Analysis

  • max time kernel
    143s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/05/2024, 01:28

General

  • Target

    2024-05-18_b17f007b29bec3489eab9dd1f9b7fd6a_icedid_xiaobaminer.exe

  • Size

    2.5MB

  • MD5

    b17f007b29bec3489eab9dd1f9b7fd6a

  • SHA1

    e132a7f550fb314bc9e1eaeda7d781ee9c1752bc

  • SHA256

    4688ce4c9472819a7624da8903385b504fb85661b520b7bd5ff4b65a34321d7a

  • SHA512

    0d2e9f834363dd5e47e41a04168317ac324dca264553cbf84a203f64f442f4c1055976d845b621e604cd63fe4cd5e488aaae3a8719516dbd6c5e1bb2320cb8c6

  • SSDEEP

    49152:7bIqnzcErNNQJ1uvFYgjI45TMwwapIgThpYq:4bBLapIK6

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 6 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-18_b17f007b29bec3489eab9dd1f9b7fd6a_icedid_xiaobaminer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-18_b17f007b29bec3489eab9dd1f9b7fd6a_icedid_xiaobaminer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
      "C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"
      2⤵
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:3216

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

          Filesize

          2.5MB

          MD5

          b17f007b29bec3489eab9dd1f9b7fd6a

          SHA1

          e132a7f550fb314bc9e1eaeda7d781ee9c1752bc

          SHA256

          4688ce4c9472819a7624da8903385b504fb85661b520b7bd5ff4b65a34321d7a

          SHA512

          0d2e9f834363dd5e47e41a04168317ac324dca264553cbf84a203f64f442f4c1055976d845b621e604cd63fe4cd5e488aaae3a8719516dbd6c5e1bb2320cb8c6

        • C:\vcredist2010_x86.log.html

          Filesize

          82KB

          MD5

          81c35fe848c0383ffea47697999d08b5

          SHA1

          f8fbda7a7e4c1b5c6857cd7bacee2c6ac6e1431d

          SHA256

          4fde901666cd1657b931d5f3e6b28cfc668544c8c7a759bd5729733bb0c79147

          SHA512

          b067b7664a297e11ec94e0776a889d34f47057662a470e7a3d907e7158fa2d0ab476e4dd21c390fadd22efc27be9add81441deddb596e4005e809ca8514ab913

        • memory/2660-0-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/2660-1-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/2660-13-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/3216-354-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

        • memory/3216-493-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB