Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/12/2024, 16:42
Static task: static1
Behavioral task: behavioral1
  Sample: core/cmd.bat
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: core/cmd.bat
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: core/hungry-.dll
  Resource: win7-20241010-en
Behavioral task: behavioral4
  Sample: core/hungry-.dll
  Resource: win10v2004-20241007-en
General
Target: core/cmd.bat
Size: 187B
MD5: f9024ea7ab8f15514c195828d99fbd8f
SHA1: fd6647533ddd5dc904c88e57e8c00101d8636863
SHA256: 9772b3d6906d3c7a2ec38a5b14da55bd9e744ec4359f601da5eeba013bbda65b
SHA512: a0f837d981c592ca4d39b34997e3c97b4189ffeb9fe10a90ed488c3c8ac6dadbf08cca360edce2ee2a009ed64624db4533fe88e71753da59082878a1204237ae
Malware Config
Extracted
  icedid
Extracted
  icedid
  3984935437
  footballer.bid
  2kilozhiraffe.club
  aristomosuga.top
  viryigamaps.top
  auth_var: 3
  url_path: /news/
Signatures
Icedid family
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2672  rundll32.exe   (64 identical entries)
Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process  procid_target
  PID 3068 wrote to memory of 2672    3068  cmd.exe  31   (3 identical entries)
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c "C:\Users\Admin\AppData\Local\Temp\core\cmd.bat"
   PID: 3068
   Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\core\hungry-.tmp,update /i:"license.dat"
      PID: 2672
      Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 333KB
MD5: 3c6263a9c4117c78d26fc4380af014f2
SHA1: eca410dd57af16227220e08067c1895c258eb92b
SHA256: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e
SHA512: 0969cde0d327b9f4b2be708437aea2a1d7a9ba9482125e143ce25c6a2f07e8ee1fa9b23e12f4e88157305f59209e2a8b3a2b2e7eb143b114e3f0c95ba57a2e1a