Analysis
- max time kernel: 141s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/10/2023, 19:33
Static task: static1
Behavioral task: behavioral1
- Sample: 2023-08-27_57f59bc5b7de1c9ca37bb525f41c6dea_icedid_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 2023-08-27_57f59bc5b7de1c9ca37bb525f41c6dea_icedid_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: 2023-08-27_57f59bc5b7de1c9ca37bb525f41c6dea_icedid_JC.exe
- Size: 2.1MB
- MD5: 57f59bc5b7de1c9ca37bb525f41c6dea
- SHA1: 708c3378a8dee003bf89fe06cb7989c7ebc10556
- SHA256: ec684bc95c150fadd902ee9ab8620e3e0392d32a652adb3c25665b599ef85376
- SHA512: 43c3dbbf870496d1072cc1362753259eaffc2e759af116f51e35804efa76a9b27b56ac5593d8ec7fbe62e2095164cd7c808b40b19ef265e30e97c7694601e7ba
- SSDEEP: 49152:nZggjeg1R8I9nAdCQQnfVNX7T4ZRWrbd:ff38I9ZfnfVNX7mRWXd
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation
  Process: 2023-08-27_57f59bc5b7de1c9ca37bb525f41c6dea_icedid_JC.exe
- Executes dropped EXE (1 IoC)
  pid: 892
  Process: DouTuDaShi.exe
- Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files (x86)\DouTu\DouTuDaShi.exe
  Process: 2023-08-27_57f59bc5b7de1c9ca37bb525f41c6dea_icedid_JC.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid: 1496
  pid_target: 892
  Process: WerFault.exe
  procid_target: 87
- Modifies Internet Explorer settings (4 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\360.com
  Process: DouTuDaShi.exe
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\360.com\NumberOfSubdomains = "1"
  Process: DouTuDaShi.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\DOMStorage\360.com
  Process: DouTuDaShi.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage
  Process: DouTuDaShi.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid: 1304, Process: 2023-08-27_57f59bc5b7de1c9ca37bb525f41c6dea_icedid_JC.exe (4 entries)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid: 1304, Process: 2023-08-27_57f59bc5b7de1c9ca37bb525f41c6dea_icedid_JC.exe (2 entries)
  pid: 892, Process: DouTuDaShi.exe (4 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1304 wrote to memory of 892
  pid: 1304
  Process: 2023-08-27_57f59bc5b7de1c9ca37bb525f41c6dea_icedid_JC.exe
  procid_target: 87
  (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2023-08-27_57f59bc5b7de1c9ca37bb525f41c6dea_icedid_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023-08-27_57f59bc5b7de1c9ca37bb525f41c6dea_icedid_JC.exe"
  PID: 1304
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\DouTu\DouTuDaShi.exe
    Command line: "C:\Program Files (x86)\DouTu\DouTuDaShi.exe"
    PID: 892
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 2656
      PID: 1496
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 892 -ip 892
  PID: 5044
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
  MD5: 1348b2ee09b0b51707a2769dfe85e15a
  SHA1: 3c3542933f37bfec4cbe7b939f659548655258bd
  SHA256: 653c229856a8ff5c7f847b0f9da94853330aa3f97a23a5cabb324682909cd091
  SHA512: 676567c5427b56dfe585ebdb628993564e9be00ce995e17cb536339914bff2cdd86f403a73b1f277e2d13048cdd89b11d129ad79c24e7e68d1a71cb3c853e717