Analysis

max time kernel:  142s
max time network: 273s
platform:         windows10-2004_x64
resource:         win10v2004-20230703-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted:        04/08/2023, 02:06
Static task:     static1
Behavioral task: behavioral1
Sample:          d.dll
Resource:        win7-20230712-en
General

Target: d.dll
Size:   527KB
MD5:    60f8d1993043c054e0ddb91e11fc184f
SHA1:   80d274ff4278baff08418d48c647c8c0604db3ab
SHA256: 09a537a7c4bed33cfb33ae7d7b5360b52e6c1396a893b67b5e71acc28e3f74c2
SHA512: 007d9ed82a9cb612882afa70f9482d078f7612e913fd6f4b351307b37c5eaaededaf5b1a2aa1ba0a2ebc48888a475b168b5ea2ad3ef1c35a883daf8ece9f795b
SSDEEP: 12288:jymcE1WefvUdDpWcc/9scDp6MGuXxGSthFLEXCRF3MK:e6fvUdDp0/9sY6MGuFoCRF3MK
Malware Config
Extracted
icedid
43832328
ospertoolsbo.com
Signatures

Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc:         C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk
  Process:     PowerShell.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  1328  PowerShell.exe
  1328  PowerShell.exe
  3416  rundll32.exe
  3416  rundll32.exe
  3416  rundll32.exe
  3416  rundll32.exe
  3416  rundll32.exe
  3416  rundll32.exe
  3416  rundll32.exe
  3416  rundll32.exe
  3312  Process not Found
  3312  Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  3416  rundll32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1328  PowerShell.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  description                          pid   Process         procid_target
  PID 1328 wrote to memory of 3416     1328  PowerShell.exe  96
  PID 1328 wrote to memory of 3416     1328  PowerShell.exe  96
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d.dll,#1
  PID: 1788

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4628

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
  "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
  PID: 1328
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" d.dll vcab /k chitos7685
      PID: 3416
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 60B
MD5:      d17fe0a3f47be24a6453e9ef58c94641
SHA1:     6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256:   96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512:   5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82