Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
133s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21/12/2024, 16:17
Static task
static1
Behavioral task
behavioral1
Sample
69e2bc37da2c8a6f25fce37a024aca628f8216cb0ddcf70e1e55766eae011bf2.xll
Resource
win7-20241010-en
General
-
Target
69e2bc37da2c8a6f25fce37a024aca628f8216cb0ddcf70e1e55766eae011bf2.xll
-
Size
70KB
-
MD5
3f031c12c95a4b52b74e08d4b0d76830
-
SHA1
3a6443c08d8233b4e62e3ab47950061620225e75
-
SHA256
69e2bc37da2c8a6f25fce37a024aca628f8216cb0ddcf70e1e55766eae011bf2
-
SHA512
ab271d995c7de00466cd8a84dc5f63b25ec866bd0c61ba0decfaa951091718bf9a35412b7b14ec046fb131d7641bcb73486f524820fd9d3d29413ce03a2e2d71
-
SSDEEP
1536:iXUu70LgnxWl7f/3jWCgiMthg8Mi3lHg9gIgmfgCjMiAOqTu/+vXWPbge96Lr4hH:iwL6W5fPKCNAXMixmHBfFzmu/mAbgwzh
Malware Config
Extracted
Extracted
icedid
497724135
ovedfromasi.top
Signatures
-
Icedid family
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4080 4672 rundll32.exe 82 -
Blocklisted process makes network request 1 IoCs
flow pid Process 22 4080 rundll32.exe -
Loads dropped DLL 3 IoCs
pid Process 4672 EXCEL.EXE 4672 EXCEL.EXE 4080 rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4672 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4080 rundll32.exe 4080 rundll32.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 4672 EXCEL.EXE 4672 EXCEL.EXE 4672 EXCEL.EXE 4672 EXCEL.EXE 4672 EXCEL.EXE 4672 EXCEL.EXE 4672 EXCEL.EXE 4672 EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4672 wrote to memory of 4080 4672 EXCEL.EXE 86 PID 4672 wrote to memory of 4080 4672 EXCEL.EXE 86
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\69e2bc37da2c8a6f25fce37a024aca628f8216cb0ddcf70e1e55766eae011bf2.xll"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SYSTEM32\rundll32.exerundll32 C:\Users\Admin\JetBrainsdotK.dll , DllGetClassObject2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4080
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\69e2bc37da2c8a6f25fce37a024aca628f8216cb0ddcf70e1e55766eae011bf2.xll
Filesize70KB
MD53f031c12c95a4b52b74e08d4b0d76830
SHA13a6443c08d8233b4e62e3ab47950061620225e75
SHA25669e2bc37da2c8a6f25fce37a024aca628f8216cb0ddcf70e1e55766eae011bf2
SHA512ab271d995c7de00466cd8a84dc5f63b25ec866bd0c61ba0decfaa951091718bf9a35412b7b14ec046fb131d7641bcb73486f524820fd9d3d29413ce03a2e2d71
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize1KB
MD5fdf69aba5137783beae38241a86a9503
SHA1904a1b3b90a72a8abf2265aae7b7a2ede81f18dc
SHA2563121babdcff0c2e3ded69bebeda4f4d85bb0973226a9521393c49038c525a015
SHA512d029ad3107f445c9feb140b3cbaefec86c3740908a2ebc558fb9391b67996f573f46ea7bc49c8249b3789fdad0541058da42efb9f592af40a233dcafad6514f2
-
Filesize
38KB
MD5e0eb5ee1877137874ffa2da89ea711a4
SHA17be7d4eab05c0070ece0ca1e54b183829b227588
SHA25633656b2710aa5d69afa7402f050b8f812923743f86a5bf4d1f22f8ce29be7179
SHA512ca47e2a86edecffa9c6250d98750f7a49530dbea2bcff74678ab43d38410b2b3fdf8ea5b69bc656472ab3915fd225ff5ade64b3699d182075ed94155a56ec215