Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 06/03/2024, 15:36
Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-06_5ef445daa7878ac15623e8178961a6b3_icedid.exe
Resource: win7-20240220-en
General
Target: 2024-03-06_5ef445daa7878ac15623e8178961a6b3_icedid.exe
Size: 284KB
MD5: 5ef445daa7878ac15623e8178961a6b3
SHA1: 448ce6eccda4e14884c9b7cfc8fd70819e2ff132
SHA256: 692c60c6e3f7efd735d067978145e67f74292c239dfa3788038299eb359337d3
SHA512: a834426e45d47a45303ed069e313dd7a9543148275642ac1e101dbf97b48f129f172c2571b46163be5e69874ce6a26c49b3e944c028cd3da4cdccbc7486b7e88
SSDEEP: 6144:blDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:blDx7mlHZo7HoRv177ePH
Malware Config: none extracted. The "icedid" tag is only part of the submitted filename; nothing on this page ties the observed behaviour to an IcedID configuration, so treat the signatures below on their own merits.
Signatures
(PID 2268 = 2024-03-06_5ef445daa7878ac15623e8178961a6b3_icedid.exe, the submitted sample; PID 2464 = sethome8072.exe, the dropped file)

Executes dropped EXE (1 IoC)
  PID 2464  sethome8072.exe

Loads dropped DLL (2 IoCs)
  PID 2268  2024-03-06_5ef445daa7878ac15623e8178961a6b3_icedid.exe  (2 entries)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Windows directory (2 IoCs)
  File created:               \??\c:\windows\system\sethome8072.exe  by PID 2268
  File opened for modification: \??\c:\windows\system\sethome8072.exe  by PID 2268

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer start page (1 TTP, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"  by PID 2268

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2268  2024-03-06_5ef445daa7878ac15623e8178961a6b3_icedid.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  PID 2268  2024-03-06_5ef445daa7878ac15623e8178961a6b3_icedid.exe  (4 entries)
  PID 2464  sethome8072.exe  (4 entries)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2268 (2024-03-06_5ef445daa7878ac15623e8178961a6b3_icedid.exe) wrote to memory of PID 2464, procid_target 30  (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-03-06_5ef445daa7878ac15623e8178961a6b3_icedid.exe  (PID 2268)
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-06_5ef445daa7878ac15623e8178961a6b3_icedid.exe"
   - Loads dropped DLL
   - Drops file in Windows directory
   - Modifies Internet Explorer start page
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\system\sethome8072.exe  (PID 2464, child of PID 2268)
      command line: c:\windows\system\sethome8072.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
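The three behaviours that matter most for hunting here (a user-profile process writing an executable under C:\Windows, the same process rewriting the IE Start Page value, and the dropped file then being launched as its child) can be turned into correlation rules rather than single-artifact matches. The block below is an added example and not part of the tria.ge report: it replays the chain from the process tree above as constructed Sysmon-style events (event IDs 1, 11 and 13; the field names, the SID and the two benign noise events are assumptions, not the report's format), runs three rules over them, and then checks the generic findings against the two hard IoCs the report records (the dropped path and the baiduo.org start page).

```python
import re

# --- Hard IoCs copied from the Signatures section of the report above ---
DROPPED_EXE = r"c:\windows\system\sethome8072.exe"
START_PAGE_URL = "http://www.baiduo.org/"
START_PAGE_KEY = r"\software\microsoft\internet explorer\main\start page"

# --- Constructed Sysmon-style events (illustration only; field names and the
#     SID are assumptions). 1 = process create, 11 = file create,
#     13 = registry value set. The last two events are benign noise. ---
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-06_5ef445daa7878ac15623e8178961a6b3_icedid.exe"
DROPPED = r"C:\Windows\system\sethome8072.exe"
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
START_PAGE_FULL = "HKU\\" + SID + r"\Software\Microsoft\Internet Explorer\Main\Start Page"

EVENTS = [
    {"id": 11, "pid": 2268, "image": SAMPLE, "target": DROPPED},
    {"id": 13, "pid": 2268, "image": SAMPLE, "key": START_PAGE_FULL,
     "data": "http://www.baiduo.org/"},
    {"id": 1, "pid": 2464, "ppid": 2268, "image": DROPPED},
    # A service writing under System32 is normal and must not fire rule 1.
    {"id": 11, "pid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\Tasks\Maintenance"},
    # IE itself changing its own start page is the user's doing, not rule 2.
    {"id": 13, "pid": 3100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "key": START_PAGE_FULL, "data": "https://www.example.com/"},
]


def _norm(path):
    """Case-fold a Windows path so comparisons survive mixed-case logging."""
    return path.lower()


def _from_user_profile(image):
    """True when the acting process runs from a user's AppData tree (Temp etc.)."""
    return re.match(r"c:\\users\\[^\\]+\\appdata\\", _norm(image)) is not None


def detect(events):
    """Apply three rules derived from the report's Signatures and return
    (rule, pid, detail) tuples in event order.

    Rule 1: a user-profile process creates a file under C:\\Windows\\.
    Rule 2: something other than iexplore.exe sets the IE Start Page value.
    Rule 3: a process is started whose image was dropped earlier in the same
            trace by its own parent (the 'Executes dropped EXE' chain).
    """
    findings = []
    dropped = {}  # normalized path -> pid that created it
    for e in events:
        if e["id"] == 11:
            target = _norm(e["target"])
            if target.startswith("c:\\windows\\") and _from_user_profile(e["image"]):
                dropped[target] = e["pid"]
                findings.append(("drops_file_in_windows_dir", e["pid"], e["target"]))
        elif e["id"] == 13:
            if _norm(e["key"]).endswith(START_PAGE_KEY) and \
                    not _norm(e["image"]).endswith("\\iexplore.exe"):
                findings.append(("modifies_ie_start_page", e["pid"], e["data"]))
        elif e["id"] == 1:
            image = _norm(e["image"])
            if image in dropped and dropped[image] == e.get("ppid"):
                findings.append(("executes_dropped_exe", e["pid"], e["image"]))
    return findings


def matches_report_iocs(findings):
    """Exact-match the generic findings against the two hard IoCs from the report."""
    hits = []
    for rule, pid, detail in findings:
        if rule == "drops_file_in_windows_dir" and _norm(detail) == DROPPED_EXE:
            hits.append(("ioc:dropped_exe", pid))
        if rule == "modifies_ie_start_page" and detail == START_PAGE_URL:
            hits.append(("ioc:start_page_url", pid))
    return hits


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print("finding:", f)
    for h in matches_report_iocs(found):
        print("ioc hit:", h)
```

Rules 1 and 2 are generic (they fire on any sample with this dropper-plus-hijack shape), while `matches_report_iocs` pins the exact artifacts from this run; keeping the two layers separate is what lets the behavioural rules keep working after the dropped filename or the hijack URL changes.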
Network
MITRE ATT&CK Enterprise v15
Downloads

1. (path not shown)
   Filesize: 965B
   MD5: ffe130a8a3ea451ea42a4ce80a108d76
   SHA1: ae4c1412cc563faa1af9cc6168eaf37ccb7bf98a
   SHA256: d865c8aa544f00b7fad8b15d14713a4a818f4d1066f0fd819d3a70fc25274175
   SHA512: 0b0115af0ac68a4f8637ae2215e17e1f0ffb904acaeec653763529ccd73f3cba6d01529b9e8037313dc96ef0f94b240c572d7efc6d52c79eb6008910e0f5d3d1

2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
   Filesize: 1KB
   MD5: e17da7d45f12a31a9a48bebaa3f79190
   SHA1: 672f5fcd657b65a9c61f04bfc12acbadad2f62d8
   SHA256: ea4f70132fa60b37b956698d067870c25d0df4032968e40e770141f024c6b0de
   SHA512: b0ba483695160948cefbe20f1acbd7c4824018b7c58813d023df34c30f2501ef4f64484553d74be9fac7d9eb5a81cd076c0b8d53c60e6439d3a3492c543bdd1b

3. (path not shown)
   Filesize: 1KB
   MD5: 97a48f9b67cd984528746800acd38533
   SHA1: 400e1d9ee2db8a89773c1f06d372168430b247f3
   SHA256: b5f52b15e5ce4004f6680c2cf3ff008e52bdf32191bbb0bdf087c5691b60f781
   SHA512: 46605a2a7f9ffec2cd215c0d7be71d20dd3b339ea00b458c13ca2d581c91e51c852c2b335d9e8a743c89cc3090fcb4b4c8580178155bfa5230268669c5bad6e3

4. (path not shown)
   Filesize: 284KB
   MD5: 1b15f91ad7d13f57a9946f1cdf0e6067
   SHA1: 8db4717266c1f72a81e92a4b3889b39458afa967
   SHA256: 37712c64a95bb219399e3904d1a3c88ce6af2d86172d583eefdf4cc92e7a307b
   SHA512: 45bdd1b4e9f8bb38135416a9839abe9fbfd5b3192ea036f9131db6884e9d7dfe839446ccfa042b9114e61f0b2e748febc5cc225d5ff3786175ec88a6191c1511