Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
28-04-2024 16:38
General
-
Target
2024-04-28_a65be14a5d8e76845204882be7cc16d7_icedid_xiaobaminer.exe
-
Size
3.2MB
-
MD5
a65be14a5d8e76845204882be7cc16d7
-
SHA1
2359561c0735b6dbe0f9010db556c5f89e7463da
-
SHA256
0bd1642ac4764f9a2a8677b71e219fd47cfab5b28229bc373a88c1c26065cdea
-
SHA512
5672600557ce41328399d9b3c1f3a558791e58a349d022d525952ed0b6c48a90a58f11fbf1316c7efd6bd8e69e659e3ce9aa5d74f30e8ca6c7fc7e2cd212e55d
-
SSDEEP
49152:7iYgiAmOHYew6TKAQatuT7Qs13XHMRdgLaAbDiPH7PDPVChq7pYq:/AmFF13XYdgpDiPbPDPVChi6
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 6 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Adds policy Run key to start application 2 TTPs 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops autorun.inf file 1 TTPs 6 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_a65be14a5d8e76845204882be7cc16d7_icedid_xiaobaminer.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_a65be14a5d8e76845204882be7cc16d7_icedid_xiaobaminer.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"2⤵
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.htmlMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.htmlFilesize
12KB
MD533f73419b8fc156a8a5e0eee311a2639
SHA17ebd3842e080ed34f4675eea740c3e90d8db7bc2
SHA256442c6bfe7c011e24f8c0bb1c0584b96cf804eb7198d4aacffa4c5f6769ff4215
SHA5121f9e3a64bfc78cea57f4d9fce2ff4f9adfbe7526ef10e40eaa7cd9b8109cfa124b306f6d3be5e1a777bb604dc2c497623aa9298f580cd7e9a6e3bb9818e819ad
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.htmlFilesize
8KB
MD5ffbe89b376301d5a5e1602502f3a049e
SHA14fd73b0508a04073411bfb0af9f1e77a2009850a
SHA256fd516ab385f8dabba0da1377f5dfdc0dbdefdd224d823313eff24e8fb00c6217
SHA51225807dacb22621f69dfc9b85464e566a11b6f417632c9d2dac92b5112a8495aacc5edb2938e5515a59843fe79f25b5c65a280b41fb9b0c27bfce2b4da48cfa02
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.htmlFilesize
16KB
MD5b8723baac78bf9c17d116fe9b25c81b2
SHA17b04a048a42f9611afde747a57694574de887783
SHA256b8dd69bd1f86b0f1889122b8376ea78d44f0f0689945858f247975f7f72ef86c
SHA5121293a9aa28b83d6912ce041db03c8ebbe3aacceadf35d8cb59827abdaedefaac868ea77452bb34730073ed3b5c9679cf73d969cc3f9bd9be207a7a306db8c46e
-
C:\vcredist2010_x86.log.htmlFilesize
81KB
MD5de7558bcb50f7000e31b5717034aa8bb
SHA197bb06661702f5aeed0d9b1df8a5378efd6258ae
SHA25666ca127f53f967b6fefb9bbaeb3c95ee374708a4b2d78ebd7071619264fb8444
SHA512a9a494220cc715552c5c737edcf74b22901cd96506fd2f42f7a20c3bf287c1e032775833022722c270268bc5172ee340f9d04e11afd6accfc624dd897304fccb
-
\Windows\360\360Safe\deepscan\ZhuDongFangYu.exeFilesize
3.2MB
MD5a65be14a5d8e76845204882be7cc16d7
SHA12359561c0735b6dbe0f9010db556c5f89e7463da
SHA2560bd1642ac4764f9a2a8677b71e219fd47cfab5b28229bc373a88c1c26065cdea
SHA5125672600557ce41328399d9b3c1f3a558791e58a349d022d525952ed0b6c48a90a58f11fbf1316c7efd6bd8e69e659e3ce9aa5d74f30e8ca6c7fc7e2cd212e55d
-
memory/1064-395-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1064-758-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1736-0-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1736-1-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1736-8-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB