Analysis
-
max time kernel
70s -
max time network
71s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
17/10/2024, 12:39
Behavioral task
behavioral1
Sample
2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe
Resource
win7-20240708-en
General
-
Target
2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe
-
Size
8.8MB
-
MD5
ee7b4efe98eb1fac28a8bcb68c5e6d5c
-
SHA1
6a930a36fe1f06302a505ae1a281280fcc18be24
-
SHA256
e145ac6a651c72bb03e5c6d0a6ae337de6267a32c874c92c0d31fbd46d28e137
-
SHA512
e551cfa338dafa1a30a50d5bd27d9d7bc404adc7cbea20ba59e7740e6660fedd647359a5403ae356d1f5bb84db894aa6461eb5cbb46e37733ae44d92a9a5bdb6
-
SSDEEP
98304:A+/mLsGZ6NBaEDvDgYm930k3OxsdOqy1zQ9PvJ6OAhQrK4m:qZYRm9kFsdLrZAV4m
Malware Config
Signatures
-
Detect Blackmoon payload 1 IoCs
resource yara_rule behavioral1/memory/2312-0-0x0000000000400000-0x0000000000D05000-memory.dmp family_blackmoon -
Executes dropped EXE 2 IoCs
pid Process 3620 Eternalblue-2.2.0.exe 8156 Eternalblue-2.2.0.exe -
Loads dropped DLL 22 IoCs
pid Process 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 3620 Eternalblue-2.2.0.exe 3620 Eternalblue-2.2.0.exe 3620 Eternalblue-2.2.0.exe 3620 Eternalblue-2.2.0.exe 3620 Eternalblue-2.2.0.exe 3620 Eternalblue-2.2.0.exe 3620 Eternalblue-2.2.0.exe 3620 Eternalblue-2.2.0.exe 3620 Eternalblue-2.2.0.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 8156 Eternalblue-2.2.0.exe 8156 Eternalblue-2.2.0.exe 8156 Eternalblue-2.2.0.exe 8156 Eternalblue-2.2.0.exe 8156 Eternalblue-2.2.0.exe 8156 Eternalblue-2.2.0.exe 8156 Eternalblue-2.2.0.exe 8156 Eternalblue-2.2.0.exe 8156 Eternalblue-2.2.0.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eternalblue-2.2.0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eternalblue-2.2.0.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2312 wrote to memory of 3620 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 31 PID 2312 wrote to memory of 3620 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 31 PID 2312 wrote to memory of 3620 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 31 PID 2312 wrote to memory of 3620 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 31 PID 2312 wrote to memory of 8156 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 33 PID 2312 wrote to memory of 8156 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 33 PID 2312 wrote to memory of 8156 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 33 PID 2312 wrote to memory of 8156 2312 2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-17_ee7b4efe98eb1fac28a8bcb68c5e6d5c_eternalromance_icedid_mimikatz_qakbot.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\Eternalblue-2.2.0.exeEternalblue-2.2.0.exe --TargetIp 10.127.1.135 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3620
-
-
C:\Users\Admin\AppData\Local\Temp\Eternalblue-2.2.0.exeEternalblue-2.2.0.exe --TargetIp 10.127.1.135 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:8156
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5497080fed2000e8b49ee2e97e54036b1
SHA14af3fae881a80355dd09df6e736203c30c4faac5
SHA256756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380
SHA5124f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df
-
Filesize
807KB
MD59a5cec05e9c158cbc51cdc972693363d
SHA1ca4d1bb44c64a85871944f3913ca6ccddfa2dc04
SHA256aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3
SHA5128af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94
-
Filesize
126KB
MD58c80dd97c37525927c1e549cb59bcbf3
SHA14e80fa7d98c8e87facecdef0fc7de0d957d809e1
SHA25685b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
SHA51250e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e
-
Filesize
15KB
MD53c2fe2dbdf09cfa869344fdb53307cb2
SHA1b67a8475e6076a24066b7cb6b36d307244bb741f
SHA2560439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887
SHA512d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c
-
Filesize
10KB
MD5ba629216db6cf7c0c720054b0c9a13f3
SHA137bb800b2bb812d4430e2510f14b5b717099abaa
SHA25615292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9
SHA512c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9
-
Filesize
11KB
MD52f0a52ce4f445c6e656ecebbcaceade5
SHA135493e06b0b2cdab2211c0fc02286f45d5e2606d
SHA256cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb
SHA51288151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1
-
Filesize
232KB
MD5f0881d5a7f75389deba3eff3f4df09ac
SHA18404f2776fa8f7f8eaffb7a1859c19b0817b147a
SHA256ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362
SHA512f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e
-
Filesize
58KB
MD5838ceb02081ac27de43da56bec20fc76
SHA1972ab587cdb63c8263eb977f10977fd7d27ecf7b
SHA2560259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f
SHA512bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22
-
Filesize
29KB
MD53e89c56056e5525bf4d9e52b28fbbca7
SHA108f93ab25190a44c4e29bee5e8aacecc90dab80c
SHA256b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa
SHA51232487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6
-
Filesize
9KB
MD583076104ae977d850d1e015704e5730a
SHA1776e7079734bc4817e3af0049f42524404a55310
SHA256cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12
SHA512bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8
-
Filesize
57KB
MD56b7276e4aa7a1e50735d2f6923b40de4
SHA1db8603ac6cac7eb3690f67af7b8d081aa9ce3075
SHA256f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a
SHA51258e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa