Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
125s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/12/2024, 18:51
Static task
static1
Behavioral task
behavioral1
Sample
33667344.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
33667344.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
INV87162.txt.lnk
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
INV87162.txt.lnk
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
UFbjRkMGfw.ps1
Resource
win7-20241010-en
General
-
Target
UFbjRkMGfw.ps1
-
Size
59B
-
MD5
219543beb2dbd3dd4a38133cb4cf5d62
-
SHA1
a9f3bca1e95a8013e54a327ab471fa90f4d6fdec
-
SHA256
ff4878fee00d54134fffa5ca90af7ec4892d7397dafe5ad8a319ab83f9b594ae
-
SHA512
adfc8567036636ebcbd46d860eacdf55edaff7a56af5a65f0c4695fe2698fa8bc5c7afa1b75126450417516851b500bb3b8d1a1211dae279d6ef95c1621aab26
Malware Config
Extracted
icedid
1842176049
carismortht.com
Signatures
-
Icedid family
-
pid Process 4332 powershell.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings powershell.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 3484 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4332 powershell.exe 4332 powershell.exe 4416 rundll32.exe 4416 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4332 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4332 wrote to memory of 3484 4332 powershell.exe 83 PID 4332 wrote to memory of 3484 4332 powershell.exe 83 PID 4332 wrote to memory of 4416 4332 powershell.exe 84 PID 4332 wrote to memory of 4416 4332 powershell.exe 84
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\UFbjRkMGfw.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\notice.txt2⤵
- Opens file in notepad (likely ransom note)
PID:3484
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" 33667344.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
PID:4416
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82