Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/09/2024, 17:25
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
- Resource: win7-20240704-en
General
- Target: 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
- Size: 21.3MB
- MD5: 88e5f7fcb3a6b6f2ebb54bbdaae394e5
- SHA1: a1797481b116c8f9d6dbf72b538ec200528a0aa4
- SHA256: db12041535a38a59fc09b85f67302cbc9859b0f444c5fa677bcfd4f4f3b8e303
- SHA512: c8de757766df4c27f092320f07906886cb3a4e39eea82f9da5abcf0f9555c8eaa9e3c333321e5738066368584c5c2b75528b27bd92a08f833b2c05b0d3ae1aad
- SSDEEP: 196608:w1zsKFJndotUVMbUJfF7PD2pbJ6VszmYN8jqqw8o3BNYtRlR:WPFJm6VorNk28o3gtRj
Malware Config
Signatures
- Detect Blackmoon payload (13 IoCs)
  Matched resources (yara_rule: family_blackmoon):
  - behavioral2/files/0x000800000001e55f-8.dat
  - behavioral2/memory/624-26-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
  - behavioral2/memory/624-27-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
  - behavioral2/memory/624-23-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
  - behavioral2/memory/624-22-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
  - behavioral2/memory/624-30-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
  - behavioral2/memory/624-31-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
  - behavioral2/memory/624-32-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
  - behavioral2/memory/624-34-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
  - behavioral2/memory/624-42-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
  - behavioral2/memory/624-63-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
  - behavioral2/memory/624-76-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
  - behavioral2/memory/624-88-0x0000000000DE0000-0x0000000000F9B000-memory.dmp
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (Process: 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe)
- Deletes itself (1 IoC)
  - PID 624, Process: Tomcat.exe
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk (Process: Tomcat.exe)
- Executes dropped EXE (1 IoC)
  - PID 624, Process: Tomcat.exe
- Matched resources (yara_rule: upx):
  - behavioral2/memory/1116-2-0x0000000010000000-0x0000000010014000-memory.dmp
  - behavioral2/memory/1116-3-0x0000000010000000-0x0000000010014000-memory.dmp
  - behavioral2/memory/624-21-0x00000000025F0000-0x0000000002608000-memory.dmp
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: Tomcat.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 1116, Process: 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe (4 entries)
  - PID 624, Process: Tomcat.exe (60 entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs), all from PID 624, Process: Tomcat.exe
  - Token: SeDebugPrivilege
  - Token: SeLockMemoryPrivilege
  - Token: SeCreateGlobalPrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeCreateTokenPrivilege
  - Token: SeTakeOwnershipPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 1116, Process: 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe (2 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 1116 wrote to memory of 624 (pid 1116, Process: 2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe, procid_target 86) (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-05_88e5f7fcb3a6b6f2ebb54bbdaae394e5_icedid_jrat_sakula.exe"
  PID: 1116
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\Tomcat.exe (child of PID 1116)
    Command line: "C:\Users\Admin\Documents\Tomcat.exe"
    PID: 624
    - Deletes itself
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: 4450058efd92854936ddb1c7a7619c4a
  SHA1: 5bb4e2a8d4e8d16d9aa15f728c453f56fca24405
  SHA256: 356ba962940bc10e18343aee4f6943147b55c6a8778d06df4eab6e401cee89a5
  SHA512: b66dc4f173a7370446a51fcdfc82d29db837097788a3cf3f82c1bc9a0c54bb96a9cbec119446bb25823d8cab5a2eb8888f8042b8e48a3ade524e1159a9af4180
- Filesize: 218B
  MD5: 0da3fe479e80097442bd49221a6b350a
  SHA1: b6282b7a231ae343addda71355e87893e1ad5824
  SHA256: e1ec86f4e5d584cb2b4659164cd3b409b99756742a95814dfcdfecffa164ab1e
  SHA512: 30360772ac29aa3d3f8cf243605b25d7871ca771832123785a3d17861495884d2d063436f6b0ee7528c06558f2db3d2b4d6b9d4768d667b5f6887f41f18f6992
- Filesize: 225B
  MD5: 27d0fbd1ec2e45fcb3b188759f00ca69
  SHA1: 32e6c2b0d4fe661c772cd3c7013dd758cdf4060c
  SHA256: deced7dae9f9d3729078ef25f2a4d48d3bb38251f436e4fde91a6df4b5118070
  SHA512: ad539456b537fedd0443b4fd22f726070cd509fa1b9c2b0233383f16c565e7fd22b79f2040d1055c4c03da5c309699b58a2bcda08fb8b9e134a9314e06929f2a