chinese_generic_botnet | 66efd841fe3f48cba194688551284c8b7b775d8dd7401b813fd879bf7b366e7f

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
Size

2.0MB
MD5

431c75b491aa7535b92c5d9c00e23675
SHA1

08f45830bc988aa234db210881c3e6a10c92cd5a
SHA256

66efd841fe3f48cba194688551284c8b7b775d8dd7401b813fd879bf7b366e7f
SHA512

6b0c1c9b8fb53261cd400a304c8d01bd0980186f26e9ec6215d7b87eeb1199321a8d3043757ec31047d72c05c656f2c3b27cce6d6e0acc95ea3ed9023d0c023e
SSDEEP

49152:6X4uXjo0Zdx+3M7TF5D2n+H5cOoUao+vib4rMw:e4uTo0Zdxzs9Oobo+q8Mw

Score

10^/10

chinese_generic_botnet botnet discovery

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

Processes:

resource	yara_rule
behavioral1/memory/2784-16655-0x0000000000400000-0x0000000000549000-memory.dmp	unk_chinese_botnet
behavioral1/memory/8828-16658-0x0000000000400000-0x0000000000549000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 3 IoCs

Processes:

svchost.exeQQ.exeDhttdfv.exe

pid process

2780 svchost.exe
2784 QQ.exe
8828 Dhttdfv.exe

pid	process
2780	svchost.exe
2784	QQ.exe
8828	Dhttdfv.exe

Loads dropped DLL 3 IoCs

Processes:

2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe

pid	process
2676	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
2676	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
2676	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe

Drops file in System32 directory 1 IoCs

Processes:

Dhttdfv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Dhttdfv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 45 IoCs

Processes:

QQ.exeDhttdfv.exe

pid	process
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
8828	Dhttdfv.exe
8828	Dhttdfv.exe
2784	QQ.exe
8828	Dhttdfv.exe
2784	QQ.exe
8828	Dhttdfv.exe
2784	QQ.exe
8828	Dhttdfv.exe
2784	QQ.exe
8828	Dhttdfv.exe
2784	QQ.exe
8828	Dhttdfv.exe
2784	QQ.exe
8828	Dhttdfv.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe
2784	QQ.exe

Drops file in Program Files directory 2 IoCs

Processes:

QQ.exe

description ioc process

File created C:\Program Files (x86)\Dhttdfv.exe QQ.exe
File opened for modification C:\Program Files (x86)\Dhttdfv.exe QQ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files (x86)\Dhttdfv.exe	QQ.exe
File opened for modification	C:\Program Files (x86)\Dhttdfv.exe	QQ.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exeQQ.exeDhttdfv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhttdfv.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

Dhttdfv.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-78-f8-a0-b7-48\WpadDecisionReason = "1"	Dhttdfv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Dhttdfv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Dhttdfv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Dhttdfv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Dhttdfv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Dhttdfv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{14C447CD-CF95-48C1-AC80-963353CBF7F2}\WpadDecision = "0"	Dhttdfv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{14C447CD-CF95-48C1-AC80-963353CBF7F2}\96-78-f8-a0-b7-48	Dhttdfv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-78-f8-a0-b7-48\WpadDecisionTime = 90e0d496f406db01	Dhttdfv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-78-f8-a0-b7-48\WpadDecision = "0"	Dhttdfv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Dhttdfv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Dhttdfv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Dhttdfv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{14C447CD-CF95-48C1-AC80-963353CBF7F2}\WpadNetworkName = "Network 3"	Dhttdfv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-78-f8-a0-b7-48	Dhttdfv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{14C447CD-CF95-48C1-AC80-963353CBF7F2}\WpadDecisionReason = "1"	Dhttdfv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Dhttdfv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Dhttdfv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Dhttdfv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Dhttdfv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Dhttdfv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Dhttdfv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{14C447CD-CF95-48C1-AC80-963353CBF7F2}	Dhttdfv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{14C447CD-CF95-48C1-AC80-963353CBF7F2}\WpadDecisionTime = 90e0d496f406db01	Dhttdfv.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exesvchost.exe

pid process

2676 2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
2676 2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
2780 svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe

description	pid	process	target process
PID 2676 wrote to memory of 2780	2676	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	svchost.exe
PID 2676 wrote to memory of 2780	2676	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	svchost.exe
PID 2676 wrote to memory of 2780	2676	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	svchost.exe
PID 2676 wrote to memory of 2780	2676	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	svchost.exe
PID 2676 wrote to memory of 2784	2676	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	QQ.exe
PID 2676 wrote to memory of 2784	2676	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	QQ.exe
PID 2676 wrote to memory of 2784	2676	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	QQ.exe
PID 2676 wrote to memory of 2784	2676	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	QQ.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2780
- C:\Users\Admin\AppData\Roaming\QQ.exe
  "C:\Users\Admin\AppData\Roaming\QQ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2784

C:\Program Files (x86)\Dhttdfv.exe
"C:\Program Files (x86)\Dhttdfv.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:8828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
296KB

MD5
7460f67864161928611617d5c28dada8

SHA1
f1de37cb94fc08b4897fe89f57eff6fb07250a20

SHA256
f3c6834b83000b99f2bbef17060d8379f7519a16a6bcef1780aa06e141e57875

SHA512
f864719ecb83a9f5534edbc410361d27e036d8b6a545ef48996968893f0e258461edc96d0c48ab75890c08c146837b3a0997cf6b666d17da269d4df525eb852e

Download Submit
\Users\Admin\AppData\Roaming\QQ.exe

Filesize
940KB

MD5
b36366f4a27987d6de47887b03f29c68

SHA1
6f290bd6c132ec5c824558a29bdf75d25ced94e3

SHA256
4cc1ab70e6fd0d4441c778d40212c6e3114e14d56da85717214f8498e1c1501b

SHA512
a9441175872e88fc49482ef4707fad0e1f15a3ee1f4c74f3a2fafd3744968025d35ca61ed1905239a01df58511985e00708cdae7cb9acae4cca8b51032e02359

Download Submit
memory/2676-10-0x0000000003200000-0x0000000003349000-memory.dmp

Filesize
1.3MB

Download
memory/2676-17-0x0000000003200000-0x0000000003349000-memory.dmp

Filesize
1.3MB

Download
memory/2784-545-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-523-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-19-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2784-583-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-525-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-529-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-535-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-543-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-541-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-539-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-537-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-533-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-531-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-527-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-547-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-569-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-522-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-581-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-20-0x0000000075460000-0x00000000754A7000-memory.dmp

Filesize
284KB

Download
memory/2784-579-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-577-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-575-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-573-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-571-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-567-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-565-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-563-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-561-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-559-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-557-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-555-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-553-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-551-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-549-0x0000000002120000-0x0000000002231000-memory.dmp

Filesize
1.1MB

Download
memory/2784-16655-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/8828-16658-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download