Analysis
max time kernel: 176s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 30-04-2023 04:06
Behavioral task: behavioral1
Sample: 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
Resource: win10v2004-20230220-en
General
Target: 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
Size: 1.2MB
MD5: 3805a528be33b01aa59408a38787d6c9
SHA1: 329e122b904742d4586a0872edc9b6b48e9b189a
SHA256: 0cb412b4cba1cf5c0d3899c25a31980d5b4117fc448f6073ad134e2d1dccd39b
SHA512: c3d868699fe04f1306abbd85befefe6d3ac451fe44543f6af18936f781db749f775f57eaa1756feacd8e7ab40f4491ea4c128a4cfd5baa457d368e90b30e6917
SSDEEP: 24576:9bByw7EJLbByw7EJNMaS5jcAkSYqyEGjOlDM0:9bYwI9bYwIfMfpYqmj2D
Malware Config
Signatures
-
Detect Blackmoon payload 4 IoCs
resource | yara_rule
behavioral2/memory/3652-133-0x0000000000400000-0x000000000044D000-memory.dmp | family_blackmoon
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | family_blackmoon
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | family_blackmoon
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | family_blackmoon
-
UAC bypass 1 IoCs
Processes: ZhuDongFangYu.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ZhuDongFangYu.exe
Adds policy Run key to start application 2 TTPs 1 IoCs
Processes: ZhuDongFangYu.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" | ZhuDongFangYu.exe
Disables RegEdit via registry modification 1 IoCs
Processes: ZhuDongFangYu.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" | ZhuDongFangYu.exe
Drops file in Drivers directory 1 IoCs
Processes: ZhuDongFangYu.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | ZhuDongFangYu.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
Executes dropped EXE 1 IoCs
Processes: ZhuDongFangYu.exe
pid | process
2268 | ZhuDongFangYu.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: ZhuDongFangYu.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZhuDongFangYu = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" | ZhuDongFangYu.exe
-
Checks whether UAC is enabled 1 IoCs
Processes: ZhuDongFangYu.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ZhuDongFangYu.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: ZhuDongFangYu.exe
description | ioc | process
File opened for modification | C:\autorun.inf | ZhuDongFangYu.exe
File created | D:\autorun.inf | ZhuDongFangYu.exe
File opened for modification | D:\autorun.inf | ZhuDongFangYu.exe
File created | C:\autorun.inf | ZhuDongFangYu.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
Processes: 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe, ZhuDongFangYu.exe
description | ioc | process
File created | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
File opened for modification | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
File opened for modification | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | ZhuDongFangYu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe, ZhuDongFangYu.exe
description | pid | process
Token: SeDebugPrivilege | 3652 | 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
Token: SeDebugPrivilege | 2268 | ZhuDongFangYu.exe
Token: 33 | 2268 | ZhuDongFangYu.exe
Token: SeIncBasePriorityPrivilege | 2268 | ZhuDongFangYu.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe, ZhuDongFangYu.exe
pid | process
3652 | 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
2268 | ZhuDongFangYu.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
description | pid | process | target process
PID 3652 wrote to memory of 2268 | 3652 | 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe | ZhuDongFangYu.exe
PID 3652 wrote to memory of 2268 | 3652 | 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe | ZhuDongFangYu.exe
PID 3652 wrote to memory of 2268 | 3652 | 2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe | ZhuDongFangYu.exe
System policy modification 1 TTPs 3 IoCs
Processes: ZhuDongFangYu.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | ZhuDongFangYu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ZhuDongFangYu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ZhuDongFangYu.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2023-04-29_3805a528be33b01aa59408a38787d6c9_icedid_xiaobaminer.exe"
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
2. C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe (child of 1)
Command line: "C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
Filesize: 1.2MB
MD5: 3805a528be33b01aa59408a38787d6c9
SHA1: 329e122b904742d4586a0872edc9b6b48e9b189a
SHA256: 0cb412b4cba1cf5c0d3899c25a31980d5b4117fc448f6073ad134e2d1dccd39b
SHA512: c3d868699fe04f1306abbd85befefe6d3ac451fe44543f6af18936f781db749f775f57eaa1756feacd8e7ab40f4491ea4c128a4cfd5baa457d368e90b30e6917
-
memory/3652-133-0x0000000000400000-0x000000000044D000-memory.dmp
Filesize: 308KB