Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 12:56
Behavioral task
behavioral1
Sample
2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exe
Resource
win7-20240215-en
General
-
Target
2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exe
-
Size
1.1MB
-
MD5
79a17b53b3edeaeab4605b38cc4232ac
-
SHA1
89189261cfa22aa7814a6e5178e372999dcec754
-
SHA256
1703ac8fb1e1b860af65dee1ab82b9f44a5008e25178798605e4fc433cf7a71c
-
SHA512
37842f7f40cdf76df87873791aebf0c7a4ae20e8fc9a3fcd084445b968e8ebf5c51f146b865f47b6fa5f4f0cbce24a8feb41af81701225852734e035aa969554
-
SSDEEP
24576:7iBygZsKLNm3HkxltQV8/w6TZwxCQ3kt9jbHCaStjl+5:7iYgiAmOHYew6TKAQatbiaSP
Malware Config
Signatures
-
Detect Blackmoon payload 9 IoCs
Processes:
resource yara_rule behavioral1/memory/3032-0-0x0000000000400000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/3032-1-0x0000000000400000-0x0000000000457000-memory.dmp family_blackmoon \Windows\360\360Safe\deepscan\ZhuDongFangYu.exe family_blackmoon behavioral1/memory/3032-6-0x0000000002AE0000-0x0000000002B37000-memory.dmp family_blackmoon behavioral1/memory/3032-9-0x0000000000400000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2580-10-0x0000000000400000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2580-11-0x0000000000400000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2580-739-0x0000000000400000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2580-765-0x0000000000400000-0x0000000000457000-memory.dmp family_blackmoon -
Processes:
ZhuDongFangYu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZhuDongFangYu.exe -
Adds policy Run key to start application 2 TTPs 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" ZhuDongFangYu.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" ZhuDongFangYu.exe -
Drops file in Drivers directory 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts ZhuDongFangYu.exe -
Executes dropped EXE 1 IoCs
Processes:
ZhuDongFangYu.exepid process 2580 ZhuDongFangYu.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exepid process 3032 2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZhuDongFangYu = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" ZhuDongFangYu.exe -
Processes:
ZhuDongFangYu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZhuDongFangYu.exe -
Drops autorun.inf file 1 TTPs 6 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
ZhuDongFangYu.exedescription ioc process File opened for modification C:\autorun.inf ZhuDongFangYu.exe File created D:\autorun.inf ZhuDongFangYu.exe File opened for modification D:\autorun.inf ZhuDongFangYu.exe File created F:\autorun.inf ZhuDongFangYu.exe File opened for modification F:\autorun.inf ZhuDongFangYu.exe File created C:\autorun.inf ZhuDongFangYu.exe -
Drops file in System32 directory 64 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File created C:\Windows\SysWOW64\dfrgui.exe ZhuDongFangYu.exe File created C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfRsmg.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\InstallShield\setup.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\Ribbons.scr ZhuDongFangYu.exe File created C:\Windows\SysWOW64\typeperf.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\xcopy.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\wbem\mofcomp.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\cmd.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\colorcpl.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\efsui.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\findstr.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\cacls.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\DevicePairingWizard.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\DWWIN.EXE ZhuDongFangYu.exe File created C:\Windows\SysWOW64\tracerpt.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\WerFaultSecure.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\iscsicpl.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\vssadmin.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\IME\IMEJP10\IMJPUEX.EXE ZhuDongFangYu.exe File created C:\Windows\SysWOW64\AtBroker.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\ntkrnlpa.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\RMActivate_isv.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\Utilman.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\winrs.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\write.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\bthudtask.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\find.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\ndadmin.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\osk.