chinese_generic_botnet | 8ab29d462bedfcb4b4174f2b7a41fe683ba0b6904a09902583ec7a7464964732

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23-02-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe
Size

2.0MB
MD5

9f914e571b5b4fb328008dc5793715e7
SHA1

c321f44fbb74204e0324fcee5c54b3ae10434e20
SHA256

8ab29d462bedfcb4b4174f2b7a41fe683ba0b6904a09902583ec7a7464964732
SHA512

a6b0e32d0aa1ef6898ac1f4d20f4f3a1b3fce912c5e3becf1d1ca5f01d6ac21265f1e521bf2c4f7fe686d7807adb8eaf0090e1e6c312e8cea3eaa43a6f48aba8
SSDEEP

24576:UXzUbSX5Z/IYno0dbnnmrtyF2ZifBvlGsu6ot9vtC1FoV1pltylcVHhE9HHWAjh3:UX4uXjo0ZCUFN5vUikV1XacrEY3M7TFJ

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral1/memory/1664-8719-0x0000000000400000-0x0000000000548000-memory.dmp	unk_chinese_botnet
behavioral1/memory/1904-17430-0x0000000000400000-0x0000000000548000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 3 IoCs

pid	Process
1664	QQ.exe
2880	svchost.exe
1904	Kvzbtbs.exe

Loads dropped DLL 3 IoCs

pid	Process
1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe
1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe
1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Kvzbtbs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs

pid	Process
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1904	Kvzbtbs.exe
1904	Kvzbtbs.exe
1664	QQ.exe
1904	Kvzbtbs.exe
1664	QQ.exe
1904	Kvzbtbs.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe
1664	QQ.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kvzbtbs.exe	QQ.exe
File opened for modification	C:\Program Files (x86)\Kvzbtbs.exe	QQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Kvzbtbs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Kvzbtbs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0069000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Kvzbtbs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Kvzbtbs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Kvzbtbs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Kvzbtbs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Kvzbtbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-b2-7b-41-92-e1\WpadDecision = "0"	Kvzbtbs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Kvzbtbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Kvzbtbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E0A0DE17-105D-4E7A-A6C7-4AB654FFC3F8}\WpadDecisionReason = "1"	Kvzbtbs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E0A0DE17-105D-4E7A-A6C7-4AB654FFC3F8}\WpadDecisionTime = d0ae0c4d4e66da01	Kvzbtbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E0A0DE17-105D-4E7A-A6C7-4AB654FFC3F8}\WpadDecision = "0"	Kvzbtbs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E0A0DE17-105D-4E7A-A6C7-4AB654FFC3F8}\66-b2-7b-41-92-e1	Kvzbtbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-b2-7b-41-92-e1\WpadDecisionReason = "1"	Kvzbtbs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-b2-7b-41-92-e1\WpadDecisionTime = d0ae0c4d4e66da01	Kvzbtbs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Kvzbtbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Kvzbtbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Kvzbtbs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Kvzbtbs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Kvzbtbs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E0A0DE17-105D-4E7A-A6C7-4AB654FFC3F8}	Kvzbtbs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E0A0DE17-105D-4E7A-A6C7-4AB654FFC3F8}\WpadNetworkName = "Network 3"	Kvzbtbs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-b2-7b-41-92-e1	Kvzbtbs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2880	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe
1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe
2880	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 1664	1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe	28
PID 1844 wrote to memory of 1664	1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe	28
PID 1844 wrote to memory of 1664	1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe	28
PID 1844 wrote to memory of 1664	1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe	28
PID 1844 wrote to memory of 2880	1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe	29
PID 1844 wrote to memory of 2880	1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe	29
PID 1844 wrote to memory of 2880	1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe	29
PID 1844 wrote to memory of 2880	1844	2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_9f914e571b5b4fb328008dc5793715e7_icedid.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Roaming\QQ.exe
  "C:\Users\Admin\AppData\Roaming\QQ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  PID:1664
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2880

C:\Program Files (x86)\Kvzbtbs.exe
"C:\Program Files (x86)\Kvzbtbs.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
296KB

MD5
a6acb044a1e5f1813c671cd604e614b1

SHA1
35ea9a47a692cc805d6e9050b731d49e5609591b

SHA256
c196618be7a7bac1f55f080c52ca2b51d80fd748554957708741b9ed3c722167

SHA512
487fb1a1c56363d2276e1c5a4f5af2461b6c484e432a6d991e2e6caf2558328be8cd1bf1294c3b3218b21fb2b58bd006155584708fcb2bdc162bad17f187627e

Download Submit
\Users\Admin\AppData\Roaming\QQ.exe

Filesize
936KB

MD5
f21c518bcafa5fe911f17ffb3c1797b0

SHA1
6ddf4338b8802ed0e698af6d78695cc12d7e55d6

SHA256
a64ace959b459d7f23ceb7b2ff1cbe7f9346e3aa412118d4078b940e13b087a8

SHA512
482a3c93ed737da332be810d543a2afd274b6c20ebcdccf4a324cca756629ffcd402c7ba5b514ad19f91bb27ecdc3de0e3baa30f65658c1f152ad1bcc9f8f25f

Download Submit
memory/1664-865-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-832-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-22-0x0000000076370000-0x00000000763B7000-memory.dmp

Filesize
284KB

Download
memory/1664-871-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-833-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-835-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-837-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-839-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-841-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-843-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-8719-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/1664-847-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-869-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-851-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-853-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-861-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-859-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-857-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-855-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-863-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-845-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-13-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/1664-849-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-867-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-873-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-875-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-877-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-879-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-881-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-883-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-885-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-887-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-889-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-891-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-893-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-2568-0x0000000002100000-0x0000000002281000-memory.dmp

Filesize
1.5MB

Download
memory/1664-8715-0x00000000023B0000-0x00000000024C1000-memory.dmp

Filesize
1.1MB

Download
memory/1664-8714-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/1844-12-0x00000000033B0000-0x00000000034F8000-memory.dmp

Filesize
1.3MB

Download
memory/1904-8728-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/1904-11277-0x0000000001FC0000-0x0000000002141000-memory.dmp

Filesize
1.5MB

Download
memory/1904-17416-0x0000000002270000-0x0000000002381000-memory.dmp

Filesize
1.1MB

Download
memory/1904-17424-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/1904-17430-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download