Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 07:32
Behavioral task
behavioral1
Sample
2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exe
Resource
win7-20240419-en
General
-
Target
2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exe
-
Size
3.0MB
-
MD5
5c69cea1526cfd434a0285f72b1b0a6f
-
SHA1
b6376b7741b98b0d3a345b00066c7e7d9bf6adb7
-
SHA256
8d3ed905410544bcd46e7665fd25c1f1e9a5c62625844ae86e46ffff8b75bb41
-
SHA512
bba0f44407bd344686a83ef78d5276251e2572f34397c39878aed12caf35d4d802fae3efebf418c08e0c2dbcacf7540c21ddb4ba51a25faa6cba241a8b40994e
-
SSDEEP
49152:7bIqnzcErNNQJ1uvFYgjI45TMwwapIgThpYqcpYq:4bBLapIK6Z6
Malware Config
Signatures
-
Detect Blackmoon payload 9 IoCs
Processes:
resource yara_rule behavioral1/memory/1996-0-0x0000000000400000-0x0000000000453000-memory.dmp family_blackmoon behavioral1/memory/1996-1-0x0000000000400000-0x0000000000453000-memory.dmp family_blackmoon \Windows\360\360Safe\deepscan\ZhuDongFangYu.exe family_blackmoon behavioral1/memory/1996-6-0x0000000001FD0000-0x0000000002023000-memory.dmp family_blackmoon behavioral1/memory/1996-9-0x0000000000400000-0x0000000000453000-memory.dmp family_blackmoon behavioral1/memory/1912-10-0x0000000000400000-0x0000000000453000-memory.dmp family_blackmoon behavioral1/memory/1912-11-0x0000000000400000-0x0000000000453000-memory.dmp family_blackmoon behavioral1/memory/1912-505-0x0000000000400000-0x0000000000453000-memory.dmp family_blackmoon behavioral1/memory/1912-755-0x0000000000400000-0x0000000000453000-memory.dmp family_blackmoon -
Processes:
ZhuDongFangYu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZhuDongFangYu.exe -
Adds policy Run key to start application 2 TTPs 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" ZhuDongFangYu.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" ZhuDongFangYu.exe -
Drops file in Drivers directory 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts ZhuDongFangYu.exe -
Executes dropped EXE 1 IoCs
Processes:
ZhuDongFangYu.exepid process 1912 ZhuDongFangYu.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exepid process 1996 2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZhuDongFangYu = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" ZhuDongFangYu.exe -
Processes:
ZhuDongFangYu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZhuDongFangYu.exe -
Drops autorun.inf file 1 TTPs 6 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
ZhuDongFangYu.exedescription ioc process File opened for modification F:\autorun.inf ZhuDongFangYu.exe File created C:\autorun.inf ZhuDongFangYu.exe File opened for modification C:\autorun.inf ZhuDongFangYu.exe File created D:\autorun.inf ZhuDongFangYu.exe File opened for modification D:\autorun.inf ZhuDongFangYu.exe File created F:\autorun.inf ZhuDongFangYu.exe -
Drops file in System32 directory 64 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File created C:\Windows\SysWOW64\SystemPropertiesHardware.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\WSManHTTPConfig.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\more.com ZhuDongFangYu.exe File created C:\Windows\SysWOW64\mstsc.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\schtasks.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\rasphone.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\RMActivate.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\rrinstaller.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\SndVol.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\bootcfg.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\fsutil.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\sfc.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\wscript.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\format.com ZhuDongFangYu.exe File created C:\Windows\SysWOW64\chkntfs.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\ComputerDefaults.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\proquota.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\SystemPropertiesRemote.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\TRACERT.EXE ZhuDongFangYu.exe File created C:\Windows\SysWOW64\Dism\DismHost.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\Mystify.scr ZhuDongFangYu.exe File created C:\Windows\SysWOW64\comp.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\EhStorAuthn.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\tasklist.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\dnscacheugc.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\runas.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\lodctr.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\makecab.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\newdev.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\RMActivate_ssp.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\Robocopy.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\takeown.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\dcomcnfg.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\Dism.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\unregmp2.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\migwiz\migwiz.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\RegisterIEPKEYs.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\tcmsetup.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\IME\IMEJP10\IMJPDSVR.EXE ZhuDongFangYu.exe File created C:\Windows\SysWOW64\IME\IMETC10\IMTCPROP.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\regedit.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\mfpmp.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\isoburn.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\osk.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\systray.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\tree.com ZhuDongFangYu.exe File created C:\Windows\SysWOW64\colorcpl.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\diskperf.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\raserver.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\RMActivate_isv.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\taskkill.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\xpsrchvw.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\Bubbles.scr ZhuDongFangYu.exe File created C:\Windows\SysWOW64\dvdplay.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\icsunattend.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\gpupdate.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\psr.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\sdiagnhost.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\scrnsave.scr ZhuDongFangYu.exe File created C:\Windows\SysWOW64\findstr.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\fixmapi.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\SearchProtocolHost.exe ZhuDongFangYu.exe File created C:\Windows\SysWOW64\esentutl.exe ZhuDongFangYu.exe -
Drops file in Program Files directory 64 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\cpu.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Media Player\wmpconfig.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\flyout.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Media Player\setup_wm.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html ZhuDongFangYu.exe File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm ZhuDongFangYu.exe File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe ZhuDongFangYu.exe File created C:\Program Files\Windows Media Player\wmplayer.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html ZhuDongFangYu.exe File created C:\Program Files\Windows Mail\wabmig.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe ZhuDongFangYu.exe File created C:\Program Files (x86)\Windows Mail\wabmig.exe ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html ZhuDongFangYu.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html ZhuDongFangYu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html ZhuDongFangYu.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe ZhuDongFangYu.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html ZhuDongFangYu.exe -
Drops file in Windows directory 64 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process File created C:\Windows\winsxs\x86_microsoft-windows-utilman_31bf3856ad364e35_6.1.7600.16385_none_028006129290e443\Utilman.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..-deployment-package_31bf3856ad364e35_6.1.7600.16385_none_bac291589d407fde\TFTP.EXE ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-m..player-shellpreview_31bf3856ad364e35_6.1.7600.16385_none_26e76f2ac1492952\wmprph.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_21ceb2d66a98ec2f\WMIADAP.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-4.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_23376bf5921e7b63\auditpol.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_6.1.7600.16385_none_052696aea98bcefc\PING.EXE ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-10.htm ZhuDongFangYu.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe ZhuDongFangYu.exe File created C:\Windows\ehome\CreateDisc\SBEServer.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-s..opertiesperformance_31bf3856ad364e35_6.1.7600.16385_none_5aad0353642dd29f\SystemPropertiesPerformance.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-3.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_6.1.7600.16385_none_c50af05b1be3aa2b\powershell.