Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/04/2024, 14:12

General

  • Target

    2024-04-15_6368f5120dd08ba12a494ab4fe5639c6_icedid_virut.exe

  • Size

    622KB

  • MD5

    6368f5120dd08ba12a494ab4fe5639c6

  • SHA1

    b4f826114fc006592ad451481888865ee1487ac0

  • SHA256

    b967108e603c58ac5814ca8c0813d9f8486fee701d68e2950f10a6c799918ea7

  • SHA512

    daf9f9c79eb2044660307e338e5c491559abf7a3763d7b34864fc12e879cdbb9703eac8883f0fa50382f864f9e0bfbe48a75b8468cc2cf4b147cef25dd592759

  • SSDEEP

    12288:S0IH9lhso5uVYjw2qD1o4Z+Xkajlk9Vuo:QH9rKYs2qD1taji9L

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1368
      • C:\Users\Admin\AppData\Local\Temp\2024-04-15_6368f5120dd08ba12a494ab4fe5639c6_icedid_virut.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-04-15_6368f5120dd08ba12a494ab4fe5639c6_icedid_virut.exe"
        2⤵
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Users\Admin\AppData\Local\Temp\2024-04-15_6368f5120dd08ba12a494ab4fe5639c6_icedid_virut.exe
          "C:\Users\Admin\AppData\Local\Temp\2024-04-15_6368f5120dd08ba12a494ab4fe5639c6_icedid_virut.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:1772

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

      Filesize

      14KB

      MD5

      133d29868ee17907b71b08517b96bc5b

      SHA1

      f89b24866fe73f010ee6c1a3161f02685fc40d68

      SHA256

      9cee27b57a3d100c2cb4c19310bb0c7ad97a16cd4bd61a03e12ce9e9db9e4a99

      SHA512

      5f695913f69d2bdfc102c16dad26716de3046ea173b886afab58ce1bf1a5b26e1423b8b7051cbfce03b76c75800cedc4107174bd1b2648415928739e74ef6142

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

      Filesize

      12KB

      MD5

      8156706568e77846b7bfbcc091c6ffeb

      SHA1

      792aa0db64f517520ee8f745bee71152532fe4d2

      SHA256

      5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

      SHA512

      8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

      Filesize

      8KB

      MD5

      7757fe48a0974cb625e89012c92cc995

      SHA1

      e4684021f14053c3f9526070dc687ff125251162

      SHA256

      c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

      SHA512

      b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

    • C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

      Filesize

      451KB

      MD5

      c7371cdbe6c8d461fb0cd2b6ffff4149

      SHA1

      b14a225b802e60140e0223ad01d324e6251faedb

      SHA256

      5e98280da59d7500bb4635e55e47472301588dae5142f02c480fd1ee3bcd71a0

      SHA512

      9a452583cf04216b721eda4ac12e801e68b40c712415bddb1088b90787cec0b8c2482b6df58d19be45fbc2fbdba3a5918487238e2b43e7fcb3126639e7524aac

    • C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

      Filesize

      640KB

      MD5

      fe68d4e8d4fb91e0980ebfb53eff4841

      SHA1

      7b6b3caa3957731aa2fbf1399caf29a0bde7cdd8

      SHA256

      08c7baa09b8ff88a9af3ec44952f15ca56a42ee1406fb5c5ccb5b9ec00915103

      SHA512

      62c2eb207f5b3de8ae25a3ac75c2eb13973b0a9728a40eff073389f1ab984aef3033a7a961915ee84e6da78e576be46fefe8a606c08ce4858d3058a731fef101

    • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

      Filesize

      640KB

      MD5

      def2915c8f58eff9d0747774c2404c5d

      SHA1

      89acb0e06c62cb67346e4f6a2c40eb88f27738a7

      SHA256

      7da9e19a1f5ce6f2c732fc504961d50e835102631cd042b6f08f19c550d567f9

      SHA512

      5e078b8e08429c930450ec0b34c6713383cfe9a6e63cf2e02e6db80bf4782ba2fc1054889d8eea77eaeb8ad4a820bc9e6db193aebf2b24150536e75a8961fc42

    • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

      Filesize

      461KB

      MD5

      f59bd671a0b7cf5bfad96162b1957ca4

      SHA1

      514bf3855bdd1061c1a25809d3447663c32c4a27

      SHA256

      469f6627ae599f4fd85627e35005c1322070a1f56edb954c812cbc26bf96dca3

      SHA512

      959461f46719dcdc12e7b50fa9d4ff82d20d8deedb59dabcfef2c3815d048293992a5415e5a6e3020eb0bf73bbfb14b5ca8d01c9c0f2bb624c07b1e58d58d18a

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      451KB

      MD5

      2cdd1a660503cddd2c541750c01d3187

      SHA1

      235191bda09eb09b87bb13ae2eb0acf6de86f8f3

      SHA256

      2f570782218f27433548ea279dfcd1efeadca5264a00cc00304236f11108097d

      SHA512

      f971ced680890e617db1404a6e6e0d951bcc1917bb6ff6d6e850c7400c3d9a91966cf417347c7cee6bb7496acc7a424e68bdbf4cf6dae85d6c1ff015e673a2b0

    • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

      Filesize

      461KB

      MD5

      0b5368183ef611ba3c98471a681e4a38

      SHA1

      844ea282e2c324c61a28a313b05373b03a1089dd

      SHA256

      1b6b7ccb21074ee9b41e5fd9aedce5b7a84405ce966c065ce5cce00a667fad9b

      SHA512

      48e789e7e5dea6425df310d39b039194e2e36761fe2760e3a6ee1d9188daf797068c929eef1c717692227d3186c4fd06f3ddcd5d62b137b83afa53dbbbe26f53

    • C:\Users\Admin\AppData\Local\Temp\ose00000.exe

      Filesize

      152KB

      MD5

      50dc6c9056335edb76bff652eaa05b55

      SHA1

      c011a51b1a8011cd0e3ba07287ae6037d303f54b

      SHA256

      3872f15027a23c39f8f0ff2e9dc55bc1799b3c5aae47d39b55591eddcc534082

      SHA512

      0e44a40b255104cbd0633ef0c6485b10abbd030e2537e72f4c7dfa2551f0f09cc2897ff39724350172810a2c6954cbeae20593c00358d9975cb46a491a26eb80

    • C:\Windows\SysWOW64\runouce.exe

      Filesize

      10KB

      MD5

      d048635c68c46553bc312ea3f96e9b52

      SHA1

      076ca0deef3b5bc35dadf9bfa2160c2410c251fb

      SHA256

      56579103515b46c27ad679657d483f1bf450d47ae28f61d149d804cca7fcdc4a

      SHA512

      67a9ed6473964055fb28f15e8166d72a446701662bc3355a74a0593fe7695ab0c5f62ff26ef9f23ee77128e91bdf0d1a5121b3b9d382aa689d80b78bab107cba

    • C:\vcredist2010_x86.log.html

      Filesize

      81KB

      MD5

      5ff48b840106c89dbb26d759660daaf2

      SHA1

      77f5162a4f1a76354e579447f91ad4b6fd5a3878

      SHA256

      f97e4620387385acc10c8a87256f6284fd09ff52e97b183b57af787220d7da3c

      SHA512

      15ec6dc2cef26e2ae77c39ef9995e4d7848c4f32aca0fa7fcc20e8c32b0104faa56f8d891b7d575ac1b35064dbfca2e8aa85bbc37f66323a895f2264ecee0b51

    • memory/1368-14-0x0000000002640000-0x0000000002641000-memory.dmp

      Filesize

      4KB

    • memory/1368-15-0x0000000002640000-0x0000000002641000-memory.dmp

      Filesize

      4KB

    • memory/1968-0-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB