Analysis
- max time kernel: 145s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2024, 03:49
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-10-01_7b7f19d6d192923fbd6f91878d7a9370_icedid_nymaim.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 2024-10-01_7b7f19d6d192923fbd6f91878d7a9370_icedid_nymaim.exe
- Resource: win10v2004-20240802-en
General
- Target: 2024-10-01_7b7f19d6d192923fbd6f91878d7a9370_icedid_nymaim.exe
- Size: 2.7MB
- MD5: 7b7f19d6d192923fbd6f91878d7a9370
- SHA1: d7b269bb4a6994b0e96daaaa96fe4b540136bdaf
- SHA256: de3b549c955350b574bf9074cacedb097b0a7195e065a59cf7a77295b3726fe1
- SHA512: 3b66bcb7fece93e1a8bb736931cefd9caf05e50b1751da69ec63504134b3f565c48d6ba096e38e4fcec4bbb8cfb31653710a4d9eab6c741b0db626783f93edca
- SSDEEP: 49152:MzewFQU04nOSem7VjKtnbVkjuuNw6tLf:MzB0SOStj2kF5N
Malware Config
Signatures
- Grants admin privileges (1 TTP): uses net.exe to modify the user's privileges.
- Executes dropped EXE (1 IoC): PID 3020 conhost.exe
- Loads dropped DLL (2 IoCs): PID 1200 2024-10-01_7b7f19d6d192923fbd6f91878d7a9370_icedid_nymaim.exe (two loads)
- Modifies system executable filetype association (2 TTPs, 1 IoC): regini.exe set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
- Reads user/profile data of web browsers (3 TTPs): infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Enumerates connected drives (3 TTPs, 21 IoCs): attempts to read the root path of hard drives other than the default C: drive. conhost.exe opened (read-only) \??\L:, \??\S:, \??\T:, \??\U:, \??\X:, \??\Y:, \??\Z:, \??\E:, \??\G:, \??\H:, \??\O:, \??\P:, \??\R:, \??\V:, \??\I:, \??\J:, \??\K:, \??\N:, \??\Q:, \??\W:, \??\M:
- Network Service Discovery: PID 2936 ARP.EXE
- Enumerates processes with tasklist (1 TTP, 1 IoC): PID 2084 tasklist.exe
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Permission Groups Discovery: Local Groups (1 TTP): attempts to find local system groups and permission settings.
- System Location Discovery: System Language Discovery (1 TTP, 19 IoCs): attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: net.exe (7 times), net1.exe (4 times), cmd.exe, 2024-10-01_7b7f19d6d192923fbd6f91878d7a9370_icedid_nymaim.exe, NETSTAT.EXE, ipconfig.exe, ARP.EXE, conhost.exe, tasklist.exe, systeminfo.exe
- System Network Connections Discovery (1 TTP, 1 IoC): attempts to get a listing of network connections. PID 2384 NETSTAT.EXE
- Discovers systems in the same network (1 TTP, 2 IoCs): PID 1444 net.exe, PID 1308 net.exe
- Gathers network information (2 TTPs, 2 IoCs): uses a command-line utility to view network configuration. PID 2384 NETSTAT.EXE, PID 1964 ipconfig.exe
- Gathers system information (1 TTP, 1 IoC): runs systeminfo.exe. PID 2940 systeminfo.exe
- Modifies registry class (3 IoCs): regini.exe created key \REGISTRY\MACHINE\SOFTWARE\Classes\exefile (twice) and set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs): Token SeDebugPrivilege, PID 2384 NETSTAT.EXE; Token SeDebugPrivilege, PID 2084 tasklist.exe
- Suspicious use of WriteProcessMemory (64 IoCs): source PID (process) wrote to memory of target PID, with procid_target; each of the 16 writes below is recorded four times in the log
  - 1200 (2024-10-01_7b7f19d6d192923fbd6f91878d7a9370_icedid_nymaim.exe) -> 2576, procid_target 29
  - 1200 (2024-10-01_7b7f19d6d192923fbd6f91878d7a9370_icedid_nymaim.exe) -> 3020, procid_target 32
  - 3020 (conhost.exe) -> 2728, procid_target 33
  - 3020 (conhost.exe) -> 2584, procid_target 35
  - 2584 (cmd.exe) -> 2052, procid_target 37
  - 2052 (net.exe) -> 2180, procid_target 38
  - 2584 (cmd.exe) -> 1320, procid_target 39
  - 1320 (net.exe) -> 2476, procid_target 40
  - 2584 (cmd.exe) -> 2580, procid_target 41
  - 2580 (net.exe) -> 2500, procid_target 42
  - 2584 (cmd.exe) -> 2384, procid_target 43
  - 2584 (cmd.exe) -> 2084, procid_target 44
  - 2584 (cmd.exe) -> 1964, procid_target 46
  - 2584 (cmd.exe) -> 2936, procid_target 47
  - 2584 (cmd.exe) -> 2940, procid_target 48
  - 2584 (cmd.exe) -> 2536, procid_target 50
Processes
- [PID 1200] C:\Users\Admin\AppData\Local\Temp\2024-10-01_7b7f19d6d192923fbd6f91878d7a9370_icedid_nymaim.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-01_7b7f19d6d192923fbd6f91878d7a9370_icedid_nymaim.exe"
  signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - [PID 2576] C:\Windows\SysWOW64\regini.exe
    command line: regini.exe C:\Users\Admin\AppData\Local\Temp\ppxxxx
    signatures: Modifies system executable filetype association; Modifies registry class
  - [PID 3020] C:\Users\Admin\AppData\Local\Temp\conhost.exe
    command line: C:\Users\Admin\AppData\Local\Temp\conhost.exe
    signatures: Executes dropped EXE; Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [PID 2728] C:\Windows\SysWOW64\regini.exe
      command line: regini.exe C:\Users\Admin\AppData\Local\Temp\ppxxxx
      signatures: Modifies registry class
    - [PID 2584] C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\must.bat
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - [PID 2052] C:\Windows\SysWOW64\net.exe
        command line: net user
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [PID 2180] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 user
          signatures: System Location Discovery: System Language Discovery
      - [PID 1320] C:\Windows\SysWOW64\net.exe
        command line: net localgroup administrators
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [PID 2476] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 localgroup administrators
          signatures: System Location Discovery: System Language Discovery
      - [PID 2580] C:\Windows\SysWOW64\net.exe
        command line: net start
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [PID 2500] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 start
          signatures: System Location Discovery: System Language Discovery
      - [PID 2384] C:\Windows\SysWOW64\NETSTAT.EXE
        command line: netstat -ano
        signatures: System Location Discovery: System Language Discovery; System Network Connections Discovery; Gathers network information; Suspicious use of AdjustPrivilegeToken
      - [PID 2084] C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - [PID 1964] C:\Windows\SysWOW64\ipconfig.exe
        command line: ipconfig /all
        signatures: System Location Discovery: System Language Discovery; Gathers network information
      - [PID 2936] C:\Windows\SysWOW64\ARP.EXE
        command line: arp -a
        signatures: Network Service Discovery; System Location Discovery: System Language Discovery
      - [PID 2940] C:\Windows\SysWOW64\systeminfo.exe
        command line: systeminfo
        signatures: System Location Discovery: System Language Discovery; Gathers system information
      - [PID 2536] C:\Windows\SysWOW64\net.exe
        command line: net use
        signatures: System Location Discovery: System Language Discovery
      - [PID 1444] C:\Windows\SysWOW64\net.exe
        command line: net view
        signatures: System Location Discovery: System Language Discovery; Discovers systems in the same network
      - [PID 1308] C:\Windows\SysWOW64\net.exe
        command line: net view /domain
        signatures: System Location Discovery: System Language Discovery; Discovers systems in the same network
      - [PID 2624] C:\Windows\SysWOW64\net.exe
        command line: net user /domain
        signatures: System Location Discovery: System Language Discovery
        - [PID 940] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 user /domain
          signatures: System Location Discovery: System Language Discovery
    - [PID 1228] C:\Windows\SysWOW64\regini.exe
      command line: regini.exe C:\Users\Admin\AppData\Local\Temp\ppxxxx
Network
MITRE ATT&CK Enterprise v15 (technique: number of matching signatures)
- Persistence: Account Manipulation (1); Event Triggered Execution (1); Change Default File Association (1)
- Privilege Escalation: Account Manipulation (1); Event Triggered Execution (1); Change Default File Association (1)
- Credential Access: Credentials from Password Stores (1); Credentials from Web Browsers (1); Unsecured Credentials (1); Credentials In Files (1)
- Discovery: Network Service Discovery (1); Network Share Discovery (1); Peripheral Device Discovery (1); Permission Groups Discovery (1); Local Groups (1); Process Discovery (1); Query Registry (1); Remote System Discovery (1); System Information Discovery (4); System Location Discovery (1); System Language Discovery (1); System Network Connections Discovery (1)
Downloads