisted
crl.microsoft.com | 23.48.23.192, 23.48.23.193, 23.48.23.178, 23.48.23.180, 23.48.23.194, 23.48.23.188, 23.48.23.176, 23.48.23.185, 23.48.23.190 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
u.y.qq.com | 203.205.255.185 | whitelisted
2024.ip138.com | 174.35.118.62 | unknown
vv.video.qq.com | 129.226.102.98 | whitelisted
qifu-api.baidubce.com | 112.34.112.38, 182.61.62.106, 39.156.66.4, 124.237.176.106, 111.206.209.154, 110.242.68.112, 182.61.200.153 | unknown
self.events.data.microsoft.com | 52.182.143.215 | whitelisted

Threats

PID | Process | Class | Message
5316 | cmmon32.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0
5316 | cmmon32.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0
No debug info