Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-04-23...id.exe

windows7-x64

7

2024-04-23...id.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    139s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/04/2024, 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-23_4b5b2058244eaf6a55ce4dd722617fad_backswap_icedid.exe

  • Size

    2.6MB

  • MD5

    4b5b2058244eaf6a55ce4dd722617fad

  • SHA1

    a40a6ed831510ae9d19f2ac2db0fd519ebbe1691

  • SHA256

    40e2615b967c45d75abb75a0baea8d04167107c7c840096f3d4c48df4c4d14a6

  • SHA512

    9bed66c4f5d4988f49998d1e432c369eef9b4fac7279e542bf1b3537d5ceb135e4997094c15d071dde94d85149e5a23ce286c818d61b6af8cb6ba25d2358c80d

  • SSDEEP

    24576:5nWYXDaHMv6CorjqnyPQGzh0JONZejOuC+e4mOzrvxiI3ENyesg/jHLxQVIxX6LF:tl1vqjdPQRw/D4mizA0dizLrB51vQ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-23_4b5b2058244eaf6a55ce4dd722617fad_backswap_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-23_4b5b2058244eaf6a55ce4dd722617fad_backswap_icedid.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • NTFS ADS
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
      "C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2680
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s
      2⤵
        PID:1576

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
      Filesize

      642KB

      MD5

      d871f2c4088b8b4044a06352378e5f47

      SHA1

      1ac52a4fa15aaee20307c475ff0ef95351418074

      SHA256

      bfc4f31183a35555e19d2095a743129b20949acbcb5ea43a5fbfaa0b7e624bfa

      SHA512

      294a0cc0d8f89b077821ed97891dc693bdb6dd3f7b4436840f78e5663ece817cf6400d782f31ae33b8fdbbffa9c1691e2411fc9240d2100c2c1e2a4be71b2d68

      Download Submit

    • C:\WINDOWS\Media\ActiveX.ocx
      Filesize

      12B

      MD5

      b613e5924d034f357f0f41a3c6b29cda

      SHA1

      95f04f57b482d3fa9e0c9f16b43dd28cef0061ec

      SHA256

      5db9c995f6f5d82b6c1a42f6141655ef72ac30e92741812f0643b6e880626119

      SHA512

      2670961de3ce5e48906d19933050b07dcad54d0a63f5a89a22728fc04d4c91f273fe8eeeca65018773a0c33097bef9557ee6de6da8a8d3ad06d437297495765f

      Download Submit