Analysis
max time kernel: 148s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/08/2024, 03:54

Static task: static1
Behavioral task: behavioral1
Sample: 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
Resource: win10v2004-20240802-en
General
Target: 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
Size: 701KB
MD5: 4ce45967d04ff90903c7eb800df624cf
SHA1: 1a3f3beb160652aa88b457c4459065e6be5dbb55
SHA256: 77d9ef1d64864561d053dc7e2cd982abc8a21048f21df6cd6d49661906645790
SHA512: 935d5fc6c393d091067ae7524f5af47edd5bb64debe3f3570176e754117d71c599d4f8e3d76cda9e3750f01b6dca0f69efca3009a70273c890cabd524fcad4f9
SSDEEP: 12288:37bSAcO9nmofU3f5JblvsXWhW3FPOlNTHlGvYPlP5IzC1fshUQCvLo2k:nHnmlJblvSdFP8THlhqe1kh7
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
Deletes itself 1 IoCs
pid | Process
1608 | WScript.exe
Executes dropped EXE 2 IoCs
pid | Process
2164 | fdlaunchersa.exe
2140 | fdlaunchersa.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2296 set thread context of 2720 | 2296 | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe | 83
PID 2164 set thread context of 2140 | 2164 | fdlaunchersa.exe | 94
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fdlaunchersa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fdlaunchersa.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2720 | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
2720 | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
Suspicious use of WriteProcessMemory 13 IoCs
description | pid | Process | procid_target
PID 2296 wrote to memory of 2720 | 2296 | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe | 83
PID 2296 wrote to memory of 2720 | 2296 | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe | 83
PID 2296 wrote to memory of 2720 | 2296 | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe | 83
PID 2296 wrote to memory of 2720 | 2296 | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe | 83
PID 2296 wrote to memory of 2720 | 2296 | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe | 83
PID 2164 wrote to memory of 2140 | 2164 | fdlaunchersa.exe | 94
PID 2164 wrote to memory of 2140 | 2164 | fdlaunchersa.exe | 94
PID 2164 wrote to memory of 2140 | 2164 | fdlaunchersa.exe | 94
PID 2164 wrote to memory of 2140 | 2164 | fdlaunchersa.exe | 94
PID 2164 wrote to memory of 2140 | 2164 | fdlaunchersa.exe | 94
PID 2720 wrote to memory of 1608 | 2720 | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe | 95
PID 2720 wrote to memory of 1608 | 2720 | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe | 95
PID 2720 wrote to memory of 1608 | 2720 | 2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe | 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2296
    C:\Users\Admin\AppData\Local\Temp\2024-08-29_4ce45967d04ff90903c7eb800df624cf_icedid.exe
    - Checks computer location settings
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2720
      C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\8827.vbs"
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 1608
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
  Command line: "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2164
    C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2140
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 500B
MD5: f34ef67b8a81f416090cd307be788ca4
SHA1: dc23e34cc13aae7e527fb0e6c34307f805ada9f3
SHA256: 89f922b7ba7bfffdd20aeff3615d2b8cb550699204e88b15dd1a593282692dd2
SHA512: c44ce3674d04b9c373817a48dada31bf69c1f12051f78f19a67ccddeca4587f5261a9a69c6427539151873ac6cc1b0abdb7a88bfad710c38c293afd758805ac9
-
Filesize: 43.7MB
MD5: c8629c5e9eecfa3372e2b7095db618d9
SHA1: 0b12e8b304813f7b797c8786adb0e67630f3c6d9
SHA256: 90652f5aa4dab14131da197695f734a9e8d1b357f5503904f8a8675732aedd37
SHA512: a7e7fdd465b77a024780132cbc96e4ac891e90373b60d3ba827db26d076efe53efe4f727811b97d231cc73c9f8dcac750c9ea2e796cc14bf3b32ea4ba94d3c72