Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
10/01/2024, 06:00
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe
-
Size
1.9MB
-
MD5
b3e86c1f0cd4d3c80b6358ba5d04a4fc
-
SHA1
31792f3ad45d997a4f75f53f735077cc47067c9c
-
SHA256
fcd959776cf1c7b86e31ac27b6bc9156f062371534fe2e7507182ae1e862da6d
-
SHA512
0210447bcb0dd2a77241feab6c79f82ecc127680707105b4fef0031edccf465ed7a2d14253e2feab171a5904080a196c0588c00ee172d51716cfd298a2908edf
-
SSDEEP
24576:bvnizplWJhtl3hUt0oOYSzfwi2p/xdHATun37YWX4+33IQkQrEH7Y7:biglPTD2p/gTunLrIM
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0008000000012248-1.dat acprotect -
Loads dropped DLL 1 IoCs
pid Process 2040 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe -
resource yara_rule behavioral1/memory/2040-3-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/files/0x0008000000012248-1.dat upx behavioral1/memory/2040-37-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2040-43-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\e: 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Common Files\System\symsrv.dll 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe File created \??\c:\program files\common files\system\symsrv.dll.000 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2580 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2040 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe 2040 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe 2040 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 468 Process not Found -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2040 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2040 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe 2040 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2040 wrote to memory of 2580 2040 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe 29 PID 2040 wrote to memory of 2580 2040 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe 29 PID 2040 wrote to memory of 2580 2040 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe 29 PID 2040 wrote to memory of 2580 2040 2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2040.log2⤵
- Opens file in notepad (likely ransom note)
PID:2580
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1020B
MD54b688abda9e171ecd8c1b6e701c2ddc5
SHA1a13fa88144f0b8e994e26d39849e39829a314dca
SHA256dd901c28d1ede23f17fae7d45bb16cd45da5931ee40e998f097a06a59fd83ffa
SHA512cfb52b36ebec24919e6990e8ff6a8dfbc018a39631d7d431cde2289c5d1fca1b8e3b39b934dbd7fe8e3fe54b76da96deca6b15b58672ed6e829c10cd7291368b
-
Filesize
661B
MD575d75ca8030f89ce67c55f6923863ceb
SHA19ff00914de259fc082889e8e23619215a330d622
SHA256d1d51a5745945183ac648fa5ed855bedc5b5a0aa6bd6b04b23fd0d6e5b99ae66
SHA5122908be2ec0ff3ffc8823ae5f02d521716e9fabdba21eaeec23bfad0389394ccb452cef6608b216fc62d26eb4322387a01b009417fd3070be525e8d58f2d57c0c
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab