Analysis

Max time kernel: 143s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13/03/2024, 20:38

Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
Resource: win7-20240221-en
General

Target: 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
Size: 284KB
MD5: a1e11f3a292eef2aeac0cb063c3b0de1
SHA1: c29f5dbbdf7d524e44bb68987e60e48f5dda419c
SHA256: 95c05916fa06a693c22a4132cba139ddb32733bcd26b917e70f85c5990e99cab
SHA512: 8d52ad54ad930f28b847fd8a69b57eb9bb3f3d61222603fb4fa6fdb5625529ad3e360a598de6e54ceb24e8e745ca79de14263bc078964889bb0ce960347547ea
SSDEEP: 6144:klDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:klDx7mlHZo7HoRv177ePH
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID  | Process
  5520 | sethome7093.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Windows directory (2 IoCs)
  Description                  | IoC                                   | Process
  File opened for modification | \??\c:\windows\system\sethome7093.exe | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
  File created                 | \??\c:\windows\system\sethome7093.exe | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer start page (1 TTPs, 1 IoC)
  Description     | IoC                                                                                                                                       | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/" | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID  | Process
  4056 | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
  4056 | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  PID  | Process
  4056 | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
  4056 | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
  4056 | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
  4056 | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
  5520 | sethome7093.exe
  5520 | sethome7093.exe
  5520 | sethome7093.exe
  5520 | sethome7093.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description                   | PID  | Process                                                | procid_target
  PID 4056 wrote to memory of 5520 | 4056 | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe | 97
  PID 4056 wrote to memory of 5520 | 4056 | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe | 97
  PID 4056 wrote to memory of 5520 | 4056 | 2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe | 97
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe"
  PID: 4056
  Signatures:
    - Drops file in Windows directory
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  Level 2 (child of PID 4056): \??\c:\windows\system\sethome7093.exe
    Command line: c:\windows\system\sethome7093.exe
    PID: 5520
    Signatures:
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk
  Filesize: 1KB
  MD5: 35570097426f208b5bef45704edab996
  SHA1: 842cec71e6c57a19ec4ed636b575c3d59ae77aa5
  SHA256: 1d6d5fb63918b49aa260c912e154746dada7cacd41f40e204646e05baf5c8f66
  SHA512: 28e0807a8b512a68ecc64ba1e5dc27ac2486338bcb847b7565a765dd1c6ef6f857c08a50494ca36fc8f85051c9597da600c957e1ae51e87803ce16f01a7d6532

(file name not present in the report)
  Filesize: 1KB
  MD5: 895f6d1d9a73fbc2992afdf5cc31695d
  SHA1: 6d429e1ed7257d6a2abb434b4c2477624d4fdd3e
  SHA256: 5a41c9c1fda6a6f1ebcab5dc4432f50a8e66d6ff267e59a2d89e0279bc64b6fd
  SHA512: 024c62c12709e0b96e3c97f734397c4e1a37d6db80c8aedf72abf6f0c0c8b83ee379005c5ca0fa6704ee23a900d50323da4fd23fb6a88ba65f46b22c78fbabd8

(file name not present in the report)
  Filesize: 284KB
  MD5: 13c3f00f07f2243492584bc056e35196
  SHA1: 870f183792e1912fc70a68243c6dbade1b187360
  SHA256: dfcb3bb057bb67aca19b86b15a1c6d231e6d8d157b2c434f4622baf5483c56e0
  SHA512: 7ca31088acce75e09446a29ecee4e07e639b3cf5094abf6e2015bf2856c12e77e12fcf68bd5b06ab263d407b234b126d91fc1aad4809d6d9cc15d2dfb3f9fdd6