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-net-command-line-tool_31bf3856ad364e35_6.1.7600.16385_none_5208a7a3d3caa54c\net.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-s..ropertiesprotection_31bf3856ad364e35_6.1.7600.16385_none_6388acf17dd74912\SystemPropertiesProtection.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sstext3d_31bf3856ad364e35_6.1.7601.17514_none_625ebded763bbe23\ssText3d.scr ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\currency.html ZhuDongFangYu.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\96a8bdafba9f9d3e33cd974bfaa67e58\WsatConfig.ni.exe ZhuDongFangYu.exe File created C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\misc.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_6.1.7600.16385_none_f5b8f3d6a353fa89\SnippingTool.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2d7749943fcc6ea3\currency.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\502.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-9.htm ZhuDongFangYu.exe File created C:\Windows\ehome\ehexthost.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-deviceproperties_31bf3856ad364e35_6.1.7600.16385_none_463f54aa539a0b62\DeviceProperties.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-makecab_31bf3856ad364e35_6.1.7600.16385_none_f0a5d809ca926e4f\makecab.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17514_none_6e37cb8c12652b73\ntoskrnl.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-findstr_31bf3856ad364e35_6.1.7601.17514_none_855590d1705431c5\findstr.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-wusa_31bf3856ad364e35_6.1.7601.17514_none_af07fb6876def437\wusa.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c65f31d113437677\calendar.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-4.htm ZhuDongFangYu.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-security-tools-setspn_31bf3856ad364e35_6.1.7600.16385_none_dbfa9310f7d4d925\setspn.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7600.16385_none_ce6f64032560fa6b\user.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-3.htm ZhuDongFangYu.exe File created C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe ZhuDongFangYu.exe File created C:\Windows\Speech\Common\sapisvr.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\MigAutoPlay.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-12.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-photoscreensaver_31bf3856ad364e35_6.1.7601.17514_none_6dd5e8c3b6b81894\PhotoScreensaver.scr ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7fa92a4e1adcf67f\clock.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-17.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-r..-commandline-editor_31bf3856ad364e35_6.1.7600.16385_none_8d8925a444607f8c\reg.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a\rasautou.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-wpd-shellextension_31bf3856ad364e35_6.1.7601.17514_none_6f4ef219dd693ca6\WPDShextAutoplay.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a479cd0719d5814b\cpu.html ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-1.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-13.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-1.htm ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-cttune_31bf3856ad364e35_6.1.7600.16385_none_0f797e18d8361ef2\cttune.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_722b680e4b585656\winrshost.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-p..erandprintui-pmcppc_31bf3856ad364e35_6.1.7601.17514_none_0d6fabd7def3be93\PushPrinterConnections.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7fddcd6a1ab604da\settings.html ZhuDongFangYu.exe File created C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_6.1.7600.16385_none_96421d40c0e2903e\aspnet_regbrowsers.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-taskhost_31bf3856ad364e35_6.1.7601.17514_none_8664adc870f5633a\taskhost.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-w..ion-twaincomponents_31bf3856ad364e35_6.1.7601.17514_none_8b399e33ba72bed9\twunk_16.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104\sdbinst.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81_iscsicli.exe_20e14d4f ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\chcp.com ZhuDongFangYu.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2b166002b7f51771\RSSFeeds.html ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_c79aef32ab85d92b\cmdl32.exe ZhuDongFangYu.exe File created C:\Windows\winsxs\wow64_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.5.7601.17514_none_b9a4b88eb4255dbf\wuapp.exe ZhuDongFangYu.