Analysis
max time kernel: 145s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 05/09/2024, 17:25
Static task: static1
Behavioral task: behavioral1
Sample: 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
Resource: win7-20240704-en
General
Target: 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
Size: 21.3MB
MD5: 88e5f7fcb3a6b6f2ebb54bbdaae394e5
SHA1: a1797481b116c8f9d6dbf72b538ec200528a0aa4
SHA256: db12041535a38a59fc09b85f67302cbc9859b0f444c5fa677bcfd4f4f3b8e303
SHA512: c8de757766df4c27f092320f07906886cb3a4e39eea82f9da5abcf0f9555c8eaa9e3c333321e5738066368584c5c2b75528b27bd92a08f833b2c05b0d3ae1aad
SSDEEP: 196608:w1zsKFJndotUVMbUJfF7PD2pbJ6VszmYN8jqqw8o3BNYtRlR:WPFJm6VorNk28o3gtRj
Malware Config
Signatures
- Detect Blackmoon payload (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x000700000001925d-4.dat | family_blackmoon
  behavioral1/memory/2228-36-0x0000000000BE0000-0x0000000000D9B000-memory.dmp | family_blackmoon
  behavioral1/memory/2228-53-0x0000000000BE0000-0x0000000000D9B000-memory.dmp | family_blackmoon
  behavioral1/memory/2228-64-0x0000000000BE0000-0x0000000000D9B000-memory.dmp | family_blackmoon
- Deletes itself (1 IoC)
  pid | Process
  2228 | Tomcat.exe
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk | Tomcat.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2228 | Tomcat.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  3040 | 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
  3040 | 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
  2228 | Tomcat.exe
- yara_rule upx (2 IoCs)
  resource | yara_rule
  behavioral1/memory/3040-1-0x0000000010000000-0x0000000010014000-memory.dmp | upx
  behavioral1/memory/2228-20-0x00000000002E0000-0x00000000002F8000-memory.dmp | upx
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tomcat.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3040 | 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
  3040 | 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
  2228 | Tomcat.exe (repeated for all remaining entries; 64 IoCs in total)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2228 | Tomcat.exe
  Token: SeLockMemoryPrivilege | 2228 | Tomcat.exe
  Token: SeCreateGlobalPrivilege | 2228 | Tomcat.exe
  Token: SeBackupPrivilege | 2228 | Tomcat.exe
  Token: SeRestorePrivilege | 2228 | Tomcat.exe
  Token: SeShutdownPrivilege | 2228 | Tomcat.exe
  Token: SeCreateTokenPrivilege | 2228 | Tomcat.exe
  Token: SeTakeOwnershipPrivilege | 2228 | Tomcat.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  3040 | 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
  3040 | 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3040 wrote to memory of 2228 | 3040 | 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe | 30
  (the same entry is recorded four times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe"
  PID: 3040
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\Documents\Tomcat.exe (child of [1])
    Command line: "C:\Users\Admin\Documents\Tomcat.exe"
    PID: 2228
    - Deletes itself
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
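As an added triage example (this is not part of the tria.ge report and not tria.ge's own signature engine), the Python below re-derives the behavioural signatures listed above from a constructed event stream that mirrors the process tree: the sample (PID 3040) drops and starts Tomcat.exe (PID 2228), which opens the NLS\Language key, writes WPS.lnk into the Startup folder, enables eight token privileges and deletes its own image. The Event schema, the event kind names and the matching rules are assumptions made for illustration; the paths, key and privilege names come from the report.

```python
"""Added example: re-derive the report's behavioural signatures from a
constructed event stream (not tria.ge code; the Event schema is assumed)."""
from dataclasses import dataclass
from typing import Iterable

# Indicators taken from the report above.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe")
DROPPED = r"C:\Users\Admin\Documents\Tomcat.exe"
STARTUP_LNK = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\WPS.lnk")
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
# Privileges the dropped Tomcat.exe enabled on its token (from the report).
RISKY_PRIVS = frozenset({
    "SeDebugPrivilege", "SeLockMemoryPrivilege", "SeCreateGlobalPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege",
    "SeCreateTokenPrivilege", "SeTakeOwnershipPrivilege",
})


@dataclass(frozen=True)
class Event:
    """One sandbox/EDR record (assumed schema). kind is one of:
    process_create, file_create, file_delete, reg_open, adjust_priv, write_memory."""
    kind: str
    pid: int
    image: str        # full path of the acting process
    target: str = ""  # file path, registry key, privilege name, or target pid
    ppid: int = 0


def triage(events: Iterable[Event]) -> dict[str, list]:
    """Map events onto the signature names used in the report."""
    findings: dict[str, list] = {}
    dropped_exes: set[str] = set()  # lowercase paths of executables written to disk

    def hit(name: str, value) -> None:
        findings.setdefault(name, []).append(value)

    for ev in events:
        tgt = ev.target.lower()
        if ev.kind == "file_create":
            if tgt.endswith(".exe"):
                dropped_exes.add(tgt)
            # ATT&CK T1547.001: anything written under the per-user Startup folder
            if "\\start menu\\programs\\startup\\" in tgt:
                hit("Drops startup file", ev.target)
        elif ev.kind == "process_create" and ev.image.lower() in dropped_exes:
            hit("Executes dropped EXE", ev.pid)
        elif ev.kind == "file_delete" and tgt == ev.image.lower():
            hit("Deletes itself", ev.pid)
        elif ev.kind == "reg_open" and tgt.endswith("\\control\\nls\\language"):
            # ATT&CK T1614.001
            hit("System Location Discovery: System Language Discovery", ev.pid)
        elif ev.kind == "adjust_priv" and ev.target in RISKY_PRIVS:
            hit("Suspicious use of AdjustPrivilegeToken", ev.target)
        elif ev.kind == "write_memory":
            hit("Suspicious use of WriteProcessMemory", (ev.pid, int(ev.target)))
    return findings


def process_tree(events: Iterable[Event]) -> dict[int, list[int]]:
    """Parent pid -> child pids, from process_create events."""
    tree: dict[int, list[int]] = {}
    for ev in events:
        if ev.kind == "process_create" and ev.ppid:
            tree.setdefault(ev.ppid, []).append(ev.pid)
    return tree


# Constructed event stream mirroring the report's process tree (not real telemetry).
EVENTS = [
    Event("process_create", 3040, SAMPLE),
    Event("reg_open", 3040, SAMPLE, LANG_KEY),
    Event("file_create", 3040, SAMPLE, DROPPED),
    Event("process_create", 2228, DROPPED, ppid=3040),
    Event("write_memory", 3040, SAMPLE, "2228"),
    Event("reg_open", 2228, DROPPED, LANG_KEY),
    Event("file_create", 2228, DROPPED, STARTUP_LNK),
    Event("file_delete", 2228, DROPPED, DROPPED),
] + [Event("adjust_priv", 2228, DROPPED, p) for p in sorted(RISKY_PRIVS)]

if __name__ == "__main__":
    for name, values in triage(EVENTS).items():
        print(f"{name}: {values}")
    print("process tree:", process_tree(EVENTS))
```

The "Deletes itself" rule here is a simplification (a file_delete whose target equals the deleting process's own image); the sandbox's real rule is its own and may also catch deferred deletion via a helper process. The privilege list is worth keeping as a standalone hunt: SeDebugPrivilege plus SeTakeOwnershipPrivilege and SeRestorePrivilege being enabled together by a process started from a user's Documents folder is rarely benign.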
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 218B
  MD5: 0da3fe479e80097442bd49221a6b350a
  SHA1: b6282b7a231ae343addda71355e87893e1ad5824
  SHA256: e1ec86f4e5d584cb2b4659164cd3b409b99756742a95814dfcdfecffa164ab1e
  SHA512: 30360772ac29aa3d3f8cf243605b25d7871ca771832123785a3d17861495884d2d063436f6b0ee7528c06558f2db3d2b4d6b9d4768d667b5f6887f41f18f6992
- Filesize: 225B
  MD5: 27d0fbd1ec2e45fcb3b188759f00ca69
  SHA1: 32e6c2b0d4fe661c772cd3c7013dd758cdf4060c
  SHA256: deced7dae9f9d3729078ef25f2a4d48d3bb38251f436e4fde91a6df4b5118070
  SHA512: ad539456b537fedd0443b4fd22f726070cd509fa1b9c2b0233383f16c565e7fd22b79f2040d1055c4c03da5c309699b58a2bcda08fb8b9e134a9314e06929f2a
- Filesize: 1.6MB
  MD5: 4450058efd92854936ddb1c7a7619c4a
  SHA1: 5bb4e2a8d4e8d16d9aa15f728c453f56fca24405
  SHA256: 356ba962940bc10e18343aee4f6943147b55c6a8778d06df4eab6e401cee89a5
  SHA512: b66dc4f173a7370446a51fcdfc82d29db837097788a3cf3f82c1bc9a0c54bb96a9cbec119446bb25823d8cab5a2eb8888f8042b8e48a3ade524e1159a9af4180