Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2024, 08:15

General

  • Target

    2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe

  • Size

    701KB

  • MD5

    e9b22be94f71a738e1cff829700b8520

  • SHA1

    3f5cf33e93c3dc7b18a69550f12b7b2888f64f9a

  • SHA256

    ae4f4218c335c6566aee6608bd56c0e84a53d3a08beec5846d79cf0aad0784f6

  • SHA512

    ae3041d0ecab807379f32533b98c5e835eb8a1683ea492504186c41ba78cc8e6a9c18bb2746c12335c74d75545ee781bcff0bc3ff688da8893a7b3019db79f2c

  • SSDEEP

    12288:q7bSAcO9nmofU3f5JblvsXWhW3FPOlNTHlGvYPlP5IzC1fshUQCvLo2k:0HnmlJblvSdFP8THlhqe1kh7

Score
9/10

Malware Config

Signatures

  • Detects executables built or packed with MPress PE compressor 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\AppData\Local\Temp\2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\2764.vbs"
        3⤵
        • Deletes itself
        PID:3816
  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
      2⤵
      • Executes dropped EXE
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\2764.vbs

    Filesize

    500B

    MD5

    f08109a35419671850cdf957caa30fdc

    SHA1

    22567ecc476e94204ae90d1faed27f7440766230

    SHA256

    85cbfb08762f04d83f6edb59eda3f1f21ae21e1cf16d332c700f007808a9e1d7

    SHA512

    d8637d66d366b413934acf3809ab51a031dd0401e7872e62e6ed2f1939c4ceb60ce5f8d5c46fcbf1e471876226bbcbcb4b04013985f7544b94fb30ede15ee7aa

  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

    Filesize

    455KB

    MD5

    c2b8829803304ac15dba39a575408446

    SHA1

    c0e5461399bfaaab65adb506cf265a8fecf05830

    SHA256

    e9df274d3a3d7c8fd87f1942137771e823385ad5da464134a4e489addde6e4fb

    SHA512

    b4a9ed1e1c7a9736bf8e8469c6853f78d18fec5babc4df7220a3ceaa9ed08d8ef5f3d8a29a8279338d03cb39aa0358dcf9645b7e81dc47cde74289d581d29e3d

  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

    Filesize

    68KB

    MD5

    6d9048a21d5bce7fd48a607765f2af5e

    SHA1

    80a11d97ba60f87ed74c160bd79e1d90d0dfdb27

    SHA256

    f58087aa9de7d622890087523dc4b1f201acf5240e37a926dd02f2cbbe1308b8

    SHA512

    5ec22d113510e69bb23e396887010424646b1166115bcb84a3c3fb63866ab7148211ea4c26f201dbf0f0767751ee0abdce896136696a1fc8890e176ad2f3e68e

  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

    Filesize

    1.8MB

    MD5

    8c3c1ff1bd28dfb5f8ce9cac5175da08

    SHA1

    c6deff82d26ce8ba49d4a744164987bb3237789d

    SHA256

    05ca9e7febefa1e2f67dce199064191dd3c81a69a7e9d77b647defa3fddfaf83

    SHA512

    1a5e4410ca6fce4c48f43b6dcb6fec9cb9e0d9625e947afe95712c07edbb8c46d1a7c4c2a36497406e6a69626ddd293036d543af81c48d0352791fe073a2a830

  • memory/2756-20-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/2756-33-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/2756-29-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/2756-27-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/4868-7-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/4868-25-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/4868-4-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/4868-2-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/4868-5-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/4868-0-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB