Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
21-05-2024 08:05
Behavioral task
behavioral1
Sample
202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exe
-
Size
1.4MB
-
MD5
1e670827fcd92d3066bb1971bfac9af1
-
SHA1
091f0a7d5b1d123c34fd9275f6192406d600992f
-
SHA256
2bfb9ce960038630e44ffd5439a1be605ca310b9894210ba5f81cd272a2e6d5d
-
SHA512
fef0cd40ee6231f63cc87eb7dbe3f402da0bbd570da6c5adb402ecf2509617f3925c57a4c10af8643321d3f054948bbddcf3d85e4de74b5561810f59fda0eceb
-
SSDEEP
24576:72NyN1Z3jc1VCrulw6ZDKPlrc8a/w0Tkm3NCdBTNsf5jcAkSYqyEmpKI:728NnzcErpEmdY8b0TN3NCLTgpYqg
Malware Config
Signatures
-
Detect Blackmoon payload 8 IoCs
Processes:
resource yara_rule behavioral1/memory/1648-1-0x0000000000400000-0x0000000000455000-memory.dmp family_blackmoon behavioral1/memory/1648-0-0x0000000000400000-0x0000000000455000-memory.dmp family_blackmoon \Windows\360\360Safe\deepscan\ZhuDongFangYu.exe family_blackmoon behavioral1/memory/2292-9-0x0000000000400000-0x0000000000455000-memory.dmp family_blackmoon behavioral1/memory/2292-10-0x0000000000400000-0x0000000000455000-memory.dmp family_blackmoon behavioral1/memory/1648-8-0x0000000000400000-0x0000000000455000-memory.dmp family_blackmoon behavioral1/memory/2292-374-0x0000000000400000-0x0000000000455000-memory.dmp family_blackmoon behavioral1/memory/2292-752-0x0000000000400000-0x0000000000455000-memory.dmp family_blackmoon -
Processes:
ZhuDongFangYu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZhuDongFangYu.exe -
Adds policy Run key to start application 2 TTPs 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" ZhuDongFangYu.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" ZhuDongFangYu.exe -
Drops file in Drivers directory 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts ZhuDongFangYu.exe -
Executes dropped EXE 1 IoCs
Processes:
ZhuDongFangYu.exepid process 2292 ZhuDongFangYu.exe -
Loads dropped DLL 1 IoCs
Processes:
202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exepid process 1648 202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZhuDongFangYu = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" ZhuDongFangYu.exe -
Processes:
ZhuDongFangYu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZhuDongFangYu.exe -
Drops autorun.inf file 1 TTPs 6 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
ZhuDongFangYu.exedescription ioc process File opened for modification C:\autorun.inf ZhuDongFangYu.exe File created D:\autorun.inf ZhuDongFangYu.exe File opened for modification D:\autorun.inf ZhuDongFangYu.exe File created F:\autorun.inf ZhuDongFangYu.exe File opened for modification F:\autorun.inf ZhuDongFangYu.exe File created C:\autorun.inf ZhuDongFangYu.exe -
Drops file in System32 directory 64 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File created C:\Windows\SysWOW64\LocationNotifications.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\RMActivate.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\migwiz\mighost.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\migwiz\migwiz.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\more.com ZhuDongFangYu.exe File created C:\Windows\SysWOW64\chkntfs.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\eudcedit.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\finger.exe ZhuDongFangYu.exe File created C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\fsquirt.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\IME\shared\IMEPADSV.EXE ZhuDongFangYu.exe File created C:\Windows\SysWOW64\ntkrnlpa.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\raserver.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\subst.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\gpscript.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\iscsicpl.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\label.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\MRINFO.EXE ZhuDongFangYu.exe File created C:\Windows\SysWOW64\msra.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\user.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\wowreg32.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\wscript.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\wbem\WinMgmt.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\rdrleakdiag.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\sc.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\wsmprovhost.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\cttunesvr.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\dialer.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\icsunattend.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\nslookup.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\rasautou.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\dllhost.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\dpnsvr.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\efsui.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\msdt.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\runas.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\timeout.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\wimserv.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\wbem\WMIADAP.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\msfeedssync.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\mtstocom.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\ocsetup.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\credwiz.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\cscript.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\fsutil.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\gpupdate.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\hdwwiz.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\sbunattend.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\setupSNK.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\setupugc.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\mode.com ZhuDongFangYu.exe File created C:\Windows\SysWOW64\w32tm.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\cttune.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\ndadmin.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\rundll32.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\SearchFilterHost.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\SetIEInstalledDate.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\dcomcnfg.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\SndVol.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\vssadmin.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\dccw.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\Dism.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\odbcad32.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\xwizard.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\tree.com ZhuDongFangYu.exe -
Drops file in Program Files directory 64 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\sidebar.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe ZhuDongFangYu.exe File created C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM ZhuDongFangYu.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\README.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe ZhuDongFangYu.exe File created C:\Program Files\Windows Media Player\wmpnetwk.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html ZhuDongFangYu.exe File created C:\Program Files\Windows Photo Viewer\ImagingDevices.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\sidebar.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\picturePuzzle.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Mail\wabmig.exe ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\cpu.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM ZhuDongFangYu.exe -
Drops file in Windows directory 64 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7601.17514_none_a54b31331066c8e2\Dxpserver.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehshell_31bf3856ad364e35_6.1.7600.16385_none_95955bd51390781b\ehshell.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_a0cf62efee3228a3\wabmig.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_177a088436382a34\WMIADAP.exe ZhuDongFangYu.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_wpf-presentationhostexe_31bf3856ad364e35_6.2.7601.17514_none_96490604d588c19b\PresentationHost.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_aeae15a0d7fc043a\settings.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-15.htm ZhuDongFangYu.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-m..diagnostic-schedule_31bf3856ad364e35_6.1.7601.17514_none_f1fca1ab90570e8a\MdSched.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-rpc-ping_31bf3856ad364e35_6.1.7600.16385_none_f9aeffb75a698a7f\RpcPing.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a_rasautou.exe_477abe34 ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16428_none_856219b9f734bb75\iexplore.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-security-secedit_31bf3856ad364e35_6.1.7600.16385_none_aebd843e13122315\SecEdit.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_6.1.7601.17514_none_28c78887678afbb1\mip.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\poqexec.exe ZhuDongFangYu.exe File opened for modification C:\Windows\Fonts\GlobalSansSerif.CompositeFont ZhuDongFangYu.exe File created C:\Windows\ehome\loadmxf.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_6.1.7600.16385_none_63dee2821fc69fce\bridgeunattend.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_6.1.7601.17514_none_e2a1ffe0ca40cff2\recdisc.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-winver_31bf3856ad364e35_6.1.7600.16385_none_12466fe3b629e036\winver.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_6.1.7601.17514_none_c1fead4e4bf85947\IMTCPROP.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-convert_31bf3856ad364e35_6.1.7601.17514_none_9edcb4a706944d0a\autoconv.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.1.7600.16385_none_3575d2dc8edf4a22\diskcopy.com ZhuDongFangYu.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe ZhuDongFangYu.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..integration-support_31bf3856ad364e35_6.1.7600.16385_none_8429bbdebd38db4a\isintsup.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_6.1.7601.17514_none_e1cb175aef3b13bb\UserAccountControlSettings.exe ZhuDongFangYu.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\SMSvcHost.ni.exe ZhuDongFangYu.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe ZhuDongFangYu.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-compact_31bf3856ad364e35_6.1.7600.16385_none_55ea2c71cf438ffc\compact.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-whoami_31bf3856ad364e35_6.1.7600.16385_none_2a716ffd9b872f68\whoami.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_6.1.7601.17514_none_78875ce737927d27_sppsvc.exe_fc6922a9 ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\501.htm ZhuDongFangYu.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ComSvcConfig.ni.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-wmi-consumers_31bf3856ad364e35_6.1.7600.16385_none_a6c7190f7292676c\scrcons.