Analysis
Max time kernel: 122s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 30-06-2024 02:57
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-30_e711531569d2e446c3501c635b41e89c_icedid_magniber_sakula.exe
  Resource: win7-20240220-en
General
Target: 2024-06-30_e711531569d2e446c3501c635b41e89c_icedid_magniber_sakula.exe
Size: 22.3MB
MD5: e711531569d2e446c3501c635b41e89c
SHA1: e414d12a763ac179385df2da92267946540a4cbb
SHA256: 57522c2c58604834f1f1e7236d63a375503a788b805a47df738ae3663388a4bb
SHA512: ce0f1b8a3618be5a63cf69d8cab54e1a9bb368a5952214cad2a71ed14acbd1d910a56c5c34465bf1eda92040ac61d459e64ba3e3ff1835bca5796b22ad583a5c
SSDEEP: 393216:sY9mGvCEJi1BEmEC0QuImhIKjWcgjB8IU7oKrZAQMu4G+56d0jSBufcOIlXESZ8K:sYsYCEJi1BEnvQu7vja8IDKrZMu4GwjA
Malware Config
Signatures
Detect Blackmoon payload (2 IoCs)
Resource / yara_rule:
- \Users\Admin\Documents\Tomcat.exe: family_blackmoon
- behavioral1/memory/2756-28-0x0000000000CF0000-0x0000000000F3E000-memory.dmp: family_blackmoon

Drops startup file (1 IoC)
Processes:
- Tomcat.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk

Executes dropped EXE (1 IoC)
Processes:
- PID 2756 Tomcat.exe

Loads dropped DLL (3 IoCs)
Processes:
- PID 2496 2024-06-30_e711531569d2e446c3501c635b41e89c_icedid_magniber_sakula.exe
- PID 2756 Tomcat.exe (x2)

Resource / yara_rule:
- behavioral1/memory/2496-1-0x0000000010000000-0x0000000010014000-memory.dmp: upx
- behavioral1/memory/2756-21-0x00000000004D0000-0x00000000004E8000-memory.dmp: upx

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
- PID 2496 2024-06-30_e711531569d2e446c3501c635b41e89c_icedid_magniber_sakula.exe (x2)
- PID 2756 Tomcat.exe (x13)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes (token privileges enabled by PID 2756 Tomcat.exe):
- SeDebugPrivilege
- SeLockMemoryPrivilege
- SeCreateGlobalPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeCreateTokenPrivilege
- SeTakeOwnershipPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 2496 2024-06-30_e711531569d2e446c3501c635b41e89c_icedid_magniber_sakula.exe (x2)

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
- PID 2496 2024-06-30_e711531569d2e446c3501c635b41e89c_icedid_magniber_sakula.exe wrote to memory of PID 2756 Tomcat.exe (x4)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-06-30_e711531569d2e446c3501c635b41e89c_icedid_magniber_sakula.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-30_e711531569d2e446c3501c635b41e89c_icedid_magniber_sakula.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Documents\Tomcat.exe (child of 1)
      Command line: "C:\Users\Admin\Documents\Tomcat.exe"
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\Documents\conf.ini
Filesize: 226B
MD5: 768e73f80e36c330c69601f4cb724810
SHA1: ce56dcd9a6e73fea3c8d33011eaa1557d1e5cdfb
SHA256: 94f54f53720bb8fd50dd8c91cc630b9f1c3ff4be0ea0383b3749b84a5417b0cf
SHA512: f6563f2dbcc8e3503f938827f4aafe4983a48b5d5f2537850632b8fe99f0a4cc7b00863bf63aa1b74545b0cf469ea7533b9c7ca37e9877fd83dbb0669d3bc88c

\Users\Admin\AppData\Roaming\Ling\malloc\L_mimalloc.dll
Filesize: 148KB
MD5: 051d69a619adca3472e8d7c9b0c0eb5c
SHA1: 6cc795ac90e43e408919e19ba6f5633863560459
SHA256: feefc12464985e2057a4cbd54117e9414f2e00a284106fa38b62d63052a1f7dd
SHA512: 50daa3344aa4d86cdd22cf5736eec993467e6574c5e341cd0fd95757c739e167b6e76c744b29ae302d08c88d469fea0767640a9257f54f9dec2c5fbb87c23b71

\Users\Admin\Documents\Tomcat.exe
Filesize: 2.2MB
MD5: aad4360f411a6d350f1b5b3c01526ae3
SHA1: 259f5168038ae9beef7b2e98b5ae58eb46718b21
SHA256: 6b894a62bb0892ad1cdd5b71ba976b974b343778e4860e55759d4cf89da2ee76
SHA512: 6891f91e0f760f61303026867c91c37d63c0a5fda7687d6f07d171be2672b9811ef9aa59bca790c78ca3a3659784cea8ac5bc37b5bca5f5110592c275084cadc

memory/2496-1-0x0000000010000000-0x0000000010014000-memory.dmp
Filesize: 80KB

memory/2756-8-0x0000000010000000-0x0000000010109000-memory.dmp
Filesize: 1.0MB

memory/2756-14-0x0000000000130000-0x000000000015B000-memory.dmp
Filesize: 172KB

memory/2756-21-0x00000000004D0000-0x00000000004E8000-memory.dmp
Filesize: 96KB

memory/2756-22-0x0000000000560000-0x00000000005B9000-memory.dmp
Filesize: 356KB

memory/2756-27-0x0000000000560000-0x00000000005B9000-memory.dmp
Filesize: 356KB

memory/2756-28-0x0000000000CF0000-0x0000000000F3E000-memory.dmp
Filesize: 2.3MB