Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2024-12-28...id.exe

windows7-x64

10

2024-12-28...id.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    28/12/2024, 07:41 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-28_1cdc249ceea505c723a4124922273007_icedid.exe

  • Size

    3.4MB

  • MD5

    1cdc249ceea505c723a4124922273007

  • SHA1

    3c2d4c3458e63c2e9501c02853d4b88a7d3f8b73

  • SHA256

    96a361009ebce7f300ea9eaeeb8828c1acca8c9f56a7b7366c7a90a1b0b13661

  • SHA512

    a03516c70228fcbca8dcee0ea28faa4d46f91964ce53cd7875a4709adf0bbf49cf59ac818f66e02399958f1a05b94fd0041ef157a55c5dd7f3ee3803853eb9d5

  • SSDEEP

    49152:yCwsbCANnKXferL7Vwe/Gg0P+Wh0sABTucGDf3qN1np:Vws2ANnKXOaeOgmh01BTujrql

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 7 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 8 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 8 IoCs
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-28_1cdc249ceea505c723a4124922273007_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-28_1cdc249ceea505c723a4124922273007_icedid.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1104
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2864
    • C:\Users\Admin\AppData\Local\Temp\HD_2024-12-28_1cdc249ceea505c723a4124922273007_icedid.exe
      C:\Users\Admin\AppData\Local\Temp\HD_2024-12-28_1cdc249ceea505c723a4124922273007_icedid.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2620
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
    1⤵
      PID:1068
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\SysWOW64\Remote Data.exe
        "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259456448.txt",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2672
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -auto
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\TXPlatfor.exe
        C:\Windows\SysWOW64\TXPlatfor.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:2436

    Network

    • flag-us
      DNS
      hackerinvasion.f3322.net
      Remote Data.exe
      Remote address:
      8.8.8.8:53
      Request
      hackerinvasion.f3322.net
      IN A
      Response
    No results found
    • 8.8.8.8:53
      hackerinvasion.f3322.net
      dns
      Remote Data.exe
      70 B
       131 B
       1
      1

      DNS Request

      hackerinvasion.f3322.net

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
      Filesize

      2.6MB

      MD5

      71c68992a7dd458d1aa08a506111aaf4

      SHA1

      f8bc75c9a43b18e436fbfba8f9e1287311c0148f

      SHA256

      7020682a0fb10217b82c322036ca5665f8ecd51f0ac2c1294ed6d1f7f47712aa

      SHA512

      2c713c3df3e222a725758909d439c8fb8e7e1791eae903ee695d8a6f49e6f30970bce5a4650eba1a39b930cff7bd53ab8ebf09308ced84c71662e8b2c592185e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\N.exe
      Filesize

      377KB

      MD5

      4a36a48e58829c22381572b2040b6fe0

      SHA1

      f09d30e44ff7e3f20a5de307720f3ad148c6143b

      SHA256

      3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

      SHA512

      5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

      Download Submit

    • \Users\Admin\AppData\Local\Temp\HD_2024-12-28_1cdc249ceea505c723a4124922273007_icedid.exe
      Filesize

      900KB

      MD5

      30a0afee4aea59772db6434f1c0511ab

      SHA1

      5d5c2d9b7736e018d2b36963e834d1aa0e32af09

      SHA256

      d84149976bc94a21b21aa0bc99fcbdee9d1ad4f3387d8b62b90f805ac300ba05

      SHA512

      5e8a85e2d028ad351be255ae2c39bb518a10a4a467fd656e2472286fee504eed87afe7d4a728d7f8bc4261245c1db8577deeee2388f39eb7ee48298e37949f53

      Download Submit

    • \Users\Admin\AppData\Local\Temp\R.exe
      Filesize

      941KB

      MD5

      8dc3adf1c490211971c1e2325f1424d2

      SHA1

      4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

      SHA256

      bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

      SHA512

      ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

      Download Submit

    • \Windows\SysWOW64\259456448.txt
      Filesize

      899KB

      MD5

      62052eddd8ffb03e53f79e1af5d56c50

      SHA1

      bdd660a394e19b79ec6ede50f32823b0a346631d

      SHA256

      be6d2eb1089e7e7f91b21612a6664082c5ab1f6e8969ec517e404051bea4a20b

      SHA512

      37f01ffeae7a39da62ba9739fb4fcee3f827f6520140652012e18950f722cc214f88897d4c46922488a1031d1ac6dfd81b942c7f1cfb2eee95b2715c667163d2

      Download Submit

    • \Windows\SysWOW64\Remote Data.exe
      Filesize

      43KB

      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

      Download Submit

    • memory/2408-21-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2408-20-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2408-19-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2436-38-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2436-45-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2436-41-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2436-49-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2436-35-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2436-37-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.