Analysis

  • max time kernel
    153s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    10-10-2023 20:53

General

  • Target

    2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe

  • Size

    4.0MB

  • MD5

    e8df7f21de1a5b5c02f7a938248a4eee

  • SHA1

    78aeba0b6170d8b8ef9890e131cd85d7e68a3b2d

  • SHA256

    92a9266a0c9d6a31670cd87db06f10fa65b936c77e6e94a38e86219f91df3098

  • SHA512

    faec10b43975f7f46c0ad3dccd7d008d372bc7d187cf1e9e2bf564949240a30aeeeb3c97a2b59a497eaa815f6e75cc30c2d4e95da3dd1f8f1f3824c974f60acf

  • SSDEEP

    98304:ALkCqK9jITuvn4LNfYWVV0FLOAkGkzdnEVomFHKnPn:UkCqM5AnV0FLOyomFHKnPn

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 5 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-08-26_e8df7f21de1a5b5c02f7a938248a4eee_icedid_JC.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe
      -auto
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1696
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2800
  • C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe
    C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe Service 1
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe
      -OBJECT1
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe

    Filesize

    4.0MB

    MD5

    e8df7f21de1a5b5c02f7a938248a4eee

    SHA1

    78aeba0b6170d8b8ef9890e131cd85d7e68a3b2d

    SHA256

    92a9266a0c9d6a31670cd87db06f10fa65b936c77e6e94a38e86219f91df3098

    SHA512

    faec10b43975f7f46c0ad3dccd7d008d372bc7d187cf1e9e2bf564949240a30aeeeb3c97a2b59a497eaa815f6e75cc30c2d4e95da3dd1f8f1f3824c974f60acf

  • C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe

    Filesize

    4.0MB

    MD5

    e8df7f21de1a5b5c02f7a938248a4eee

    SHA1

    78aeba0b6170d8b8ef9890e131cd85d7e68a3b2d

    SHA256

    92a9266a0c9d6a31670cd87db06f10fa65b936c77e6e94a38e86219f91df3098

    SHA512

    faec10b43975f7f46c0ad3dccd7d008d372bc7d187cf1e9e2bf564949240a30aeeeb3c97a2b59a497eaa815f6e75cc30c2d4e95da3dd1f8f1f3824c974f60acf

  • C:\Windows\SysWOW64\wIEtYKLUkYhyQ.exe

    Filesize

    4.0MB

    MD5

    e8df7f21de1a5b5c02f7a938248a4eee

    SHA1

    78aeba0b6170d8b8ef9890e131cd85d7e68a3b2d

    SHA256

    92a9266a0c9d6a31670cd87db06f10fa65b936c77e6e94a38e86219f91df3098

    SHA512

    faec10b43975f7f46c0ad3dccd7d008d372bc7d187cf1e9e2bf564949240a30aeeeb3c97a2b59a497eaa815f6e75cc30c2d4e95da3dd1f8f1f3824c974f60acf

  • \Windows\SysWOW64\wIEtYKLUkYhyQ.exe

    Filesize

    4.0MB

    MD5

    e8df7f21de1a5b5c02f7a938248a4eee

    SHA1

    78aeba0b6170d8b8ef9890e131cd85d7e68a3b2d

    SHA256

    92a9266a0c9d6a31670cd87db06f10fa65b936c77e6e94a38e86219f91df3098

    SHA512

    faec10b43975f7f46c0ad3dccd7d008d372bc7d187cf1e9e2bf564949240a30aeeeb3c97a2b59a497eaa815f6e75cc30c2d4e95da3dd1f8f1f3824c974f60acf

  • \Windows\SysWOW64\wIEtYKLUkYhyQ.exe

    Filesize

    4.0MB

    MD5

    e8df7f21de1a5b5c02f7a938248a4eee

    SHA1

    78aeba0b6170d8b8ef9890e131cd85d7e68a3b2d

    SHA256

    92a9266a0c9d6a31670cd87db06f10fa65b936c77e6e94a38e86219f91df3098

    SHA512

    faec10b43975f7f46c0ad3dccd7d008d372bc7d187cf1e9e2bf564949240a30aeeeb3c97a2b59a497eaa815f6e75cc30c2d4e95da3dd1f8f1f3824c974f60acf

  • memory/2756-9-0x0000000000320000-0x000000000032B000-memory.dmp

    Filesize

    44KB

  • memory/2756-10-0x0000000000320000-0x000000000032B000-memory.dmp

    Filesize

    44KB

  • memory/2756-11-0x0000000000320000-0x000000000032B000-memory.dmp

    Filesize

    44KB