Analysis
- max time kernel: 149s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06/04/2021, 06:25
Static task: static1
Behavioral task: behavioral1
- Sample: hostsvc.dll
- Resource: win7v20201028
General
- Target: hostsvc.dll
- Size: 63KB
- MD5: fcb6cf720c45b554c5f689fa914ffd2c
- SHA1: 4d247be7e4c3ee51c026c49dc4b9f59479e8ca77
- SHA256: ca93e1c7dc98ca126438c4772f9c3377de5f628b612fe3dc8f72709d5e5bbdb0
- SHA512: a27fb5b32662f0624be8b96aaab8e8b09933dee0c996009970d8f7348d5df2142eb23f9215c35c95640a767399dce4636122dc81e58b5cc15ff3ffa3a6a86514
Malware Config
Extracted: icedid
- 2608516171
- 234willkids.uno
Extracted: icedid
Extracted: icedid
- 478101429
- gabry4saver.website
- usser234dopper.space
- tasyateles.club
- jrburnit.website
- url_path: /news/
Signatures
- IcedID First Stage Loader (1 IoC)
  resource: behavioral2/memory/636-2-0x0000000000830000-0x0000000000837000-memory.dmp
  yara_rule: IcedidFirstLoader
- Blocklisted process makes network request (5 IoCs)
  flow  pid   Process
  25    2960  rundll32.exe
  27    2960  rundll32.exe
  28    2960  rundll32.exe
  29    2960  rundll32.exe
  31    2960  rundll32.exe
- Loads dropped DLL (2 IoCs)
  pid 2960 rundll32.exe (listed twice)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Discovers systems in the same network (1 TTP, 2 IoCs)
  pid 1580 net.exe
  pid 688 net.exe
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid 3692 ipconfig.exe
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
  pid 512 systeminfo.exe
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{D90526ED-D8D6-91B9-A7EF-C3A85104A663} (rundll32.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{D90526ED-D8D6-91B9-A7EF-C3A85104A663}\ = [value omitted] (rundll32.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 636 regsvr32.exe (listed 2 times)
  pid 2960 rundll32.exe (listed 62 times)
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  pid 3996 WMIC.exe; each of the following tokens is listed twice:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (28 IoCs; each row below is recorded twice)
  description                       pid   Process       procid_target
  PID 636 wrote to memory of 2960   636   regsvr32.exe  75
  PID 2960 wrote to memory of 3244  2960  rundll32.exe  79
  PID 3244 wrote to memory of 3868  3244  cmd.exe       81
  PID 2960 wrote to memory of 3996  2960  rundll32.exe  82
  PID 2960 wrote to memory of 3692  2960  rundll32.exe  84
  PID 2960 wrote to memory of 512   2960  rundll32.exe  86
  PID 2960 wrote to memory of 2000  2960  rundll32.exe  91
  PID 2000 wrote to memory of 3424  2000  net.exe       93
  PID 2960 wrote to memory of 3344  2960  rundll32.exe  94
  PID 2960 wrote to memory of 3328  2960  rundll32.exe  96
  PID 2960 wrote to memory of 1580  2960  rundll32.exe  98
  PID 2960 wrote to memory of 688   2960  rundll32.exe  100
  PID 2960 wrote to memory of 2564  2960  rundll32.exe  102
  PID 2564 wrote to memory of 3844  2564  net.exe       104
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\hostsvc.dll
  PID: 636
  Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\arrive_x64.tmp",update /i:"SickCash\license.dat"
    PID: 2960
    Blocklisted process makes network request; Loads dropped DLL; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp >&2
      PID: 3244
      Suspicious use of WriteProcessMemory
      - C:\Windows\system32\chcp.com
        chcp
        PID: 3868
    - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
      PID: 3996
      Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      PID: 3692
      Gathers network information
    - C:\Windows\system32\systeminfo.exe
      systeminfo
      PID: 512
      Gathers system information
    - C:\Windows\system32\net.exe
      net config workstation
      PID: 2000
      Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 config workstation
        PID: 3424
    - C:\Windows\system32\nltest.exe
      nltest /domain_trusts
      PID: 3344
    - C:\Windows\system32\nltest.exe
      nltest /domain_trusts /all_trusts
      PID: 3328
    - C:\Windows\system32\net.exe
      net view /all /domain
      PID: 1580
      Discovers systems in the same network
    - C:\Windows\system32\net.exe
      net view /all
      PID: 688
      Discovers systems in the same network
    - C:\Windows\system32\net.exe
      net group "Domain Admins" /domain
      PID: 2564
      Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 group "Domain Admins" /domain
        PID: 3844