Analysis
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 16:38
Behavioral task: behavioral1
Sample: 2024-04-28_aeb2f46dc50c9fdbf3068d6010123c48_icedid_xiaobaminer.exe
Resource: win7-20240221-en
General
Target: 2024-04-28_aeb2f46dc50c9fdbf3068d6010123c48_icedid_xiaobaminer.exe
Size: 984KB
MD5: aeb2f46dc50c9fdbf3068d6010123c48
SHA1: 9630f6b7a79efb649519983461ca73b20160fba7
SHA256: 5666170b6f5a299df44e3d9978626686da5f51f44d422bc56154767b4e70b9f1
SHA512: e8ce0097e3a535b1b5cdec51d36ef5a227e2a1b0d0fdb3bb8f806ec5740fe0eb3fe9813a022e86ae7d988f6b7192d30efd7e5b787084611f8f7f1489b3590811
SSDEEP: 24576:7wRyG1Z3jc1VCrNHtBCACWvwCOcWtSpyNiymGaw8LJNvPEYV7Qsn+:7wIGnzcErNNQJHA5fW+Q++
Malware Config
Signatures
Detect Blackmoon payload (7 IoCs)
Processes:
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2844-0-0x0000000000400000-0x0000000000453000-memory.dmp | family_blackmoon |
| behavioral1/memory/2844-1-0x0000000000400000-0x0000000000453000-memory.dmp | family_blackmoon |
| \Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | family_blackmoon |
| behavioral1/memory/2844-6-0x0000000002AB0000-0x0000000002B03000-memory.dmp | family_blackmoon |
| behavioral1/memory/2844-9-0x0000000000400000-0x0000000000453000-memory.dmp | family_blackmoon |
| behavioral1/memory/2372-503-0x0000000000400000-0x0000000000453000-memory.dmp | family_blackmoon |
| behavioral1/memory/2372-755-0x0000000000400000-0x0000000000453000-memory.dmp | family_blackmoon |
UAC bypass
Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ZhuDongFangYu.exe |
Adds policy Run key to start application (2 TTPs, 1 IoCs)
Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" | ZhuDongFangYu.exe |
Disables RegEdit via registry modification (1 IoCs)
Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" | ZhuDongFangYu.exe |
Drops file in Drivers directory (1 IoCs)
Processes:
| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | ZhuDongFangYu.exe |
Executes dropped EXE (1 IoCs)
Processes:
| pid | process |
| --- | --- |
| 2372 | ZhuDongFangYu.exe |
Loads dropped DLL (1 IoCs)
Processes:
| pid | process |
| --- | --- |
| 2844 | 2024-04-28_aeb2f46dc50c9fdbf3068d6010123c48_icedid_xiaobaminer.exe |
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZhuDongFangYu = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" | ZhuDongFangYu.exe |
Checks whether UAC is enabled
Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ZhuDongFangYu.exe |
Drops autorun.inf file (1 TTPs, 6 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\autorun.inf | ZhuDongFangYu.exe |
| File created | D:\autorun.inf | ZhuDongFangYu.exe |
| File opened for modification | D:\autorun.inf | ZhuDongFangYu.exe |
| File created | F:\autorun.inf | ZhuDongFangYu.exe |
| File opened for modification | F:\autorun.inf | ZhuDongFangYu.exe |
| File created | C:\autorun.inf | ZhuDongFangYu.exe |
Drops file in System32 directory (64 IoCs)
Processes:
| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\ROUTE.EXE | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\sdchange.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\SyncHost.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\tasklist.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\timeout.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\winrs.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\rasphone.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\rdrleakdiag.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\wlanext.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\rekeywiz.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\unregmp2.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\WerFault.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\IME\IMEJP10\imjpuexc.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\bitsadmin.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\ntprint.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\sxstrace.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\wevtutil.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\wimserv.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\IME\IMEJP10\IMJPMGR.EXE | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\AdapterTroubleshooter.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\isoburn.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\typeperf.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\choice.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\odbcconf.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\xpsrchvw.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\efsui.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\InfDefaultInstall.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\gpresult.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\raserver.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\SetIEInstalledDate.