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\tcmsetup.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\com\comrepl.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\autofmt.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\calc.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\fsutil.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\MRINFO.EXE ZhuDongFangYu.exe File created C:\Windows\SysWOW64\sdiagnhost.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\unregmp2.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\DisplaySwitch.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\wbem\WinMgmt.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\diskcopy.com ZhuDongFangYu.exe File created C:\Windows\SysWOW64\compact.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\mtstocom.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\net.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\ROUTE.EXE ZhuDongFangYu.exe File created C:\Windows\SysWOW64\extrac32.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\getmac.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\perfmon.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\sc.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\SearchProtocolHost.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\shutdown.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\diskraid.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\winver.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\icardagt.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\MuiUnattend.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\netbtugc.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\RMActivate.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\verclsid.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\whoami.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\wlanext.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\IME\IMEJP10\IMJPDSVR.EXE ZhuDongFangYu.exe File created C:\Windows\SysWOW64\esentutl.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\setx.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\tzutil.exe ZhuDongFangYu.exe -
Drops file in Program Files directory 64 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File created C:\Program Files\Internet Explorer\iexplore.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe ZhuDongFangYu.exe File created C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Mail\WinMail.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM ZhuDongFangYu.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html ZhuDongFangYu.exe File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm ZhuDongFangYu.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe ZhuDongFangYu.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jre7\bin\java.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm ZhuDongFangYu.exe File created C:\Program Files\Windows Journal\Journal.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\index.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe ZhuDongFangYu.exe -
Drops file in Windows directory 64 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File created C:\Windows\winsxs\amd64_microsoft-windows-ehome-mcglidhost_31bf3856ad364e35_6.1.7600.16385_none_05a2b72417ec1c6a\mcGlidHost.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_netfx-cvtres_for_vc_and_vb_b03f5f7f11d50a3a_6.1.7601.17514_none_ba1c770af0b2031b\cvtres.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-12.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-10.htm ZhuDongFangYu.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe ZhuDongFangYu.exe File created C:\Windows\ehome\Mcx2Prov.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647\appidpolicyconverter.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-f..temcompareutilities_31bf3856ad364e35_6.1.7600.16385_none_5cbb962a4f0d58c1\fc.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-session0viewer_31bf3856ad364e35_6.1.7600.16385_none_3ddbd9a9605f0519\UI0Detect.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-d..ing-management-core_31bf3856ad364e35_6.1.7601.17514_none_2d3b8ff08901343f\DismHost.exe ZhuDongFangYu.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\Fonts\GlobalSerif.CompositeFont ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6884b0de065e8852\calendar.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-14.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346_drvinst.exe_6593e92a ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6\hh.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\icsunattend.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-xcopy_31bf3856ad364e35_6.1.7600.16385_none_62cc00cc559fd4ec\xcopy.exe ZhuDongFangYu.