Resubmissions

26/09/2022, 21:37

220926-1gt65sdbcq 10

26/09/2022, 21:31

220926-1c217acad8 1

Analysis

  • max time kernel
    583s
  • max time network
    588s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/09/2022, 21:37

General

  • Target

    8bac7df54648d64d943b80706db9de86ec5787d7cf3b330e860972568d100c4e.zip

  • Size

    293KB

  • MD5

    21f42191d0705e7d21a3631cfcb9696d

  • SHA1

    28b46f4b6b3431e70b42fd9077152e892bfad0b5

  • SHA256

    8bac7df54648d64d943b80706db9de86ec5787d7cf3b330e860972568d100c4e

  • SHA512

    bbb2d2ad3f44c788ae132232ebabd6852f71f50b4be4dc996ec94f8a67f8165ffc0f2ab04d6f76e3806bdc59c84269d0e7efd7916efae757e08f1dd06dd852a1

  • SSDEEP

    6144:hG+4B0OYfyppAYMk7Lx7nu+S73gOINHRrAqkIE:k+YfCmytaxAl

Malware Config

Extracted

Family

icedid

Campaign

2537954433

C2

scainznorka.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Blocklisted process makes network request (9 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives (3 TTPs, 4 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (1 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\8bac7df54648d64d943b80706db9de86ec5787d7cf3b330e860972568d100c4e.zip
    1⤵
    PID:4696
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1780
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\8bac7df54648d64d943b80706db9de86ec5787d7cf3b330e860972568d100c4e\" -spe -an -ai#7zMap23490:208:7zEvent26591
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1772
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "E:\spurning\undeservinglyUnpapered.js"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""E:\spurning\flunkMuscular.cmd" ru"
      2⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\Windows\system32\rundll32.exe
        rundll32 spurning\convolving.db,#1
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        PID:3684
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
    1⤵
    PID:3204
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\spurning\undeservinglyUnpapered.js"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""E:\spurning\flunkMuscular.cmd" ru"
      2⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Windows\system32\rundll32.exe
        rundll32 spurning\convolving.db,#1
        3⤵
        PID:3992
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\spurning\flunkMuscular.cmd" "
    1⤵
    PID:3404
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\spurning\flunkMuscular.cmd
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:728
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\spurning\undeservinglyUnpapered.js"
    1⤵
    PID:3792
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2300

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3684-134-0x0000000180000000-0x0000000180009000-memory.dmp
    Filesize: 36KB

  • memory/3684-140-0x000001AF4F2E0000-0x000001AF4F2E6000-memory.dmp
    Filesize: 24KB