blackmoon | 0cb412b4cba1cf5c0d3899c25a31980d5b4117fc448f6073ad134e2d1dccd39b

General

Target

2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
Size

1.2MB
MD5

3805a528be33b01aa59408a38787d6c9
SHA1

329e122b904742d4586a0872edc9b6b48e9b189a
SHA256

0cb412b4cba1cf5c0d3899c25a31980d5b4117fc448f6073ad134e2d1dccd39b
SHA512

c3d868699fe04f1306abbd85befefe6d3ac451fe44543f6af18936f781db749f775f57eaa1756feacd8e7ab40f4491ea4c128a4cfd5baa457d368e90b30e6917
SSDEEP

24576:9bByw7EJLbByw7EJNMaS5jcAkSYqyEGjOlDM0:9bYwI9bYwIfMfpYqmj2D

Score

10^/10

blackmoon banker evasion persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3652-133-0x0000000000400000-0x000000000044D000-memory.dmp	family_blackmoon
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe	family_blackmoon
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe	family_blackmoon
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe	family_blackmoon

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

ZhuDongFangYu.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZhuDongFangYu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ZhuDongFangYu.exe

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ZhuDongFangYu.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe"	ZhuDongFangYu.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

ZhuDongFangYu.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	ZhuDongFangYu.exe

Drops file in Drivers directory 1 IoCs

Processes:

ZhuDongFangYu.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts ZhuDongFangYu.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ZhuDongFangYu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe

Executes dropped EXE 1 IoCs

Processes:

ZhuDongFangYu.exe

pid process

2268 ZhuDongFangYu.exe

pid	process
2268	ZhuDongFangYu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ZhuDongFangYu.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZhuDongFangYu = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe"	ZhuDongFangYu.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

ZhuDongFangYu.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZhuDongFangYu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ZhuDongFangYu.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

ZhuDongFangYu.exe

description	ioc	process
File opened for modification	C:\autorun.inf	ZhuDongFangYu.exe
File created	D:\autorun.inf	ZhuDongFangYu.exe
File opened for modification	D:\autorun.inf	ZhuDongFangYu.exe
File created	C:\autorun.inf	ZhuDongFangYu.exe

Drops file in Program Files directory 64 IoCs

Processes:

ZhuDongFangYu.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	ZhuDongFangYu.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ZhuDongFangYu.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	ZhuDongFangYu.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	ZhuDongFangYu.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ZhuDongFangYu.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	ZhuDongFangYu.exe
File created	C:\Program Files\Internet Explorer\ExtExport.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	ZhuDongFangYu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	ZhuDongFangYu.exe

Drops file in Windows directory 3 IoCs

Processes:

2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exeZhuDongFangYu.exe

description	ioc	process
File created	C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe	2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
File opened for modification	C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe	2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
File opened for modification	C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe	ZhuDongFangYu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exeZhuDongFangYu.exe

description	pid	process
Token: SeDebugPrivilege	3652	2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
Token: SeDebugPrivilege	2268	ZhuDongFangYu.exe
Token: 33	2268	ZhuDongFangYu.exe
Token: SeIncBasePriorityPrivilege	2268	ZhuDongFangYu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exeZhuDongFangYu.exe

pid process

3652 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
2268 ZhuDongFangYu.exe

pid	process
3652	2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
2268	ZhuDongFangYu.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe

description	pid	process	target process
PID 3652 wrote to memory of 2268	3652	2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe	ZhuDongFangYu.exe
PID 3652 wrote to memory of 2268	3652	2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe	ZhuDongFangYu.exe
PID 3652 wrote to memory of 2268	3652	2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe	ZhuDongFangYu.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

ZhuDongFangYu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	ZhuDongFangYu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ZhuDongFangYu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ZhuDongFangYu.exe

C:\Users\Admin\AppData\Local\Temp\2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
"C:\Users\Admin\AppData\Local\Temp\2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
"C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"
2⤵
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

4

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
Filesize
1.2MB

MD5
3805a528be33b01aa59408a38787d6c9

SHA1
329e122b904742d4586a0872edc9b6b48e9b189a

SHA256
0cb412b4cba1cf5c0d3899c25a31980d5b4117fc448f6073ad134e2d1dccd39b

SHA512
c3d868699fe04f1306abbd85befefe6d3ac451fe44543f6af18936f781db749f775f57eaa1756feacd8e7ab40f4491ea4c128a4cfd5baa457d368e90b30e6917

Download Submit
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
Filesize
1.2MB

MD5
3805a528be33b01aa59408a38787d6c9

SHA1
329e122b904742d4586a0872edc9b6b48e9b189a

SHA256
0cb412b4cba1cf5c0d3899c25a31980d5b4117fc448f6073ad134e2d1dccd39b

SHA512
c3d868699fe04f1306abbd85befefe6d3ac451fe44543f6af18936f781db749f775f57eaa1756feacd8e7ab40f4491ea4c128a4cfd5baa457d368e90b30e6917

Download Submit
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
Filesize
1.2MB

MD5
3805a528be33b01aa59408a38787d6c9

SHA1
329e122b904742d4586a0872edc9b6b48e9b189a

SHA256
0cb412b4cba1cf5c0d3899c25a31980d5b4117fc448f6073ad134e2d1dccd39b

SHA512
c3d868699fe04f1306abbd85befefe6d3ac451fe44543f6af18936f781db749f775f57eaa1756feacd8e7ab40f4491ea4c128a4cfd5baa457d368e90b30e6917

Download Submit
memory/3652-133-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads