Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
25/01/2025, 00:46
General
-
Target
2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe
-
Size
2.0MB
-
MD5
6ad6bb9ff2600d6e03aeea4d5aaae235
-
SHA1
e5c72c1a2a35e01b1e9d64cf7991d86abc88cce5
-
SHA256
047b76675a633db72c428f5c79a6b5ca5c7b3a6fbebbb7de5ec495e4cb1857af
-
SHA512
d3da5954fb81e8d4f50fc16ff89c5627de0c3e7e2e393b3dbd4d27293ba3e1b388e92a0585a5dd9df6a10561fcd519f014b90a5257d7c2c606de21fc001db770
-
SSDEEP
24576:SGyEQkGMex01TGQ0U7dr0hYmwFRbKOdzzmh3xtJ5GfsZOu17s:SGrdomllYOpcxckfs
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 5 IoCs
-
Stormkitty family
-
Drops startup file 3 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 6 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Aws SMTPS Cracker Private.exe"C:\Users\Admin\AppData\Roaming\Aws SMTPS Cracker Private.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile6⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid6⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Security.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Security.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\crack.exe"C:\Users\Admin\AppData\Roaming\crack.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAADF.tmp.cmd""4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 45⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\HeartSender.exe"C:\Users\Admin\AppData\Roaming\HeartSender.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD55277dc204a744e096688aa68ff7da2ea
SHA1e5ab7cb0a84dc64816a80b672d7ae58283d43913
SHA256d59d217d9de2798c4b01395f72bd3da3be7ff4f9c95b8510525d6b8a62bbcd11
SHA51253b1d422a8e1ce421a9fed11d6bdac0bdad317baae22fdae7c8b16b6627fbb3681f185c07fddd98d018f3be6948fb625b15b4e5d123102899cf1b307ac552e58
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
1.5MB
MD51e76fc77d50b65268097301c482f005e
SHA1ee2e94c47fd73cc14b26ece4dcae61a5d38e2c94
SHA256ac0cdd2e2d793cb81fe898e457f357aac93a69410369bf35b5a3c6ff3beb0f02
SHA512e19187da74d592fd958ac7d7c05efc81fb79f0cd90e53efeb9324cd54ed572d4e72a7e79a22adee097341269e19c64a6ff46083c6bef115dbfd16c72cca1f771
-
Filesize
107KB
MD5e70a3009a59897bcceaf38d617eaa267
SHA1fcd5f23e4f8ab3238e62a4c42327ee0634bbca72
SHA256f23e22277e90ee4423c480a5d778bc3fe7daed8d906e252aaa46938fcd0566dd
SHA512661e6a4b8059afe33c800ff98cff76012447952a3afa1c7e63763d019906116cc9f32d7201b56f7120e32ce6073895166157d5d122cb6f243c7e26d47f613173
-
Filesize
461KB
MD5c3a6f6cdb3188010a0b230ddc987c01e
SHA1c267acc2bf367a7ad783a5536b79528911e92fee
SHA256f23c10b8274afc4aaf02bdacaa8f4f1db375cb221c12a1d3c3cec993dc00561a
SHA5123861517e38e16160e976ba05af87c8c808c182fc47b4de93202b5822cbb0be01bcb62290503871061b3774222f00c748f743eb5febb86064e642c66fc8393eac
-
Filesize
267KB
MD586de666b0ad8dbc41cd8bde7edf2eaf1
SHA1bd1739f2affb80835793ef2a7f1a0a4d92d57947
SHA256606ddedb2de122911f04e14e584729f3b44852814c936f540ec00fde47ed4092
SHA512c5259c56d0b4defe9af7be4f6ac4fea2d9052509041fac0a577f59ab362862079c8e39b27e3e04542b6255b6ef506138fded25fc09952524084e973e333a50a3
-
Filesize
8KB
MD59215015740c937980b6b53cee5087769
SHA1a0bfe95486944f1548620d4de472c3758e95d36a
SHA256a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA5125b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
32KB
-
Filesize
1.0MB
-
Filesize
1.5MB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
296KB