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exeZhuDongFangYu.exedescription pid process Token: SeDebugPrivilege 1996 2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exe Token: SeDebugPrivilege 1912 ZhuDongFangYu.exe Token: 33 1912 ZhuDongFangYu.exe Token: SeIncBasePriorityPrivilege 1912 ZhuDongFangYu.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exeZhuDongFangYu.exepid process 1996 2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exe 1912 ZhuDongFangYu.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exedescription pid process target process PID 1996 wrote to memory of 1912 1996 2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exe ZhuDongFangYu.exe PID 1996 wrote to memory of 1912 1996 2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exe ZhuDongFangYu.exe PID 1996 wrote to memory of 1912 1996 2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exe ZhuDongFangYu.exe PID 1996 wrote to memory of 1912 1996 2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exe ZhuDongFangYu.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
ZhuDongFangYu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZhuDongFangYu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ZhuDongFangYu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system ZhuDongFangYu.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-24_5c69cea1526cfd434a0285f72b1b0a6f_icedid_xiaobaminer.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"2⤵
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.htmlFilesize
16KB
MD517f3bbed916ce900652433f2593ff684
SHA185d4fbf534aa8acd759a489d31e06ac27677f3a7
SHA256aa21cb6b8fd8ee6e90ecc5b858dbcbecd3a97efa1f58145a26e619c2ab457bb5
SHA51281a01663f9d577882d82744d063af5fd570ee2d98cd5f6995f3f5aedaa99b45b215ef0e081056001026f45fe79ce811bef5979ce8973df8527b1920ad2215bdf
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.htmlFilesize
6KB
MD524bed74a2a49536d75ebfd9c87d105eb
SHA1ec830db2834d33dd61437ccf330ca2ad6b73e377
SHA2563cc5fa1f9ed7884a08539190a1670bbe64b0e64d1d585d4c1befcf7f91960682
SHA512a29b8c9f0a3f354e36c805b3956f637a9024ba3df8085c20f148ee4e550603191725e40d0c784192022b637227b06d831cc83a3790cc372e94431d5685545265
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.htmlFilesize
12KB
MD533f73419b8fc156a8a5e0eee311a2639
SHA17ebd3842e080ed34f4675eea740c3e90d8db7bc2
SHA256442c6bfe7c011e24f8c0bb1c0584b96cf804eb7198d4aacffa4c5f6769ff4215
SHA5121f9e3a64bfc78cea57f4d9fce2ff4f9adfbe7526ef10e40eaa7cd9b8109cfa124b306f6d3be5e1a777bb604dc2c497623aa9298f580cd7e9a6e3bb9818e819ad
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.htmlFilesize
8KB
MD5ffbe89b376301d5a5e1602502f3a049e
SHA14fd73b0508a04073411bfb0af9f1e77a2009850a
SHA256fd516ab385f8dabba0da1377f5dfdc0dbdefdd224d823313eff24e8fb00c6217
SHA51225807dacb22621f69dfc9b85464e566a11b6f417632c9d2dac92b5112a8495aacc5edb2938e5515a59843fe79f25b5c65a280b41fb9b0c27bfce2b4da48cfa02
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.htmlFilesize
14KB
MD5138687bae4d5ae5ecd9f49d4603846b6
SHA1b9bd64f7c2f3a00ac7ad28d21d0f589e881eb5b5
SHA256aa696a838bb49ef4a6c83890ffa39424a471a84bcbc57ae86867b1f9bba3994f
SHA512c6b0b2a25e95a082695e658eb9086d67e2d517aed8adcb625e2b81a29887b4ae31d26cc99738703516ea9072773e06f8871b8775706aeec705f227a68fb7efa6
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.htmlFilesize
16KB
MD5b8723baac78bf9c17d116fe9b25c81b2
SHA17b04a048a42f9611afde747a57694574de887783
SHA256b8dd69bd1f86b0f1889122b8376ea78d44f0f0689945858f247975f7f72ef86c
SHA5121293a9aa28b83d6912ce041db03c8ebbe3aacceadf35d8cb59827abdaedefaac868ea77452bb34730073ed3b5c9679cf73d969cc3f9bd9be207a7a306db8c46e
-
C:\vcredist2010_x86.log.htmlFilesize
81KB
MD521813092d1c89f1e99bf0ce3fa25e819
SHA1ae8970e091cc722b6585f87cd4887c869ff084ef
SHA2563bd2b25bdf8d35eec3aa101b3243d0e5ee2aab25697ece275a60ab1fba966abe
SHA512cf5cc115223f21cb7ae3bd6bd51b922cd53824e7cf79e204a2076732ff8fd27bc1a6359c4c8cd9ddf8ad6590ade110b3e29911ac71e7cff8daa39db322ef97e9
-
\Windows\360\360Safe\deepscan\ZhuDongFangYu.exeFilesize
3.0MB
MD55c69cea1526cfd434a0285f72b1b0a6f
SHA1b6376b7741b98b0d3a345b00066c7e7d9bf6adb7
SHA2568d3ed905410544bcd46e7665fd25c1f1e9a5c62625844ae86e46ffff8b75bb41
SHA512bba0f44407bd344686a83ef78d5276251e2572f34397c39878aed12caf35d4d802fae3efebf418c08e0c2dbcacf7540c21ddb4ba51a25faa6cba241a8b40994e
-
memory/1912-10-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/1912-11-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/1912-505-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/1912-755-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/1996-9-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/1996-6-0x0000000001FD0000-0x0000000002023000-memory.dmpFilesize
332KB
-
memory/1996-0-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/1996-1-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB