Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/05/2024, 01:27

General

  • Target: 2024-05-12_b735220afb455ec8e627a893ccb38aea_floxif_icedid.exe
  • Size: 6.1MB
  • MD5: b735220afb455ec8e627a893ccb38aea
  • SHA1: 78f3f7fac4ce08454f4d5159604806cc56f8b6be
  • SHA256: 905207150940c76f045e95960381fa573f3772435162835a3f027842fee5ce21
  • SHA512: 86e733b525cad73906d5bed9fa246d3a39b1c8b882b39683fef8674e3cc78c09a7f3b72dd34d995dd2067e5df2df17e577979eec072316c8c56f654ed605e1f5
  • SSDEEP: 196608:0+csxvIHt6r0IqrX2c31lrWkhqc11RcMNXmVL:017u0PX2c31lrWa5116MFY

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 5 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-12_b735220afb455ec8e627a893ccb38aea_floxif_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-12_b735220afb455ec8e627a893ccb38aea_floxif_icedid.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Users\Admin\AppData\Local\Temp\geek64.exe
      C:\Users\Admin\AppData\Local\Temp\geek64.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://geekuninstaller.com/download/?version=1.4.8.145
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:540
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc39c46f8,0x7ffbc39c4708,0x7ffbc39c4718
          4⤵
          PID:1140
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
          4⤵
          PID:3424
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3468
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
          4⤵
          PID:3504
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
          4⤵
          PID:3408
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
          4⤵
          PID:4484
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
          4⤵
          PID:3096
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4572
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
          4⤵
          PID:1480
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
          4⤵
          PID:5072
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
          4⤵
          PID:928
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
          4⤵
          PID:4576
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,14493905858972981409,4323600733064828405,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 /prefetch:2
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3668
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3976
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\System\symsrv.dll
    Filesize: 67KB
    MD5: 7574cf2c64f35161ab1292e2f532aabf
    SHA1: 14ba3fa927a06224dfe587014299e834def4644f
    SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
    SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • C:\Program Files\Common Files\System\symsrv.dll.000
    Filesize: 175B
    MD5: 1130c911bf5db4b8f7cf9b6f4b457623
    SHA1: 48e734c4bc1a8b5399bff4954e54b268bde9d54c
    SHA256: eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
    SHA512: 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
    Filesize: 717B
    MD5: 822467b728b7a66b081c91795373789a
    SHA1: d8f2f02e1eef62485a9feffd59ce837511749865
    SHA256: af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
    SHA512: bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\154DEA943804D5660DF8712EF3E615E1
    Filesize: 503B
    MD5: c7624b1f14076e2916fd0b572c9e40c3
    SHA1: 6c598485e1155b36021764fa64f293093590f8ff
    SHA256: 34042f740b44993670bb2b57ef94c21a6c3981de00b9e0a404b832efaf3dd2d2
    SHA512: b4f4a161bef99543ee37a59814705a4b7c0a90409c22519351fa7eb2acfe237c70a6863f24ae69f7c0a54207095eaff6fe2ffac9c53c224e9426951c20508861

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
    Filesize: 192B
    MD5: ce4307858359f6a7e027ad4d39ec3d75
    SHA1: 8ebe64f9e7ff3c642a0aa92ab6cf4ef217681231
    SHA256: 75969291e489c5ce1cd30a608151231f29ec5d4655c3a9a85d8cec54ad6dc5b6
    SHA512: e52f92f70ae8ce1b7de689470e17941be64910d850bff7fe40f2989999389ae15530591db6b27d545d63cda23ee400c6a52646a590ec5c0947e766284a364663

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\154DEA943804D5660DF8712EF3E615E1
    Filesize: 548B
    MD5: 1b31ae748d0520583fbc11e574b4f112
    SHA1: 7043fed9a98827b30b7aa2ca9c8b30c7106183d8
    SHA256: 4dc67417ec68268ea209b60ab052478509620b3032a6a9a1e7c32c277db01deb
    SHA512: d9abef0c54f931d28d9cfcf02bccbfdbd2264b0e58dca81136b2786565848bcd2ebf819833b9c835896202bb5a86e4f24650be28479fda5df199ed366b628a3b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 4dc6fc5e708279a3310fe55d9c44743d
    SHA1: a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
    SHA256: a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
    SHA512: 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: c9c4c494f8fba32d95ba2125f00586a3
    SHA1: 8a600205528aef7953144f1cf6f7a5115e3611de
    SHA256: a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
    SHA512: 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 192B
    MD5: dec9aaf9910ac7e6fe35d5c104fa2b18
    SHA1: e3dd0348ab8cf07272b2a8894a6dd35d867bff4a
    SHA256: f2708ee06fd92dd37b6a6482727f617ec9a396bf9ace53741c5f9fded789f355
    SHA512: 5fc6b2d08a3861059d9d8ca4d55ea7ca52608863bd782618cbff0d17ad3550374feef185fda9c4b8a2fdfe51c4a3ce8f6179febd529078d20b91586052e36d8f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 1KB
    MD5: 8f883b91b769f8ac4663c0cffaa0f2f8
    SHA1: 646ad951470cf10e545e3a7d82ea673271664b82
    SHA256: db76aa09041fa94e9dfd527d98b55f1d0db232e8ea541090580950dc4028011c
    SHA512: 1e7a609ffb318d0e9544ba7515943a2ff76d4c8a900dc49c1f24db09642a88104aec484d0197528d1e5a272032c97bd08d33ba484410814c56540bea185a8de5

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: fe5919d85ef9cff1098175603ef548f3
    SHA1: 514778712b380147446d2e933cd1c6217d9ce55a
    SHA256: 2dda940f644d2ad35412384df8d6e370acc8f724d2958e60668b40868a21ea51
    SHA512: 7f532ac6b10d9b81a86b4ce0af156c4fac578dee119e12ce24bdb08b07745f252f754f76a219a6c923896abf76ad72163a64a0fd13940cefd1ad1e55aa62679c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: ef991a7670a1197b0018a87a7cd770d2
    SHA1: 399977ad87f630951b03139e831f47168ea86a7a
    SHA256: 66a10ba658b42751b249a5229cbcd3df9076b205b3625bf7ff258150fd69c8cb
    SHA512: aed44856f4c9fd943b128d72a9e56857834e1513f9c31855087d1688099e1311db327a8452135cb7f3a07dc02ca1ff10ac99ef2ccc430250de24ed0cc5ca4d76

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 206702161f94c5cd39fadd03f4014d98
    SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 1af98dfa9054475ef8ca4675bcdac8f0
    SHA1: 2fda68f28c26e83cfa18dc7af37175ebdf17d0b0
    SHA256: 9eaa3113205c05326cf9a7fa1581f97488cd4afb68ef6afe3a9073b40b956c87
    SHA512: 2e5025969a58a544928d2f981d7e307e95cf622e6c1a8cc3fc6de0a3bf5bd65c686c0e70d776598d72400fdaf7e6cce264c2acb7dc0ee12d9a78156374891d69

  • C:\Users\Admin\AppData\Local\Temp\geek64.exe
    Filesize: 3.3MB
    MD5: cc1f4b4b81bead2e01a0cbb65a5e388a
    SHA1: 3175cba617175e07d22b705aee27f821301a0a57
    SHA256: 07903001a8f50592d2e55900aed2d9c097a56a78989a66234a2ab74cb1d21e8c
    SHA512: 5efbe090b4fde0a48c42a0cabce9200dab9afd7535dc06e9ee1dc603b0e940a4250152815932be370e67e50aa86bd87296a88932c510fe29360b63ae842ac49c

  • memory/4088-25-0x0000000076CB0000-0x0000000076D13000-memory.dmp
    Filesize: 396KB

  • memory/4088-81-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/4088-128-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/4088-3-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/4088-133-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/4088-24-0x0000000076CC5000-0x0000000076CC6000-memory.dmp
    Filesize: 4KB

  • memory/4088-28-0x0000000076CB0000-0x0000000076D13000-memory.dmp
    Filesize: 396KB