Analysis Overview
SHA256
5b1b08a4b4ce88ba1181b53b70f8a03d11726ce18869cc14ff4d7832a6ae0acb
Threat Level: Known bad
The file Tomcat.bin was found to be: Known bad.
Malicious Activity Summary
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
Drops startup file
UPX packed file
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2024-06-14 08:28
Signatures
Blackmoon family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
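The two static signatures above ("UPX packed file", "Unsigned PE") come down to two header checks: do the section names look like UPX's defaults, and is the Authenticode certificate directory empty. The following is an added example of those checks, not the sandbox's own detection code; the header-only PE32 image that build_pe() produces is constructed to exercise the parser and is not Tomcat.bin. Point the script at a real file to run the same checks against it.

```python
"""Static checks behind the "UPX packed file" and "Unsigned PE" signatures:
walk the PE headers, look for UPX section names and test whether the
Authenticode (security) data directory is populated.  Added example; the
minimal PE32 image built by build_pe() is constructed test data."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # slot of the certificate table


def parse_pe(data: bytes) -> dict:
    """Return section names and the security directory (offset, size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    sec_off = sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories, the security entry holds a raw file
        # offset rather than an RVA: the certificate table is never mapped.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    names = []
    hdr = opt + size_opt                          # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(nsec):
        raw = data[hdr + 40 * i: hdr + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"sections": names, "security_dir": (sec_off, sec_size)}


def is_upx_packed(info: dict) -> bool:
    """Default UPX section names are UPX0/UPX1 (UPX2 for resources).  A
    repacked or renamed sample defeats this name check, so treat it as a
    hint and confirm with section entropy or UPX's own 'UPX!' marker."""
    return any(n.upper().startswith("UPX") for n in info["sections"])


def is_unsigned(info: dict) -> bool:
    """An empty certificate table means no Authenticode signature at all.
    A populated one only says a signature blob exists; validity and chain
    still need WinVerifyTrust (signtool verify /pa)."""
    return info["security_dir"][1] == 0


def build_pe(section_names, signed: bool) -> bytes:
    """Construct a header-only PE32 image (constructed test data, no code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if signed:                                              # fake certificate table entry
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    sections = b"".join(
        name.encode().ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_pe(["UPX0", "UPX1", ".rsrc"], signed=False))
    info = parse_pe(blob)
    print(info, "upx:", is_upx_packed(info), "unsigned:", is_unsigned(info))
```

Run it as `python pecheck.py Tomcat.bin` to test a real sample; with no argument it checks the constructed image. Both checks are deliberately cheap and deliberately weak on their own: a renamed packer or a present-but-invalid signature passes them, which is why the sandbox pairs them with the behavioral run below.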
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 08:28
Reported
2024-06-14 08:30
Platform
win10v2004-20240508-ja
Max time kernel
66s
Max time network
73s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk | C:\Users\Admin\AppData\Local\Temp\Tomcat.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
The rows below are the privileges the sample asked AdjustTokenPrivileges to enable. A privilege that is not already present in the process token cannot be added this way (the call returns ERROR_NOT_ALL_ASSIGNED), and for a standard-user run most of those listed are absent, so this records intent rather than confirmed capability. The one that matters most if it is held is SeDebugPrivilege, which lets the process open other processes for memory access and injection.
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tomcat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tomcat.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tomcat.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tomcat.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tomcat.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tomcat.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tomcat.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tomcat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tomcat.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Tomcat.exe
"C:\Users\Admin\AppData\Local\Temp\Tomcat.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
This rundll32 instance is the Windows shell hosting an out-of-process COM server (the -Embedding switch marks a COM activation, not a user launch); it is a legitimate mechanism and not by itself an indicator. It is worth correlating with the Startup\WPS.lnk drop above, since shortcut creation through the shell's COM interfaces is one way such a server gets activated.
Network
Four TCP connections to the same endpoint, reached by IP with no DNS lookup recorded (hence the empty Domain column).
| Country | Destination | Domain | Proto |
| HK | 206.238.115.178:3760 | | tcp |
| HK | 206.238.115.178:3760 | | tcp |
| HK | 206.238.115.178:3760 | | tcp |
| HK | 206.238.115.178:3760 | | tcp |
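The behavioral section gives three indicators a defender can hunt for directly: a shortcut written into a Start Menu Startup folder, sensitive privileges enabled on a process token, and outbound TCP to the listed C2 endpoint. The following is an added example of that hunting logic, not the sandbox's own code. It runs over constructed key=value renderings of Sysmon events 11 and 3 and Security event 4703 (field names follow those event schemas; the log lines themselves are made up to mirror this report, and the benign lines use a TEST-NET address).

```python
"""Hunting rules for the behavioral indicators in this report, run over
constructed Sysmon/Security-style events (added example, not sandbox
output).  Rules: a .lnk written to a Startup folder (Sysmon 11), a sensitive
privilege enabled on a process token (Security 4703), and an outbound
connection to the reported C2 endpoint (Sysmon 3)."""
import re
from dataclasses import dataclass
from typing import Optional

# From the report's Network table; extend with your own intel.
C2_ENDPOINTS = {("206.238.115.178", 3760)}
# Matches both the per-user (AppData\Roaming\...) and all-users
# (ProgramData\...) Startup folders.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
                   "SeRestorePrivilege", "SeCreateTokenPrivilege"}
# key=value pairs whose values may themselves contain spaces (paths, lists).
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed events modelled on this report; not real log lines.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Users\Admin\AppData\Local\Temp\Tomcat.exe TargetFilename=C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk",
    r"EventID=11 Image=C:\Program Files\Kingsoft\WPS Office\setup.exe TargetFilename=C:\Users\Admin\Desktop\WPS Office.lnk",
    r"EventID=4703 ProcessName=C:\Users\Admin\AppData\Local\Temp\Tomcat.exe EnabledPrivilegeList=SeDebugPrivilege SeLockMemoryPrivilege",
    r"EventID=4703 ProcessName=C:\Windows\System32\svchost.exe EnabledPrivilegeList=SeChangeNotifyPrivilege",
    r"EventID=3 Image=C:\Users\Admin\AppData\Local\Temp\Tomcat.exe Protocol=tcp DestinationIp=206.238.115.178 DestinationPort=3760",
    r"EventID=3 Image=C:\Windows\System32\svchost.exe Protocol=tcp DestinationIp=203.0.113.10 DestinationPort=443",
]


@dataclass
class Hit:
    rule: str
    process: str
    indicator: str


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict, keeping spaces inside values."""
    return {k: v for k, v in KV.findall(line)}


def check_event(ev: dict) -> Optional[Hit]:
    """Apply the three rules to one parsed event; return the first match."""
    eid = ev.get("EventID")
    if eid == "11" and STARTUP_LNK.search(ev.get("TargetFilename", "")):
        return Hit("startup_lnk_drop", ev.get("Image", "?"), ev["TargetFilename"])
    if eid == "4703":
        enabled = set(ev.get("EnabledPrivilegeList", "").split()) & SENSITIVE_PRIVS
        if enabled:
            return Hit("sensitive_privilege_enabled", ev.get("ProcessName", "?"),
                       ",".join(sorted(enabled)))
    if eid == "3" and ev.get("Protocol") == "tcp":
        dest = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
        if dest in C2_ENDPOINTS:
            return Hit("known_c2_connection", ev.get("Image", "?"), f"{dest[0]}:{dest[1]}")
    return None


def hunt(lines) -> list:
    """Return the hits for a sequence of raw event lines."""
    return [h for h in (check_event(parse_event(line)) for line in lines) if h]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.rule:28} {hit.process}  ->  {hit.indicator}")
```

The Startup-folder rule fires on the WPS.lnk drop but not on a desktop shortcut created by an installer, and the privilege rule ignores SeChangeNotifyPrivilege, which every process holds. Note that event 4703 only tells you a privilege was enabled, so it confirms more than the sandbox's AdjustPrivilegeToken signature does; it still needs to be correlated with the process image, as the benign svchost.exe line shows.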
Files
memory/4800-0-0x0000000010000000-0x0000000010109000-memory.dmp
memory/4800-6-0x0000000000C2D000-0x0000000000C2E000-memory.dmp
memory/4800-7-0x0000000000BE0000-0x0000000000DD7000-memory.dmp
memory/4800-10-0x0000000000BE0000-0x0000000000DD7000-memory.dmp
memory/4800-9-0x0000000003080000-0x0000000003098000-memory.dmp
memory/4800-11-0x0000000000BE0000-0x0000000000DD7000-memory.dmp
memory/4800-12-0x00000000037D0000-0x0000000003829000-memory.dmp
memory/4800-13-0x0000000000BE0000-0x0000000000DD7000-memory.dmp
memory/4800-14-0x00000000037D0000-0x0000000003829000-memory.dmp
memory/4800-15-0x00000000037D0000-0x0000000003829000-memory.dmp
memory/4800-17-0x00000000037D0000-0x0000000003829000-memory.dmp
memory/4800-18-0x00000000037D0000-0x0000000003829000-memory.dmp
memory/4800-19-0x00000000037D0000-0x0000000003829000-memory.dmp
memory/4800-20-0x00000000037D0000-0x0000000003829000-memory.dmp