Analysis

max time kernel     153s
max time network    172s
platform            windows7_x64
resource            win7-20230831-en
resource tags       arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted           10-10-2023 20:53

Behavioral task     behavioral1
Sample              2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe
Resource            win7-20230831-en
General

Target    2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe
Size      4.0MB
MD5       e8df7f21de1a5b5c02f7a938248a4eee
SHA1      78aeba0b6170d8b8ef9890e131cd85d7e68a3b2d
SHA256    92a9266a0c9d6a31670cd87db06f10fa65b936c77e6e94a38e86219f91df3098
SHA512    faec10b43975f7f46c0ad3dccd7d008d372bc7d187cf1e9e2bf564949240a30aeeeb3c97a2b59a497eaa815f6e75cc30c2d4e95da3dd1f8f1f3824c974f60acf
SSDEEP    98304:ALkCqK9jITuvn4LNfYWVV0FLOAkGkzdnEVomFHKnPn:UkCqM5AnV0FLOyomFHKnPn
Malware Config
Signatures

Detect Blackmoon payload (5 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x000900000001201f-1.dat   family_blackmoon
  behavioral1/files/0x000900000001201f-4.dat   family_blackmoon
  behavioral1/files/0x000900000001201f-5.dat   family_blackmoon
  behavioral1/files/0x000900000001201f-6.dat   family_blackmoon
  behavioral1/files/0x000900000001201f-8.dat   family_blackmoon

Deletes itself (1 IoCs)
  pid    Process
  2800   cmd.exe

Executes dropped EXE (3 IoCs)
  pid    Process
  1696   wIEtYKLUkYhyQ.exe
  2220   wIEtYKLUkYhyQ.exe
  2756   wIEtYKLUkYhyQ.exe

Loads dropped DLL (2 IoCs)
  pid    Process
  2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe
  2220   wIEtYKLUkYhyQ.exe

upx yara rule matches (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2756-9-0x0000000000320000-0x000000000032B000-memory.dmp    upx
  behavioral1/memory/2756-10-0x0000000000320000-0x000000000032B000-memory.dmp   upx
  behavioral1/memory/2756-11-0x0000000000320000-0x000000000032B000-memory.dmp   upx

Drops file in System32 directory (2 IoCs)
  description                    ioc                                     Process
  File created                   C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe
  File opened for modification   C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                         pid    Process
  Token: SeIncBasePriorityPrivilege   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid    Process
  2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe
  1696   wIEtYKLUkYhyQ.exe
  2220   wIEtYKLUkYhyQ.exe
  2756   wIEtYKLUkYhyQ.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid    Process                                                     procid_target
  PID 2300 wrote to memory of 1696   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe   29
  PID 2300 wrote to memory of 1696   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe   29
  PID 2300 wrote to memory of 1696   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe   29
  PID 2300 wrote to memory of 1696   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe   29
  PID 2300 wrote to memory of 1696   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe   29
  PID 2300 wrote to memory of 1696   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe   29
  PID 2300 wrote to memory of 1696   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe   29
  PID 2300 wrote to memory of 2800   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe   30
  PID 2300 wrote to memory of 2800   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe   30
  PID 2300 wrote to memory of 2800   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe   30
  PID 2300 wrote to memory of 2800   2300   2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe   30
  PID 2220 wrote to memory of 2756   2220   wIEtYKLUkYhyQ.exe                                           33
  PID 2220 wrote to memory of 2756   2220   wIEtYKLUkYhyQ.exe                                           33
  PID 2220 wrote to memory of 2756   2220   wIEtYKLUkYhyQ.exe                                           33
  PID 2220 wrote to memory of 2756   2220   wIEtYKLUkYhyQ.exe                                           33
  PID 2220 wrote to memory of 2756   2220   wIEtYKLUkYhyQ.exe                                           33
  PID 2220 wrote to memory of 2756   2220   wIEtYKLUkYhyQ.exe                                           33
  PID 2220 wrote to memory of 2756   2220   wIEtYKLUkYhyQ.exe                                           33
Processes

C:\Users\Admin\AppData\Local\Temp\2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe  (PID 2300, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe"
  Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe  (PID 1696, depth 2)
    Command line: -auto
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe  (PID 2800, depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
    Signatures: Deletes itself

C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe  (PID 2220, depth 1)
  Command line: C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe Service 1
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe  (PID 2756, depth 2)
    Command line: -OBJECT1
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  4.0MB
MD5       e8df7f21de1a5b5c02f7a938248a4eee
SHA1      78aeba0b6170d8b8ef9890e131cd85d7e68a3b2d
SHA256    92a9266a0c9d6a31670cd87db06f10fa65b936c77e6e94a38e86219f91df3098
SHA512    faec10b43975f7f46c0ad3dccd7d008d372bc7d187cf1e9e2bf564949240a30aeeeb3c97a2b59a497eaa815f6e75cc30c2d4e95da3dd1f8f1f3824c974f60acf