Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/12/2024, 02:52 UTC

General

  • Target

    documents.lnk

  • Size

    2KB

  • MD5

    c754f3d9cdca9c58f7b9d0a486e4d388

  • SHA1

    078f05b78e7a83ab17d9b35edf195c10f0d5750c

  • SHA256

    a689b27afa67609b9b73465c47f927a12c470b32d8a340552d5f85499501a757

  • SHA512

    cc4af4a8994da26f6daacf1243bb85df0995eccb90159df66e94af0e4e9fd3df401e35a57254efe9bc10a45867dbbdcb3335391f4d5da8b2dcfbe31980e23ebf

Malware Config

Extracted

Family

icedid

Campaign

1101171172

C2

hdtrenity.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Icedid family
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\system32\cmd.exe (PID 1656)
    cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\cmd.exe (PID 2436)
      "C:\Windows\System32\cmd.exe" /c start regsvr32.exe data.dll
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\regsvr32.exe (PID 1940)
        regsvr32.exe data.dll
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: EnumeratesProcesses

Network

  • DNS lookup by regsvr32.exe
    Remote address: 8.8.8.8:53
    Request: hdtrenity.com IN A
    Response: No results found
  • 8.8.8.8:53 (dns, regsvr32.exe)
    Domain: hdtrenity.com
    Sent: 59 B, received: 132 B, 1 request, 1 response
    DNS request: hdtrenity.com

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1940-36-0x00000000002F0000-0x00000000002FE000-memory.dmp

    Filesize

    56KB

  • memory/1940-37-0x00000000002F0000-0x00000000002FE000-memory.dmp

    Filesize

    56KB