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe ZhuDongFangYu.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oxgames-minesweeper_31bf3856ad364e35_6.1.7600.16385_none_fe560f0352e04f48\MineSweeper.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_655452efe0fb810b\SvcIni.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_34ce5d95ad203bbe\finger.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-com-dtc-runtime_31bf3856ad364e35_6.1.7600.16385_none_7547f48c79b40229\msdtc.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-muicachebuilder_31bf3856ad364e35_6.1.7601.17514_none_7832a1aacb77df29\mcbuilder.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-security-tools-ksetup_31bf3856ad364e35_6.1.7600.16385_none_7861b83567d966e6\ksetup.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..platform-input-core_31bf3856ad364e35_6.1.7601.17514_none_2f3651e7f36d703f\wisptis.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-3.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-runlegacycplelevated_31bf3856ad364e35_6.1.7600.16385_none_6d0100c50efddc3c\RunLegacyCPLElevated.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0246f6465cb859ba\settings.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_6.1.7600.16385_none_7582a4a93f08b488\fltMC.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-recover_31bf3856ad364e35_6.1.7600.16385_none_e2083f75ce4c0619\recover.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.1.7601.17514_none_4f18faed6aae2509\bitsadmin.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-mobsyncexe_31bf3856ad364e35_6.1.7601.17514_none_f1584379b2973708\mobsync.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-secinit_31bf3856ad364e35_6.1.7600.16385_none_e3ace21ee6af3fb6\secinit.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-tzutil_31bf3856ad364e35_6.1.7601.17514_none_9269da4819c69a89\tzutil.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-16.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-mspaint_31bf3856ad364e35_6.1.7600.16385_none_ea12784c0842bfc1\mspaint.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_printui.exe_bb673fff ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-snmp-evntcmd_31bf3856ad364e35_6.1.7600.16385_none_b8db1dc46558b805\evntcmd.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-sxs_31bf3856ad364e35_6.1.7601.17514_none_b0540607b5e5d445\sxstrace.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Hand Prints.htm ZhuDongFangYu.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe ZhuDongFangYu.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-4.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-15.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-certutil_31bf3856ad364e35_6.1.7600.16385_none_1179f9944d0d9973\certutil.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-xpsreachviewer_31bf3856ad364e35_6.1.7600.16385_none_7110452767e88835\xpsrchvw.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4008824c98f8edac_dnscacheugc.exe_aa32623e ZhuDongFangYu.exe File created C:\Windows\winsxs\Backup\wow64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_c8df7823424473a1_netbtugc.exe_825f4f74 ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0212532a5cdf4b5f\picturePuzzle.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-ktmutil_31bf3856ad364e35_6.1.7600.16385_none_e47ee9c51ad9df17\ktmutil.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2260a04d0daf0ce1\settings.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\502.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-14.htm ZhuDongFangYu.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.exe ZhuDongFangYu.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_6.1.7600.16385_none_f8a40495785334a9\PrintIsolationHost.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ae1bce6b81c0916\settings.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_wpf-globaluserinterfacecf_31bf3856ad364e35_6.1.7600.16385_none_09f32bc9cd996ba2\GlobalUserInterface.CompositeFont ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-3.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-synchost_31bf3856ad364e35_6.1.7600.16385_none_c575fec016436d8a\SyncHost.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_aef2c7dbb6cc16c1\ftp.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7fa92a4e1adcf67f\settings.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-setup-component_31bf3856ad364e35_6.1.7601.17514_none_905283bdc3e1d2d8\audit.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\InputPersonalization.exe ZhuDongFangYu.