Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/08/2023, 18:03

General

  • Target

    3688a31bd6273724217ed4de651162ce_icedid_xiaobaminer_JC.exe

  • Size

    2.6MB

  • MD5

    3688a31bd6273724217ed4de651162ce

  • SHA1

    74d561751fb834179d2b2e5f5620783725cb63e5

  • SHA256

    cdf31b82d2dc519aa3af5a47b0791fd33751792717674e7579f3d0cf9411b21c

  • SHA512

    3a33029d73fc07f94fd4bd73c4919beb25a6f4b8203e46830df2418cb477868bb87a86693942e85fe08a3487ce728da6118524547a91e6a623e1b6e5034ae80d

  • SSDEEP

    49152:9bYwIICRaYSDA+ouZ/K0tDmNhJXLkZRJ+0Y8TCXXJdWdYw6VdNRIky/Cr70QiB:yCCRUZ/K0tKNhJXKsdXXJdWGw6VdIkyl

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3688a31bd6273724217ed4de651162ce_icedid_xiaobaminer_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\3688a31bd6273724217ed4de651162ce_icedid_xiaobaminer_JC.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
      "C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"
      2⤵
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

    Filesize

    2.6MB

    MD5

    3688a31bd6273724217ed4de651162ce

    SHA1

    74d561751fb834179d2b2e5f5620783725cb63e5

    SHA256

    cdf31b82d2dc519aa3af5a47b0791fd33751792717674e7579f3d0cf9411b21c

    SHA512

    3a33029d73fc07f94fd4bd73c4919beb25a6f4b8203e46830df2418cb477868bb87a86693942e85fe08a3487ce728da6118524547a91e6a623e1b6e5034ae80d

  • C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

    Filesize

    2.6MB

    MD5

    3688a31bd6273724217ed4de651162ce

    SHA1

    74d561751fb834179d2b2e5f5620783725cb63e5

    SHA256

    cdf31b82d2dc519aa3af5a47b0791fd33751792717674e7579f3d0cf9411b21c

    SHA512

    3a33029d73fc07f94fd4bd73c4919beb25a6f4b8203e46830df2418cb477868bb87a86693942e85fe08a3487ce728da6118524547a91e6a623e1b6e5034ae80d

  • C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

    Filesize

    2.6MB

    MD5

    3688a31bd6273724217ed4de651162ce

    SHA1

    74d561751fb834179d2b2e5f5620783725cb63e5

    SHA256

    cdf31b82d2dc519aa3af5a47b0791fd33751792717674e7579f3d0cf9411b21c

    SHA512

    3a33029d73fc07f94fd4bd73c4919beb25a6f4b8203e46830df2418cb477868bb87a86693942e85fe08a3487ce728da6118524547a91e6a623e1b6e5034ae80d

  • memory/4720-133-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB