Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 06:02

General

  • Target

    2024-05-18_89e42e00a254301818f04bcd76fefffb_icedid_xiaobaminer.exe

  • Size

    7.8MB

  • MD5

    89e42e00a254301818f04bcd76fefffb

  • SHA1

    3aa475d0ad23f576088f0dad74d78f3f9cc8c419

  • SHA256

    5b72a670584e91af70c62db03fb28205b771fac2f072ea501a99014ddccb1b25

  • SHA512

    6b6cbff9e4ed3d42abc26d789574bd55c47bdee1ab9d308b5738644d49f04bfbf2003ed0581ae05e50fbaedf910ee152360c755a48f6668e4f3e109e6b53d823

  • SSDEEP

    98304:JT6tWQtZ/K0tGOFWVRuLftCTcm6Z6aLapI9:J6tWyZ/K0ttYVAATcm6Z6acI9

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 7 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-18_89e42e00a254301818f04bcd76fefffb_icedid_xiaobaminer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-18_89e42e00a254301818f04bcd76fefffb_icedid_xiaobaminer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
      "C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"
      2⤵
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:3024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

    Filesize

    6KB

    MD5

    24bed74a2a49536d75ebfd9c87d105eb

    SHA1

    ec830db2834d33dd61437ccf330ca2ad6b73e377

    SHA256

    3cc5fa1f9ed7884a08539190a1670bbe64b0e64d1d585d4c1befcf7f91960682

    SHA512

    a29b8c9f0a3f354e36c805b3956f637a9024ba3df8085c20f148ee4e550603191725e40d0c784192022b637227b06d831cc83a3790cc372e94431d5685545265

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

    Filesize

    12KB

    MD5

    33f73419b8fc156a8a5e0eee311a2639

    SHA1

    7ebd3842e080ed34f4675eea740c3e90d8db7bc2

    SHA256

    442c6bfe7c011e24f8c0bb1c0584b96cf804eb7198d4aacffa4c5f6769ff4215

    SHA512

    1f9e3a64bfc78cea57f4d9fce2ff4f9adfbe7526ef10e40eaa7cd9b8109cfa124b306f6d3be5e1a777bb604dc2c497623aa9298f580cd7e9a6e3bb9818e819ad

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

    Filesize

    8KB

    MD5

    ffbe89b376301d5a5e1602502f3a049e

    SHA1

    4fd73b0508a04073411bfb0af9f1e77a2009850a

    SHA256

    fd516ab385f8dabba0da1377f5dfdc0dbdefdd224d823313eff24e8fb00c6217

    SHA512

    25807dacb22621f69dfc9b85464e566a11b6f417632c9d2dac92b5112a8495aacc5edb2938e5515a59843fe79f25b5c65a280b41fb9b0c27bfce2b4da48cfa02

  • C:\vcredist2010_x86.log.html

    Filesize

    81KB

    MD5

    14d3a30b38fc98ff0edf7f7111193d1a

    SHA1

    16975ffadb334e485f3a6f4296f2479164fa2a98

    SHA256

    551ed26ab10ebe9c9175e3cd53dc36e61ea2b9d346b5b49cdb50d1a36569856c

    SHA512

    6f5cd3a589c61399c719ef28754aafec2b29bf2a0d372059c4b1ff9bde612b59aebdba783afc2fa1e9199cb9d588cadd4e0615f67171baf86a981d4b5ae7047a

  • \Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

    Filesize

    7.8MB

    MD5

    89e42e00a254301818f04bcd76fefffb

    SHA1

    3aa475d0ad23f576088f0dad74d78f3f9cc8c419

    SHA256

    5b72a670584e91af70c62db03fb28205b771fac2f072ea501a99014ddccb1b25

    SHA512

    6b6cbff9e4ed3d42abc26d789574bd55c47bdee1ab9d308b5738644d49f04bfbf2003ed0581ae05e50fbaedf910ee152360c755a48f6668e4f3e109e6b53d823

  • memory/2044-1-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/2044-0-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/2044-7-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/3024-10-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/3024-374-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/3024-753-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB