Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/10/2024, 06:54
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
- Resource: win10v2004-20241007-en
General
- Target: 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
- Size: 639KB
- MD5: 8a2df8050fc8bdfd46a3efe7893f2951
- SHA1: de03161e09d8b8ab3c8099873db9f0d6ed7bc017
- SHA256: 7e8e9bf6ef003cf53c3f036315acb51ba792bf827aade73adf131ef95f56e9ab
- SHA512: 07e07abec0ec68a3d171b2dee064e07d0039934c586c1dff55e0c4b7b27f2f79992b06c413c3a8e2b0c76b0c9a540ca0e9fb7e793a3fa84a5a253876316bcd04
- SSDEEP: 12288:/WBasotvO7uknSY7J1o3xIamffkReBiNo+L7NSDAkiOolkV:eBasowSg1ohSkROMo+f1kZolG
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1900, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2384, process AhnSvc.exe
- Loads dropped DLL (2 IoCs)
  pid 3056, process 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe (x2)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate = "\"C:\\ProgramData\\AhnLab\\AhnSvc.exe\" /run" (process 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe)
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Suspicious use of SetThreadContext (1 IoC)
  PID 3052 set thread context of 3056 (pid 3052, process 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe, procid_target 30)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe (x2), AhnSvc.exe, cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege (pid 3056, process 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 3052, process 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe (x2); pid 2384, process AhnSvc.exe (x2)
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 3052 wrote to memory of 3056 (pid 3052, process 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe, procid_target 30) x11
  PID 3056 wrote to memory of 2384 (pid 3056, process 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe, procid_target 31) x4
  PID 3056 wrote to memory of 1900 (pid 3056, process 2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe, procid_target 32) x4
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3052
  - C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe (child of 3052)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3056
    - C:\ProgramData\AhnLab\AhnSvc.exe (child of 3056)
      Command line: "C:\ProgramData\AhnLab\AhnSvc.exe" /run
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2384
    - C:\Windows\SysWOW64\cmd.exe (child of 3056)
      Command line: "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe" >> NUL
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 1900
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 639KB
- MD5: 00eb548b5643e141f85d6538f1162f88
- SHA1: 8f7827f2f96b9677196656e0fe47ca19b72114ef
- SHA256: 2b05d140fbd1ece5314be2b8f2285545565cdb798cee3f26d5aa072dbe98c6b5
- SHA512: 1bc815182f10fe1c1acc9d51ecf436b47b99bcd5b4bdb808b985addb7f3f77eaa52487e3df3b68c41fb9e1c86efbf641bfbe5d24eb712f424cc5801d6780d90c