Malware Analysis Report

2024-09-11 22:16

Sample ID 240615-axtbnswfnl
Target 2024-06-15_7559e0e4ac83c50c36e85106db93aaba_hacktools_icedid
SHA256 bfb24129df2368514df7e351283e77f294eb08cc97bb8820f187ee8670cbe1af
Tags
blackmoon
score
10/10

Analysis Overview

score
10/10

SHA256

bfb24129df2368514df7e351283e77f294eb08cc97bb8820f187ee8670cbe1af

Threat Level: Known bad

The file 2024-06-15_7559e0e4ac83c50c36e85106db93aaba_hacktools_icedid was found to be: Known bad.

Malicious Activity Summary

blackmoon

Blackmoon family

Detect Blackmoon payload

Detects executables packed with VMProtect.

UPX dump on OEP (original entry point)

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 00:35

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 00:35

Reported

2024-06-15 00:38

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_7559e0e4ac83c50c36e85106db93aaba_hacktools_icedid.exe"

Signatures

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_7559e0e4ac83c50c36e85106db93aaba_hacktools_icedid.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Media\xminfo.wav C:\Users\Admin\AppData\Local\Temp\2024-06-15_7559e0e4ac83c50c36e85106db93aaba_hacktools_icedid.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-15_7559e0e4ac83c50c36e85106db93aaba_hacktools_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_7559e0e4ac83c50c36e85106db93aaba_hacktools_icedid.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tl.85163.net udp
US 8.8.8.8:53 tl2.85163.net udp
US 8.8.8.8:53 t.pcpcg.com udp
US 8.8.8.8:53 t.pcpcg.com udp
US 8.8.8.8:53 t.pcpcg.com udp

Files

\天龙小蜜\运行文件\QYCJ.dll

MD5 54da9cb20347baec926b6678f8efb3ab
SHA1 18ca10861aa561c56666270cca7fd44c73c28d72
SHA256 038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390
SHA512 e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 00:35

Reported

2024-06-15 00:38

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_7559e0e4ac83c50c36e85106db93aaba_hacktools_icedid.exe"

Signatures

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Media\xminfo.wav C:\Users\Admin\AppData\Local\Temp\2024-06-15_7559e0e4ac83c50c36e85106db93aaba_hacktools_icedid.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-15_7559e0e4ac83c50c36e85106db93aaba_hacktools_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_7559e0e4ac83c50c36e85106db93aaba_hacktools_icedid.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 tl.85163.net udp
US 8.8.8.8:53 tl2.85163.net udp
CN 101.200.217.135:1010 tl2.85163.net tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
CN 139.196.231.11:1010 tl.85163.net tcp
US 8.8.8.8:53 t.pcpcg.com udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\天龙小蜜\运行文件\QYCJ.dll

MD5 54da9cb20347baec926b6678f8efb3ab
SHA1 18ca10861aa561c56666270cca7fd44c73c28d72
SHA256 038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390
SHA512 e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

C:\天龙小蜜\运行文件\SoftXLic.ini

MD5 2810535ea287b1c72fb0033b284e9f2d
SHA1 0ee2e6196c0fdc3334ac90457263c2d654eb3d2a
SHA256 c0189d30487d7b98b3fa228ab135da25d72fd4fa4673fd1baaf370f4a54fa7d9
SHA512 20422ef6840e6be643be2d5cb4504a9d5b1b29bac9a0611d6c33f58a94f51f64f3d32786399024c6024ab4e4f53b3b5e55d1c13396ce119d28af4149fcf228f6