Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 06/08/2024, 00:59
Static task: static1

Behavioral task: behavioral1
- Sample: 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe
- Resource: win10v2004-20240802-en
General
- Target: 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe
- Size: 1.2MB
- MD5: 6389289e278fab460b50e3812733a7e8
- SHA1: 94330496e842f4982d1aaa8828e7044020cbfe3f
- SHA256: cee9a05b97c15977e3a0ea0137a933177ee039b965488af9a315ed6af6ff0695
- SHA512: 7f5662a5285041c354b03c13591fefb20e08b26b23dc86d8f53161548ab0822b3712efdaf8edb152a3caba26a85fbec4778dd38dfe8477ea1f9c478a094031fa
- SSDEEP: 12288:Qz5opEKHx4ChrtbrRSXatB+Toklhg6K1B13qYRFQu1kVPE8CjxEnNY3wN:Qz5oPhrNrEXOBOolH1kVP5qEne3w
Malware Config
Signatures

Drops file in System32 directory (1 IoC)
  description  | ioc                             | Process
  File created | C:\Windows\SysWOW64\vpncmd.exe  | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe

Drops file in Program Files directory (1 IoC)
  description  | ioc                                                     | Process
  File created | C:\Program Files\SoftEther VPN Bridge\vpn_bridge.config | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid  | Process
  2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe
  2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe
  2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid  | Process
  2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe
  2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description                        | pid  | Process                                                              | procid_target
  PID 2412 wrote to memory of 2812   | 2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe | 32
  PID 2412 wrote to memory of 2812   | 2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe | 32
  PID 2412 wrote to memory of 2812   | 2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe | 32
  PID 2412 wrote to memory of 2812   | 2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe | 32
  PID 2812 wrote to memory of 2900   | 2812 | cmd.exe                                                              | 34
  PID 2812 wrote to memory of 2900   | 2812 | cmd.exe                                                              | 34
  PID 2812 wrote to memory of 2900   | 2812 | cmd.exe                                                              | 34
  PID 2812 wrote to memory of 2900   | 2812 | cmd.exe                                                              | 34
  PID 2900 wrote to memory of 2952   | 2900 | net.exe                                                              | 35
  PID 2900 wrote to memory of 2952   | 2900 | net.exe                                                              | 35
  PID 2900 wrote to memory of 2952   | 2900 | net.exe                                                              | 35
  PID 2900 wrote to memory of 2952   | 2900 | net.exe                                                              | 35
  PID 2412 wrote to memory of 2648   | 2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe | 36
  PID 2412 wrote to memory of 2648   | 2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe | 36
  PID 2412 wrote to memory of 2648   | 2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe | 36
  PID 2412 wrote to memory of 2648   | 2412 | 2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe | 36
  PID 2648 wrote to memory of 2552   | 2648 | cmd.exe                                                              | 38
  PID 2648 wrote to memory of 2552   | 2648 | cmd.exe                                                              | 38
  PID 2648 wrote to memory of 2552   | 2648 | cmd.exe                                                              | 38
  PID 2648 wrote to memory of 2552   | 2648 | cmd.exe                                                              | 38
  PID 2552 wrote to memory of 2580   | 2552 | net.exe                                                              | 39
  PID 2552 wrote to memory of 2580   | 2552 | net.exe                                                              | 39
  PID 2552 wrote to memory of 2580   | 2552 | net.exe                                                              | 39
  PID 2552 wrote to memory of 2580   | 2552 | net.exe                                                              | 39
Processes (process tree; the bracketed number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-06_6389289e278fab460b50e3812733a7e8_hijackloader_icedid.exe"
    PID: 2412
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net start "SoftEther VPN Bridge"
      PID: 2812
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\net.exe
        Command line: net start "SoftEther VPN Bridge"
        PID: 2900
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 start "SoftEther VPN Bridge"
          PID: 2952
          - System Location Discovery: System Language Discovery

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net stop "SoftEther VPN Server"
      PID: 2648
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop "SoftEther VPN Server"
        PID: 2552
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "SoftEther VPN Server"
          PID: 2580
          - System Location Discovery: System Language Discovery