Analysis

  • max time kernel: 150s
  • max time network: 139s
  • platform: windows10-2004_x64
  • resource: win10v2004-20250314-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02/04/2025, 01:36

General

  • Target: 2025-04-02_279fd4ef507def420016b5d4c9e5d93f_hacktools_icedid.exe
  • Size: 2.0MB
  • MD5: 279fd4ef507def420016b5d4c9e5d93f
  • SHA1: 7a1fc1555f601a78af89820fd7dda6881327b972
  • SHA256: f592ffaf8d229b5510e2fde22f06ea40b29532f85e83c410a9d1079b74b8a576
  • SHA512: 0c9cbe2bd3cc6206687d3ee209a6e62f5b913b3faf5ab2db5ef6ebeec67d1af6601e5e229a7f9c3a01a08683e63b154edb55c81fc6ce73ce9683f7d589a71bc1
  • SSDEEP: 24576:PSH25PwcN2jx23LdZNtWFKVXIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECo:PlDoOTNtGKJIvfuRVy/Pur2Mgo

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-02_279fd4ef507def420016b5d4c9e5d93f_hacktools_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-02_279fd4ef507def420016b5d4c9e5d93f_hacktools_icedid.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:6012
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ippatch.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3204
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ipsee.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
    • C:\Users\Admin\AppData\Roaming\ippatch.exe
      "C:\Users\Admin\AppData\Roaming\ippatch.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ipsee.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5500
      • C:\Users\Admin\AppData\Roaming\ipsee.exe
        "C:\Users\Admin\AppData\Roaming\ipsee.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4960
    • C:\Users\Admin\AppData\Roaming\ippatch.exe
      "C:\Users\Admin\AppData\Roaming\ippatch.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1508
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1848
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:3104
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:880
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:2112
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:3504
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:408
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:3988
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3916
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:4424

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\RCX8251.tmp
    Filesize: 868KB
    MD5: 1f3d72a781785331a48de83490b1e536
    SHA1: bbffa94c168fe753618b89830069d2ae50475a80
    SHA256: faf6b5692ebe47a4f7adac994e518b98aee17072c678393f505e9d02e7317e15
    SHA512: 5e9dea3a9198aeebb910fa15249dffb2bd7c5840b66d0db76bf08afbcc3fe7349c5f4d48bcc669dd933bf5a230c8cac5754633696041def382261a773f92a6f1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk
    Filesize: 771B
    MD5: e3d909a991393608a259b3f66b90d13c
    SHA1: e1e36670cac144b7af3f6bbc8c15df020d42e26e
    SHA256: 66cabbe6416328b463c0d563e734ae4e97cef6293d16c9cbe405d0a774b18022
    SHA512: 3013e62fdd053ffbe91e0defca850708e76054d4a7d2e770aa5c3045a27a3510f93b8623dba92a491b3c57711feb60fd53bc9e6ee2f438c2fcee08efd391813c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yhxx.dll
    Filesize: 154B
    MD5: 40b80bda339faae4739d77caa3ebd0eb
    SHA1: 54e11813769d714dbf3153ec6f2620b919a00fca
    SHA256: c551be73cdf086d8b11a4b92910c939cec35e1a8805ee3099b18c5a26f14aff3
    SHA512: ab087ef1fb1a60772dcd091dc45a47d5b3f5f17f3aa6ae0f1293983b4015a7b1217e69bea95d6f3e4085962f8ef3ca3f529e76d083ab805648aa1bb76480e376

  • C:\Users\Admin\AppData\Roaming\RCX7E88.tmp
    Filesize: 2.0MB
    MD5: 35738f88f0f24298147c658b2a7a15c2
    SHA1: cbdbaa24f6252cc6b9381fb03e17f68a10f1fcb7
    SHA256: 2f9ecd0b72427ff7abb4ab1da25c6af21e66e59b379e9fd7552169265dfbef27
    SHA512: 84971c66d19f9afb564c2cb67c574283aff208eaca791c9e29e8949cbbe2b55acfee7a0acb3f1e2026beca7c2cff9a579f380457f09ebecb85d95cbf19904c72

  • C:\Users\Admin\AppData\Roaming\mydll.dll
    Filesize: 256KB
    MD5: 3e041c5d552899a538b138e7ebb2daad
    SHA1: 29223e33d0b48027a527f6ebcaa7ce9f25d15382
    SHA256: 79b559e91167b52c6c0ebfe88db15466c30a43a8b3575d827646a22943e2cc9b
    SHA512: bdd7938435102c28dbaa5547469b01a2cd626890bc8b2b2a0f2ebffdd98811e180edb0dacabf3a9c5b6c41d4cf1693dfad06d1887e0178e41c804e47f15c58a7

  • C:\Users\Admin\AppData\Roaming\mydll.dll
    Filesize: 256KB
    MD5: c2ade18b0ba74e110b0a95618bb1f1f6
    SHA1: 67a40f7728fd786b7e7da36d61ae00dc617e2e3c
    SHA256: 5ec52173b42da9494173a11f93170187552a5301db88cfafd8f72948c70c261c
    SHA512: 9ccc8370df9314cce2ef7943ca10f97a03c807895aa42dadb57e6fe1639737ed513afedc7b1c2c3cc77199c26d670a1e615eab8a0353203aa53493623754f758

  • C:\Users\Admin\AppData\Roaming\mydll.dll
    Filesize: 256KB
    MD5: 1018155ced6c44a355d614c6b1169ef7
    SHA1: 9dd1d46cb5aff0f3979203213dd3b5610c76da1c
    SHA256: c13df890185ba4983482a2ceee54f36b2e3e986d9ac389f4c82b32df500247cf
    SHA512: 806bdc7db82b0fe29dbe8cb943c913bc295d1ca9e9cb96a8231222bd162486d1e6982cc17c2246f95c5e6c3d2feff5d52dae96dcacb8f9224a4c686747e3bae1