Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/12/2024, 19:42
Static task
static1
Behavioral task
behavioral1
Sample
core.bat
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
core.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
planet64.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
planet64.dll
Resource
win10v2004-20241007-en
General
-
Target
core.bat
-
Size
184B
-
MD5
4da584cc0a5ded0c902627093ab8721b
-
SHA1
a6bb30b50718813a72cbd58ba148bc3c9a17c3f0
-
SHA256
bcc176e2ec1bddb1518bcacb07fef99fe1812e204e990424549f11862aaa757c
-
SHA512
d611696d95dd76f1c3f7ab90c370ccb734f1912ff340d28c5a050d0fb072c7914c3bd15ea30f8f2873fdb17f0b93da92eaa7eecc3b245e23c972c700777be804
Malware Config
Extracted
icedid
3415411565
antnosience.com
seaskysafe.com
-
auth_var
1
-
url_path
/news/
Extracted
icedid
Signatures
-
Icedid family
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe 3280 rundll32.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2308 wrote to memory of 3280 2308 cmd.exe 83 PID 2308 wrote to memory of 3280 2308 cmd.exe 83 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\planet64.tmp,DllMain /i="license.dat"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3280
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
333KB
MD57eb64145636d2e8343d9077f15c11022
SHA1c0b221ca05431092bc1c789a33d199124c8fec1c
SHA25696e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a
SHA51253171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6