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exeZhuDongFangYu.exedescription pid process Token: SeDebugPrivilege 3032 2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exe Token: SeDebugPrivilege 2580 ZhuDongFangYu.exe Token: 33 2580 ZhuDongFangYu.exe Token: SeIncBasePriorityPrivilege 2580 ZhuDongFangYu.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exeZhuDongFangYu.exepid process 3032 2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exe 2580 ZhuDongFangYu.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exedescription pid process target process PID 3032 wrote to memory of 2580 3032 2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exe ZhuDongFangYu.exe PID 3032 wrote to memory of 2580 3032 2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exe ZhuDongFangYu.exe PID 3032 wrote to memory of 2580 3032 2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exe ZhuDongFangYu.exe PID 3032 wrote to memory of 2580 3032 2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exe ZhuDongFangYu.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZhuDongFangYu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ZhuDongFangYu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system ZhuDongFangYu.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_79a17b53b3edeaeab4605b38cc4232ac_icedid_xiaobaminer.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"2⤵
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2580
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.htmlFilesize
16KB
MD517f3bbed916ce900652433f2593ff684
SHA185d4fbf534aa8acd759a489d31e06ac27677f3a7
SHA256aa21cb6b8fd8ee6e90ecc5b858dbcbecd3a97efa1f58145a26e619c2ab457bb5
SHA51281a01663f9d577882d82744d063af5fd570ee2d98cd5f6995f3f5aedaa99b45b215ef0e081056001026f45fe79ce811bef5979ce8973df8527b1920ad2215bdf
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.htmlFilesize
6KB
MD524bed74a2a49536d75ebfd9c87d105eb
SHA1ec830db2834d33dd61437ccf330ca2ad6b73e377
SHA2563cc5fa1f9ed7884a08539190a1670bbe64b0e64d1d585d4c1befcf7f91960682
SHA512a29b8c9f0a3f354e36c805b3956f637a9024ba3df8085c20f148ee4e550603191725e40d0c784192022b637227b06d831cc83a3790cc372e94431d5685545265
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.htmlFilesize
12KB
MD533f73419b8fc156a8a5e0eee311a2639
SHA17ebd3842e080ed34f4675eea740c3e90d8db7bc2
SHA256442c6bfe7c011e24f8c0bb1c0584b96cf804eb7198d4aacffa4c5f6769ff4215
SHA5121f9e3a64bfc78cea57f4d9fce2ff4f9adfbe7526ef10e40eaa7cd9b8109cfa124b306f6d3be5e1a777bb604dc2c497623aa9298f580cd7e9a6e3bb9818e819ad
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.htmlFilesize
8KB
MD5ffbe89b376301d5a5e1602502f3a049e
SHA14fd73b0508a04073411bfb0af9f1e77a2009850a
SHA256fd516ab385f8dabba0da1377f5dfdc0dbdefdd224d823313eff24e8fb00c6217
SHA51225807dacb22621f69dfc9b85464e566a11b6f417632c9d2dac92b5112a8495aacc5edb2938e5515a59843fe79f25b5c65a280b41fb9b0c27bfce2b4da48cfa02
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.htmlFilesize
14KB
MD5138687bae4d5ae5ecd9f49d4603846b6
SHA1b9bd64f7c2f3a00ac7ad28d21d0f589e881eb5b5
SHA256aa696a838bb49ef4a6c83890ffa39424a471a84bcbc57ae86867b1f9bba3994f
SHA512c6b0b2a25e95a082695e658eb9086d67e2d517aed8adcb625e2b81a29887b4ae31d26cc99738703516ea9072773e06f8871b8775706aeec705f227a68fb7efa6
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.htmlFilesize
16KB
MD5b8723baac78bf9c17d116fe9b25c81b2
SHA17b04a048a42f9611afde747a57694574de887783
SHA256b8dd69bd1f86b0f1889122b8376ea78d44f0f0689945858f247975f7f72ef86c
SHA5121293a9aa28b83d6912ce041db03c8ebbe3aacceadf35d8cb59827abdaedefaac868ea77452bb34730073ed3b5c9679cf73d969cc3f9bd9be207a7a306db8c46e
-
C:\vcredist2010_x86.log.htmlFilesize
82KB
MD50a182919dc63ea32c6bf53ca8d76d7fb
SHA1794f647d0c72dfc8891feae7a446eaec97c619d1
SHA256c203ee0f7b45e55a1271525513f1a0638e86ebfd96ab08ad99f4b8bf6a24da1f
SHA5120b4f6850ca39675c081be2c69df2ba9819d1485a384ebd35d70eddf14405404abcb5b33233ffcb7327b1d79440248a51b3d5ec36ae4e773c28436f88de5a1788
-
\Windows\360\360Safe\deepscan\ZhuDongFangYu.exeFilesize
1.1MB
MD579a17b53b3edeaeab4605b38cc4232ac
SHA189189261cfa22aa7814a6e5178e372999dcec754
SHA2561703ac8fb1e1b860af65dee1ab82b9f44a5008e25178798605e4fc433cf7a71c
SHA51237842f7f40cdf76df87873791aebf0c7a4ae20e8fc9a3fcd084445b968e8ebf5c51f146b865f47b6fa5f4f0cbce24a8feb41af81701225852734e035aa969554
-
memory/2580-11-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/2580-10-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/2580-739-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/2580-765-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/3032-9-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/3032-6-0x0000000002AE0000-0x0000000002B37000-memory.dmpFilesize
348KB
-
memory/3032-0-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/3032-1-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB