Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/10/2024, 04:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
General
-
Target
2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe
-
Size
2.3MB
-
MD5
5736baf5cf78eb5887894c4cce25781f
-
SHA1
7e9193c8c5a8ccf1ee26c1d98cfafb8113ed82a9
-
SHA256
aa4a398bd43817f8f010e61a9cd8bbd9b0bd378db634f42376933feb169eb45a
-
SHA512
e5171b6903ea2e03efec9f37fcf5f18e3da1940ac63ac571bb81287e3ba7e70f5980382206e182bb6ec6d82b6ca5bbe0d352425641ab83820321ead6f7eba79e
-
SSDEEP
49152:RlIe3PyF7Y4UHJitsFEnyowKnvaNnuAlxsz64xucBT2+b/:RlI7M4UpiBnHwKnvaNnuAlg64xuU
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2496 EnclosureDelude.exe 2212 EnclosureDelude.exe -
Loads dropped DLL 4 IoCs
pid Process 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification \??\f:\$recycle.bin\s-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini EnclosureDelude.exe File opened for modification \??\f:\$recycle.bin\s-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini EnclosureDelude.exe -
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} regsvr32.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\ProtractSinge\SartorialTardy.exe EnclosureDelude.exe File opened for modification C:\Program Files\ProtractSinge\SartorialTardy.exe EnclosureDelude.exe File created C:\Program Files\SartorialTardy\AverHypotenuse.exe EnclosureDelude.exe File opened for modification C:\Program Files\SartorialTardy\AverHypotenuse.exe EnclosureDelude.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\SUGUZEFHWD.dll 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EnclosureDelude.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EnclosureDelude.exe -
Modifies registry class 46 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR\ = "C:\\Windows" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ = "xunlei Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID\ = "Thunder.xunlei.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ = "C:\\Windows\\SUGUZEFHWD.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\ = "Thunder 1.0 Type Library" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32\ = "C:\\Windows\\SUGUZEFHWD.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID\ = "Thunder.xunlei" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0 regsvr32.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 2496 EnclosureDelude.exe 2496 EnclosureDelude.exe 2212 EnclosureDelude.exe 2212 EnclosureDelude.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2312 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 30 PID 2336 wrote to memory of 2312 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 30 PID 2336 wrote to memory of 2312 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 30 PID 2336 wrote to memory of 2312 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 30 PID 2336 wrote to memory of 2312 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 30 PID 2336 wrote to memory of 2312 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 30 PID 2336 wrote to memory of 2312 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 30 PID 2336 wrote to memory of 2496 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 31 PID 2336 wrote to memory of 2496 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 31 PID 2336 wrote to memory of 2496 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 31 PID 2336 wrote to memory of 2496 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 31 PID 2336 wrote to memory of 2212 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 32 PID 2336 wrote to memory of 2212 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 32 PID 2336 wrote to memory of 2212 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 32 PID 2336 wrote to memory of 2212 2336 2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-14_5736baf5cf78eb5887894c4cce25781f_icedid.exe"1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Windows\SUGUZEFHWD.dll"2⤵
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2312
-
-
C:\Users\Admin\AppData\Local\Temp\EnclosureDelude.exe"C:\Users\Admin\AppData\Local\Temp\EnclosureDelude.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2496
-
-
C:\Users\Admin\AppData\Local\Temp\EnclosureDelude.exeC:\Users\Admin\AppData\Local\Temp\EnclosureDelude.exe2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2212
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD55736baf5cf78eb5887894c4cce25781f
SHA17e9193c8c5a8ccf1ee26c1d98cfafb8113ed82a9
SHA256aa4a398bd43817f8f010e61a9cd8bbd9b0bd378db634f42376933feb169eb45a
SHA512e5171b6903ea2e03efec9f37fcf5f18e3da1940ac63ac571bb81287e3ba7e70f5980382206e182bb6ec6d82b6ca5bbe0d352425641ab83820321ead6f7eba79e
-
Filesize
28KB
MD5619b4cf619eaebe531bb252e99cdd23b
SHA175131437e0039afc65aca67a7a54885b58b8054e
SHA256cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402
SHA51240a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3
-
Filesize
2.3MB
MD5aee40bc051ad8c031fb4eef90db2fa1e
SHA12d4404791b075a55a80a08c3e6067f982e55ddaa
SHA256b43d40ecd8a22011c28f16581a7df82dc69f769f09f03dc2e065202cbf8d41dc
SHA51204f6beec0f87c17ec7314b9dea5fa700f07d24137e35f188b7cd3716aa49f52e1e3cc065b7adbf10dd9651bdce79d663a50f20fa718390133025c1cc512552fa