Analysis
- max time kernel: 148s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 29/08/2024, 03:54
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
- Resource: win10v2004-20240802-en
General
- Target: 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
- Size: 701KB
- MD5: 4ce45967d04ff90903c7eb800df624cf
- SHA1: 1a3f3beb160652aa88b457c4459065e6be5dbb55
- SHA256: 77d9ef1d64864561d053dc7e2cd982abc8a21048f21df6cd6d49661906645790
- SHA512: 935d5fc6c393d091067ae7524f5af47edd5bb64debe3f3570176e754117d71c599d4f8e3d76cda9e3750f01b6dca0f69efca3009a70273c890cabd524fcad4f9
- SSDEEP: 12288:37bSAcO9nmofU3f5JblvsXWhW3FPOlNTHlGvYPlP5IzC1fshUQCvLo2k:nHnmlJblvSdFP8THlhqe1kh7
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2576, Process WScript.exe
- Executes dropped EXE (2 IoCs)
  pid 2388, Process fdlaunchersa.exe
  pid 1520, Process fdlaunchersa.exe
- Loads dropped DLL (3 IoCs)
  pid 2388, Process fdlaunchersa.exe
  pid 2388, Process fdlaunchersa.exe
  pid 1520, Process fdlaunchersa.exe
- Suspicious use of SetThreadContext (2 IoCs)
  PID 3032 set thread context of 1200 (pid 3032, Process 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe, procid_target 30)
  PID 2388 set thread context of 1520 (pid 2388, Process fdlaunchersa.exe, procid_target 32)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe (Process 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe (Process 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process fdlaunchersa.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process fdlaunchersa.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process WScript.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1200, Process 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  PID 3032 wrote to memory of 1200 (pid 3032, Process 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe, procid_target 30): 9 entries
  PID 2388 wrote to memory of 1520 (pid 2388, Process fdlaunchersa.exe, procid_target 32): 9 entries
  PID 1200 wrote to memory of 2576 (pid 1200, Process 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe, procid_target 33): 7 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe"
  PID: 3032
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe (depth 2)
    PID: 1200
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe (depth 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\7272.vbs"
      PID: 2576
      - Deletes itself
      - System Location Discovery: System Language Discovery
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe"
  PID: 2388
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe (depth 2)
    PID: 1520
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 500B
  MD5: f34ef67b8a81f416090cd307be788ca4
  SHA1: dc23e34cc13aae7e527fb0e6c34307f805ada9f3
  SHA256: 89f922b7ba7bfffdd20aeff3615d2b8cb550699204e88b15dd1a593282692dd2
  SHA512: c44ce3674d04b9c373817a48dada31bf69c1f12051f78f19a67ccddeca4587f5261a9a69c6427539151873ac6cc1b0abdb7a88bfad710c38c293afd758805ac9
- Filesize: 43.7MB
  MD5: c8629c5e9eecfa3372e2b7095db618d9
  SHA1: 0b12e8b304813f7b797c8786adb0e67630f3c6d9
  SHA256: 90652f5aa4dab14131da197695f734a9e8d1b357f5503904f8a8675732aedd37
  SHA512: a7e7fdd465b77a024780132cbc96e4ac891e90373b60d3ba827db26d076efe53efe4f727811b97d231cc73c9f8dcac750c9ea2e796cc14bf3b32ea4ba94d3c72