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\bootcfg.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\doskey.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\iscsicpl.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\perfhost.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\resmon.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\SystemPropertiesPerformance.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\TsWpfWrp.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\user.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\dpapimig.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\driverquery.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\wsmprovhost.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\openfiles.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\runonce.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\iexpress.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\proquota.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\RegisterIEPKEYs.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\RMActivate_isv.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\vssadmin.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\wusa.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\colorcpl.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\esentutl.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\more.com | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\label.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\mshta.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\newdev.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\secinit.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\userinit.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\clip.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\dplaysvr.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\drvinst.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\find.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\rundll32.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\SysWOW64\shutdown.exe | ZhuDongFangYu.exe |
Drops file in Program Files directory (64 IoCs)
Processes:
| description | ioc | process |
| --- | --- | --- |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.HTM | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html | ZhuDongFangYu.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html | ZhuDongFangYu.exe |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files (x86)\Windows Media Player\setup_wm.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows Media Player\wmplayer.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows Media Player\wmprph.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html | ZhuDongFangYu.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows Media Player\wmlaunch.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\flyout.html | ZhuDongFangYu.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows NT\Accessories\wordpad.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jre7\Welcome.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html | ZhuDongFangYu.exe |
| File created | C:\Program Files\Internet Explorer\ielowutil.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\currency.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html | ZhuDongFangYu.exe |
| File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html | ZhuDongFangYu.exe |
Drops file in Windows directory (64 IoCs)
Processes:
| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..odeupdate-servicing_31bf3856ad364e35_6.1.7600.16385_none_ff7cf696bfb54620\ucsvc.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-3.htm | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_cb604f1aa758e6b6\IMJPDSVR.EXE | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-wmpenc_31bf3856ad364e35_6.1.7600.16385_none_00192601418cadff\wmpenc.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_netfx-ldr64_exe_31bf3856ad364e35_6.1.7600.16385_none_f98e4869675ab367\Ldr64.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\msil_smsvchost_b03f5f7f11d50a3a_6.1.7601.17514_none_e6b622bd1115139e\SMSvcHost.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_microsoft-windows-credwiz_31bf3856ad364e35_6.1.7600.16385_none_9fb106cecd28b3f9\credwiz.exe | ZhuDongFangYu.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\DHtmlHeader.html | ZhuDongFangYu.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-commandlinehelp_31bf3856ad364e35_6.1.7600.16385_none_3020274b22e8a90f\help.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\401-3.htm | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a9893e83c110fe46\cpu.html | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-es-authentication_31bf3856ad364e35_6.1.7600.16385_none_9db1ae483049e160\EhStorAuthn.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22\tree.com | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5646c597a746df57\slideShow.html | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-pnputil_31bf3856ad364e35_6.1.7600.16385_none_5958b438d6388d15\PnPutil.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-setx_31bf3856ad364e35_6.1.7600.16385_none_086bc77632c16995\setx.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_addinprocess32_b77a5c561934e089_6.1.7601.17514_none_df35b5ac03866e22\AddInProcess32.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_655452efe0fb810b\PkgMgr.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\msil_edmgen_b77a5c561934e089_6.1.7601.17514_none_cddf79f7120d371d\EdmGen.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\newdev.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_addinprocess32_b77a5c561934e089_6.1.7601.17514_none_83171a284b28fcec\AddInProcess32.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_netfx-vb_compiler_b03f5f7f11d50a3a_6.1.7601.17514_none_144b6bd462e4a41b\vbc.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.1.7600.16385_none_87a28b30f517e40e\printfilterpipelinesvc.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-wmpenc_31bf3856ad364e35_6.1.7600.16385_none_a3fa8a7d892f3cc9\wmpenc.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_microsoft-windows-xwizard-host-process_31bf3856ad364e35_6.1.7600.16385_none_58ca66f699d77ff1\xwizard.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a6285ac2a45ae884\settings.html | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Shades of Blue.htm | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\query.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-logagent_31bf3856ad364e35_6.1.7601.17514_none_ed47f623204af12a\logagent.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17932_none_d26a33ec18cb49c4\conhost.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-diskpart_31bf3856ad364e35_6.1.7601.17514_none_c6fe6ac9ac8c7105\diskpart.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..-management-console_31bf3856ad364e35_6.1.7600.16385_none_6b683cb78f534561\mmc.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_31173e7d19fe591a\settings.html | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-5.htm | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_6.1.7600.16385_none_c09aa5b3bec88beb\BdeUISrv.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\Backup\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_6e30004a126a8db7_ntkrnlpa.exe_165c312a | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.1.7600.16385_none_2af2acecc5b06906\web.config.comments | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Green Bubbles.htm | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\401-1.htm | ZhuDongFangYu.exe |
| File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404.htm | ZhuDongFangYu.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_6.1.7601.17514_none_12d42225a9a7aef7\rpcinfo.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\qappsrv.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_6.1.7600.16385_none_d03cc6bce93bce83\TapiUnattend.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-8.htm | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403.htm | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\406.htm | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_microsoft-windows-charmap_31bf3856ad364e35_6.1.7600.16385_none_f230138205aebc59\charmap.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_microsoft-windows-net-command-line-tool_31bf3856ad364e35_6.1.7600.16385_none_5208a7a3d3caa54c\net.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\401-2.htm | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-16.htm | ZhuDongFangYu.exe |
| File created | C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_brmfcwia.inf_31bf3856ad364e35_6.1.7600.16385_none_11493a3982b640b7\BrmfRsmg.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-diskraid_31bf3856ad364e35_6.1.7601.17514_none_c3afa97fae99bbe4\diskraid.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehprivjob_31bf3856ad364e35_6.1.7601.17514_none_53393627486ae37b\ehprivjob.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-script_31bf3856ad364e35_6.1.7600.16385_none_64ed8ea5d0ffd85e\gpscript.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-3.htm | ZhuDongFangYu.exe |
| File created | C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_microsoft-windows-ping-utilities_31bf3856ad364e35_6.1.7600.16385_none_a907fb2af12e5dc6\PING.EXE | ZhuDongFangYu.exe |
| File created | C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe | ZhuDongFangYu.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2844 | 2024-04-28_aeb2f46dc50c9fdbf3068d6010123c48_icedid_xiaobaminer.exe |
| Token: SeDebugPrivilege | 2372 | ZhuDongFangYu.exe |
| Token: 33 | 2372 | ZhuDongFangYu.exe |
| Token: SeIncBasePriorityPrivilege | 2372 | ZhuDongFangYu.exe |
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
| pid | process |
| --- | --- |
| 2844 | 2024-04-28_aeb2f46dc50c9fdbf3068d6010123c48_icedid_xiaobaminer.exe |
| 2372 | ZhuDongFangYu.exe |
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2844 wrote to memory of 2372 | 2844 | 2024-04-28_aeb2f46dc50c9fdbf3068d6010123c48_icedid_xiaobaminer.exe | ZhuDongFangYu.exe |
| PID 2844 wrote to memory of 2372 | 2844 | 2024-04-28_aeb2f46dc50c9fdbf3068d6010123c48_icedid_xiaobaminer.exe | ZhuDongFangYu.exe |
| PID 2844 wrote to memory of 2372 | 2844 | 2024-04-28_aeb2f46dc50c9fdbf3068d6010123c48_icedid_xiaobaminer.exe | ZhuDongFangYu.exe |
| PID 2844 wrote to memory of 2372 | 2844 | 2024-04-28_aeb2f46dc50c9fdbf3068d6010123c48_icedid_xiaobaminer.exe | ZhuDongFangYu.exe |
System policy modification (1 TTPs, 3 IoCs)
Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ZhuDongFangYu.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ZhuDongFangYu.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | ZhuDongFangYu.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-28_aeb2f46dc50c9fdbf3068d6010123c48_icedid_xiaobaminer.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_aeb2f46dc50c9fdbf3068d6010123c48_icedid_xiaobaminer.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe (level 2, child of the process above)
    Command line: "C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
Downloads
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html
  Filesize: 16KB
  MD5: 17f3bbed916ce900652433f2593ff684
  SHA1: 85d4fbf534aa8acd759a489d31e06ac27677f3a7
  SHA256: aa21cb6b8fd8ee6e90ecc5b858dbcbecd3a97efa1f58145a26e619c2ab457bb5
  SHA512: 81a01663f9d577882d82744d063af5fd570ee2d98cd5f6995f3f5aedaa99b45b215ef0e081056001026f45fe79ce811bef5979ce8973df8527b1920ad2215bdf
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html
  Filesize: 6KB
  MD5: 24bed74a2a49536d75ebfd9c87d105eb
  SHA1: ec830db2834d33dd61437ccf330ca2ad6b73e377
  SHA256: 3cc5fa1f9ed7884a08539190a1670bbe64b0e64d1d585d4c1befcf7f91960682
  SHA512: a29b8c9f0a3f354e36c805b3956f637a9024ba3df8085c20f148ee4e550603191725e40d0c784192022b637227b06d831cc83a3790cc372e94431d5685545265
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html
  Filesize: 12KB
  MD5: 33f73419b8fc156a8a5e0eee311a2639
  SHA1: 7ebd3842e080ed34f4675eea740c3e90d8db7bc2
  SHA256: 442c6bfe7c011e24f8c0bb1c0584b96cf804eb7198d4aacffa4c5f6769ff4215
  SHA512: 1f9e3a64bfc78cea57f4d9fce2ff4f9adfbe7526ef10e40eaa7cd9b8109cfa124b306f6d3be5e1a777bb604dc2c497623aa9298f580cd7e9a6e3bb9818e819ad
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html
  Filesize: 8KB
  MD5: ffbe89b376301d5a5e1602502f3a049e
  SHA1: 4fd73b0508a04073411bfb0af9f1e77a2009850a
  SHA256: fd516ab385f8dabba0da1377f5dfdc0dbdefdd224d823313eff24e8fb00c6217
  SHA512: 25807dacb22621f69dfc9b85464e566a11b6f417632c9d2dac92b5112a8495aacc5edb2938e5515a59843fe79f25b5c65a280b41fb9b0c27bfce2b4da48cfa02
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html
  Filesize: 14KB
  MD5: 138687bae4d5ae5ecd9f49d4603846b6
  SHA1: b9bd64f7c2f3a00ac7ad28d21d0f589e881eb5b5
  SHA256: aa696a838bb49ef4a6c83890ffa39424a471a84bcbc57ae86867b1f9bba3994f
  SHA512: c6b0b2a25e95a082695e658eb9086d67e2d517aed8adcb625e2b81a29887b4ae31d26cc99738703516ea9072773e06f8871b8775706aeec705f227a68fb7efa6
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html
  Filesize: 16KB
  MD5: b8723baac78bf9c17d116fe9b25c81b2
  SHA1: 7b04a048a42f9611afde747a57694574de887783
  SHA256: b8dd69bd1f86b0f1889122b8376ea78d44f0f0689945858f247975f7f72ef86c
  SHA512: 1293a9aa28b83d6912ce041db03c8ebbe3aacceadf35d8cb59827abdaedefaac868ea77452bb34730073ed3b5c9679cf73d969cc3f9bd9be207a7a306db8c46e
- C:\vcredist2010_x86.log.html
  Filesize: 82KB
  MD5: 49bacc7ad1b086513503d60a71fea01e
  SHA1: a276c0e820efc9df1cd3ac47c332e34b9fb9fb22
  SHA256: 57946013f729210ecd0edd426e48c128ee9f396e025f9984a76dc1dbbfdfdea9
  SHA512: 7f13b5b2a0ee720ef4a0091154196f26fe71b76f7491461366231d981a8cf23df7ab72d969e5163a7c3798019f49ac8d314c7e9f453d9f5aff02a2049cf0335e
- \Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
  Filesize: 984KB
  MD5: aeb2f46dc50c9fdbf3068d6010123c48
  SHA1: 9630f6b7a79efb649519983461ca73b20160fba7
  SHA256: 5666170b6f5a299df44e3d9978626686da5f51f44d422bc56154767b4e70b9f1
  SHA512: e8ce0097e3a535b1b5cdec51d36ef5a227e2a1b0d0fdb3bb8f806ec5740fe0eb3fe9813a022e86ae7d988f6b7192d30efd7e5b787084611f8f7f1489b3590811
- memory/2372-503-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/2372-755-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/2844-9-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/2844-0-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/2844-6-0x0000000002AB0000-0x0000000002B03000-memory.dmp
  Filesize: 332KB
- memory/2844-1-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB