Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/01/2025, 02:22 UTC

General

  • Target

    2025-01-14_544feca0515d819bc19521d3361678c4_icedid.exe

  • Size

    784KB

  • MD5

    544feca0515d819bc19521d3361678c4

  • SHA1

    b54d059d4ecac9d6a8e1535b7ad7a62ea292d310

  • SHA256

    aade0eae2708f2874909f2b7c63345b383d9d3273a668166aa5b5105351c6745

  • SHA512

    9b19241e56e3f1a7b8c8f0cec00b40ea50367ae56988a2e52b948e5ece8e3a8831082c4496880356715e4309ed6ba629f19cf30818ca5ec78cd37db64c678b87

  • SSDEEP

    12288:sOps+brP/VgjVbK2rOhkfq8eKYmC3LC2wv5op3xNwnYYdV9PQ/DWwBaHswwpUxug:zs+vPN0buywLC2wvHZdV1MfT8n

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2


rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet family
  • Emotet payload 3 IoCs

    Detects Emotet payload in memory.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-14_544feca0515d819bc19521d3361678c4_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-14_544feca0515d819bc19521d3361678c4_icedid.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1080

Network

  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    92.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    92.12.20.2.in-addr.arpa
    IN PTR
    Response
    92.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-92deploystaticakamaitechnologiescom
  • flag-us
    DNS
    182.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    182.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    60.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    60.153.16.2.in-addr.arpa
    IN PTR
    Response
    60.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-60deploystaticakamaitechnologiescom
  • 88.153.35.32:80
    2025-01-14_544feca0515d819bc19521d3361678c4_icedid.exe
    260 B
    5
  • 107.170.146.252:8080
    2025-01-14_544feca0515d819bc19521d3361678c4_icedid.exe
    260 B
    5
  • 173.212.214.235:7080
    2025-01-14_544feca0515d819bc19521d3361678c4_icedid.exe
    260 B
    5
  • 167.114.153.111:8080
    2025-01-14_544feca0515d819bc19521d3361678c4_icedid.exe
    260 B
    5
  • 67.170.250.203:443
    2025-01-14_544feca0515d819bc19521d3361678c4_icedid.exe
    260 B
    5
  • 121.124.124.40:7080
    2025-01-14_544feca0515d819bc19521d3361678c4_icedid.exe
    260 B
    200 B
    5
    5
  • 103.86.49.11:8080
    2025-01-14_544feca0515d819bc19521d3361678c4_icedid.exe
    208 B
    4
  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    92.12.20.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    92.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    182.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    182.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    60.153.16.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    60.153.16.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1080-9-0x0000000002280000-0x00000000022B0000-memory.dmp

    Filesize

    192KB

  • memory/1080-6-0x0000000002820000-0x0000000002851000-memory.dmp

    Filesize

    196KB

  • memory/1080-2-0x0000000002480000-0x00000000024B3000-memory.dmp

    Filesize

    204KB