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\msil_comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_bfe4d387913dbb8f\ComSvcConfig.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a5f3b7a6a481da29\settings.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-13.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_d5b4f96cdbb9a8b1\IMJPMGR.EXE ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_6.1.7601.17514_none_331c32d99bebbdac\mip.exe ZhuDongFangYu.exe File created C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe ZhuDongFangYu.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_6.1.7600.16385_none_851e6308c5b62529\msg.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_6.1.7601.17514_none_bfab9b4ba5f934f9_netiougc.exe_94123cfe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2d7749943fcc6ea3\currency.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8700586a70797a4c\flyout.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-6.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_6.1.7601.17514_none_895a2b74415ea575\DismHost.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d_printui.exe_bb673fff ZhuDongFangYu.exe File created C:\Windows\winsxs\Backup\wow64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_c8df7823424473a1_netbtugc.exe_825f4f74 ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-certutil_31bf3856ad364e35_6.1.7600.16385_none_b55b5e1094b0283d\certutil.exe ZhuDongFangYu.exe File created C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-wrp-integrity-client_31bf3856ad364e35_6.1.7600.16385_none_8733bee404f7386c\sfc.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\msil_addinutil_b77a5c561934e089_6.1.7601.17514_none_1a816bc7556b71eb\AddInUtil.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-13.htm ZhuDongFangYu.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-s..estartup-fverecover_31bf3856ad364e35_6.1.7600.16385_none_ab0552bceeca5a61\BdeUnlockWizard.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7\dllhost.exe ZhuDongFangYu.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exeZhuDongFangYu.exedescription pid process Token: SeDebugPrivilege 1648 202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exe Token: SeDebugPrivilege 2292 ZhuDongFangYu.exe Token: 33 2292 ZhuDongFangYu.exe Token: SeIncBasePriorityPrivilege 2292 ZhuDongFangYu.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exeZhuDongFangYu.exepid process 1648 202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exe 2292 ZhuDongFangYu.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exedescription pid process target process PID 1648 wrote to memory of 2292 1648 202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exe ZhuDongFangYu.exe PID 1648 wrote to memory of 2292 1648 202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exe ZhuDongFangYu.exe PID 1648 wrote to memory of 2292 1648 202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exe ZhuDongFangYu.exe PID 1648 wrote to memory of 2292 1648 202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exe ZhuDongFangYu.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system ZhuDongFangYu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZhuDongFangYu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ZhuDongFangYu.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\202405201e670827fcd92d3066bb1971bfac9af1icedidxiaobaminer_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"2⤵
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2292
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html
Filesize6KB
MD524bed74a2a49536d75ebfd9c87d105eb
SHA1ec830db2834d33dd61437ccf330ca2ad6b73e377
SHA2563cc5fa1f9ed7884a08539190a1670bbe64b0e64d1d585d4c1befcf7f91960682
SHA512a29b8c9f0a3f354e36c805b3956f637a9024ba3df8085c20f148ee4e550603191725e40d0c784192022b637227b06d831cc83a3790cc372e94431d5685545265
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html
Filesize12KB
MD533f73419b8fc156a8a5e0eee311a2639
SHA17ebd3842e080ed34f4675eea740c3e90d8db7bc2
SHA256442c6bfe7c011e24f8c0bb1c0584b96cf804eb7198d4aacffa4c5f6769ff4215
SHA5121f9e3a64bfc78cea57f4d9fce2ff4f9adfbe7526ef10e40eaa7cd9b8109cfa124b306f6d3be5e1a777bb604dc2c497623aa9298f580cd7e9a6e3bb9818e819ad
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html
Filesize8KB
MD5ffbe89b376301d5a5e1602502f3a049e
SHA14fd73b0508a04073411bfb0af9f1e77a2009850a
SHA256fd516ab385f8dabba0da1377f5dfdc0dbdefdd224d823313eff24e8fb00c6217
SHA51225807dacb22621f69dfc9b85464e566a11b6f417632c9d2dac92b5112a8495aacc5edb2938e5515a59843fe79f25b5c65a280b41fb9b0c27bfce2b4da48cfa02
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html
Filesize16KB
MD5b8723baac78bf9c17d116fe9b25c81b2
SHA17b04a048a42f9611afde747a57694574de887783
SHA256b8dd69bd1f86b0f1889122b8376ea78d44f0f0689945858f247975f7f72ef86c
SHA5121293a9aa28b83d6912ce041db03c8ebbe3aacceadf35d8cb59827abdaedefaac868ea77452bb34730073ed3b5c9679cf73d969cc3f9bd9be207a7a306db8c46e
-
Filesize
81KB
MD5f2487f9eec6279dd652b36118b3b9b01
SHA18835bfd62bc418eeadd0f2dbae89cdbff9340264
SHA2566a6a69296e0a728868c56ad8be26fd04da47d9529518a38f21fd864e33b3f3de
SHA512a560c5f5c8223fc96dffaa9de06620e1f04332a054739460eac5b6ea9db4dc6a60edde9beef652159ad117484a673504262d8fb05cad8e8015e022863d1836cd
-
Filesize
1.4MB
MD51e670827fcd92d3066bb1971bfac9af1
SHA1091f0a7d5b1d123c34fd9275f6192406d600992f
SHA2562bfb9ce960038630e44ffd5439a1be605ca310b9894210ba5f81cd272a2e6d5d
SHA512fef0cd40ee6231f63cc87eb7dbe3f402da0bbd570da6c5adb402ecf2509617f3925c57a4c10af8643321d3f054948bbddcf3d85e4de74b5561810f59fda0eceb