chinese_generic_botnet | 1b1c5a350db6f50dff2795a60e66326516087f686df86393b1183f26141806ee

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe
Size

3.2MB
MD5

673ec9946966504e0d8d87cf8bf0fb15
SHA1

1348b01163e263e3c9aee874ca6cb94d85d3c855
SHA256

1b1c5a350db6f50dff2795a60e66326516087f686df86393b1183f26141806ee
SHA512

9d51b5bcbd41d7bafb359b46bf203ff9dc5e5f128f5990e8afc362f7dd7b301769323b84744c84aa09f9ab3f1bbf69a89cc601ab5dfe5c62c0606c5f9b084429
SSDEEP

98304:84uTo0ZCKFwlCNZTOoqXAx88BqcVu1pggGsgBsCESpQ3v:84e7vNZTcAyhyyWgGppqv

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral2/memory/3436-13105-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet
behavioral2/memory/3436-13109-0x0000000000400000-0x000000000052B000-memory.dmp	unk_chinese_botnet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	svchost.exe
3436	xzw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Suaeweq.exe = "C:\\Users\\Admin\\AppData\\Roaming\\xzw.exe"	xzw.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2792	svchost.exe
2792	svchost.exe
2792	svchost.exe
3436	xzw.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe
3436	xzw.exe
2792	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4480	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe
4480	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe
2792	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 2792	4480	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	25
PID 4480 wrote to memory of 2792	4480	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	25
PID 4480 wrote to memory of 3436	4480	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	26
PID 4480 wrote to memory of 3436	4480	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	26
PID 4480 wrote to memory of 3436	4480	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	26

C:\Users\Admin\AppData\Local\Temp\2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Users\Admin\AppData\Roaming\xzw.exe
  "C:\Users\Admin\AppData\Roaming\xzw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
149KB

MD5
8c7aa823acfa21cbc0ba9d5a57db2498

SHA1
fd773e0a7b57a6ae6994cd29fcb65d31246075cc

SHA256
62e61b2292849fb6492234d3ee8a837e9af65e9f81f11320facf0b5a0a58b9c7

SHA512
3567f44f2cbe7ac0e1a146339dcc5c47dfddd0d81f2b5fa47e665db3aef10a86e472ac8b9d555764e189bdd8b9414440d0e1e53d61993bbd977c7b68330b179f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
483KB

MD5
8046b96cbf621d52d272f3bb217f2aec

SHA1
240961e75a12d96a67f326a48d1b2c911303de18

SHA256
85e415e428e1cd8415ec872e14a8b6b86cd8117b22e0bd6c9d0897e1bc83250c

SHA512
f44d5341cb181bf4a810ac8e1a06bbcc6c2c22e574e603667b28792a24c492821494bdf90835cc50161952cc9d487779a47dbfc63178a134da1db58748381b58

Download Submit
C:\Users\Admin\AppData\Roaming\xzw.exe

Filesize
216KB

MD5
dd7e3b47c405fd40c341805df668e71e

SHA1
6325d9ea3dfe84fe5cf6af7928cfff8e778b8ac4

SHA256
8667b876ac749d433de26fe47683f89ab82a4fad8638c6d2349a2928d3ea910f

SHA512
6df2a93280782b8831161dcff5b06922f6d47a7550db5f7ba8fb4926a0212ac5803dfdac54afaa173c4ecf996eb47342e0f8fffe977397133ba9cbee4e8e8a8f

Download Submit
C:\Users\Admin\AppData\Roaming\xzw.exe

Filesize
3KB

MD5
c8b277263e39dbd82fe6a97c499e23f2

SHA1
1424e0d41ec385a6c914de969392509e3535da84

SHA256
b4222ca83044b8917d20ccc9bdc53d223bc064dc7fb087fd85643b6e5696d491

SHA512
b9aa7d2ac63e4c2651e275c758d8ca07ca25a5aa5807183315a5fe599839760e97959a73c1151546c930386ece118de5de2370c4d829fa066d776b5847b72d46

Download Submit
C:\Users\Admin\AppData\Roaming\xzw.exe

Filesize
341KB

MD5
153b2c70825b4bfabd9a4dacfe44f171

SHA1
6964a7e6edc6808d154c0be55b80b19036654f53

SHA256
25b8a89abfc3fee2892b71d585bccad14d266a200d052326ca63c4445b0f856f

SHA512
4b5a7e664cf418687c1257b89df08250314df88d49809def0d01edb3c722bd753e1f1457e5069222e2de0b3ffb142333b661dc092af81ec11090649bd0b3dbfa

Download Submit
memory/2792-13110-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-13133-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-13135-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-99-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-103-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-108-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-138-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-11-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-13129-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-13127-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-13125-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-13123-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-13102-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-13119-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2792-13111-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/3436-3902-0x0000000077010000-0x00000000771B0000-memory.dmp

Filesize
1.6MB

Download
memory/3436-13096-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3436-13105-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/3436-13109-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3436-13097-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3436-13103-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3436-13104-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3436-13099-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3436-13101-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3436-13098-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3436-5911-0x0000000076C20000-0x0000000076C9A000-memory.dmp

Filesize
488KB

Download
memory/3436-20-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3436-21-0x0000000076050000-0x0000000076265000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads