Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

dridex

windows10-2004-x64

8

Analysis

  • max time kernel
    44s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/09/2022, 01:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2623a6e8b5f94511e9e12aead13543b219fac8879e292988919a42519571c87e.exe

  • Size

    726KB

  • MD5

    f406f57b64abe345b8f970fe0ce01ab7

  • SHA1

    c9417d6bc8485b9658b04294d2346b48d4c7bddc

  • SHA256

    2623a6e8b5f94511e9e12aead13543b219fac8879e292988919a42519571c87e

  • SHA512

    74198959c8d113437b1baaba739f1bb8c2a7476ec44d2b39ac927b8b7a8d308242b2b5f9b7c6b93f64b4a5ce8ba06b29140c0611c3868623264c29ad800c6242

  • SSDEEP

    768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR

Score
8/10
persistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2623a6e8b5f94511e9e12aead13543b219fac8879e292988919a42519571c87e.exe
    "C:\Users\Admin\AppData\Local\Temp\2623a6e8b5f94511e9e12aead13543b219fac8879e292988919a42519571c87e.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
          PID:4808
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4384
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4828
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4548
      • C:\ProgramData\Dllhost\dllhost.exe
        "C:\ProgramData\Dllhost\dllhost.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3592
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3916
          • C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            4⤵
            • Creates scheduled task(s)
            PID:3740
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          3⤵
            PID:3944
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              4⤵
              • Creates scheduled task(s)
              PID:3816
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4492
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              4⤵
              • Creates scheduled task(s)
              PID:5068
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3500
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              4⤵
              • Creates scheduled task(s)
              PID:388
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            3⤵
              PID:4320
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                4⤵
                • Creates scheduled task(s)
                PID:3264
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1428
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                4⤵
                • Creates scheduled task(s)
                PID:2604
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              3⤵
                PID:1012
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:4304
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                  PID:1080
                  • C:\Windows\SysWOW64\schtasks.exe
                    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    4⤵
                    • Creates scheduled task(s)
                    PID:2304
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3871" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  3⤵
                    PID:1840
                    • C:\Windows\SysWOW64\schtasks.exe
                      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3871" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                      4⤵
                      • Creates scheduled task(s)
                      PID:3680
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4502" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    3⤵
                      PID:3932
                      • C:\Windows\SysWOW64\schtasks.exe
                        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4502" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                        4⤵
                        • Creates scheduled task(s)
                        PID:3184
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk613" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                      3⤵
                        PID:1484
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6202" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                        3⤵
                          PID:2636
                          • C:\Windows\SysWOW64\schtasks.exe
                            SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6202" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            4⤵
                            • Creates scheduled task(s)
                            PID:1784
                    • C:\Windows\system32\dwm.exe
                      "dwm.exe"
                      1⤵
                        PID:4912
                      • C:\Windows\system32\WerFault.exe
                        C:\Windows\system32\WerFault.exe -u -p 3344 -s 1572
                        1⤵
                        • Program crash
                        PID:2752
                      • C:\Windows\system32\dwm.exe
                        "dwm.exe"
                        1⤵
                          PID:4112
                        • C:\Windows\system32\dwm.exe
                          "dwm.exe"
                          1⤵
                            PID:2304
                          • C:\Windows\system32\dwm.exe
                            "dwm.exe"
                            1⤵
                              PID:3740

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\ProgramData\Dllhost\dllhost.exe
                              Filesize

                              929KB

                              MD5

                              094e383b6c9768692b55ffb62d0ff3f5

                              SHA1

                              768536a17ddcdf194431aa5e0b7969fa81d78b8a

                              SHA256

                              4e7cedff1c19e2a657b1b2609eecba31a494b0b96b60be69c7ae0e3bf48e76c6

                              SHA512

                              2bcb4bfdee4d95b017dc1255fc7e04a8a59301df257b61b6768fc8e511f0b9f2ea34da4d017c28cf24555fc15f174d69644dd32e530e29f8c6ec4726a39172ba

                              Download Submit

                            • C:\ProgramData\Dllhost\dllhost.exe
                              Filesize

                              929KB

                              MD5

                              094e383b6c9768692b55ffb62d0ff3f5

                              SHA1

                              768536a17ddcdf194431aa5e0b7969fa81d78b8a

                              SHA256

                              4e7cedff1c19e2a657b1b2609eecba31a494b0b96b60be69c7ae0e3bf48e76c6

                              SHA512

                              2bcb4bfdee4d95b017dc1255fc7e04a8a59301df257b61b6768fc8e511f0b9f2ea34da4d017c28cf24555fc15f174d69644dd32e530e29f8c6ec4726a39172ba

                              Download Submit

                            • C:\ProgramData\HostData\logs.uce
                              Filesize

                              497B

                              MD5

                              13fda2ab01b83a5130842a5bab3892d3

                              SHA1

                              6e18e4b467cde054a63a95d4dfc030f156ecd215

                              SHA256

                              76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e

                              SHA512

                              c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                              Filesize

                              2KB

                              MD5

                              968cb9309758126772781b83adb8a28f

                              SHA1

                              8da30e71accf186b2ba11da1797cf67f8f78b47c

                              SHA256

                              92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                              SHA512

                              4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              18KB

                              MD5

                              8631e77c97edfa0e172db6fc687674ff

                              SHA1

                              b9e608d3acf0c9031b4441917d20c002471de9e0

                              SHA256

                              3f3c744ae6ff7be30f1f0d9793905a068f97e6187297be4d7c3da03830c56b4a

                              SHA512

                              e8ff77c7e59bd318aff161d62057076b848e4bbc4bd0d830bb79bbe56397b99b988cfe0cbf301db9b47f32b9182a9e7d4145b58d5468ef4c518349a7a73aa2ec

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              18KB

                              MD5

                              a219a29849d975c02639a133f4b69e80

                              SHA1

                              cd46ab7a957ea128869fdcc526e8d3f7fbcbf82f

                              SHA256

                              b7e6ddec5df9b1b4f18a9619297fed03c5122e5fc1cf2b7446195f5771023092

                              SHA512

                              4f05084bf127294e065f8725107ede805506ad9f2371b03c39ccdf703da7e57a3042c642ec3cf64e4370e90fb64796576656b78777a03fc24b8355717ca1fa24

                              Download Submit

                            • memory/2840-135-0x0000000005040000-0x000000000504A000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/2840-133-0x0000000005580000-0x0000000005B24000-memory.dmp

                              Filesize

                              5.6MB

                              Download

                            • memory/2840-134-0x0000000005070000-0x0000000005102000-memory.dmp

                              Filesize

                              584KB

                              Download

                            • memory/2840-132-0x00000000005E0000-0x0000000000688000-memory.dmp

                              Filesize

                              672KB

                              Download

                            • memory/2840-136-0x0000000005270000-0x00000000052D6000-memory.dmp

                              Filesize

                              408KB

                              Download

                            • memory/3592-165-0x0000000000E40000-0x0000000000EF0000-memory.dmp

                              Filesize

                              704KB

                              Download

                            • memory/4384-146-0x00000000700F0000-0x000000007013C000-memory.dmp

                              Filesize

                              304KB

                              Download

                            • memory/4384-144-0x0000000005B70000-0x0000000005B8E000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/4384-140-0x0000000002230000-0x0000000002266000-memory.dmp

                              Filesize

                              216KB

                              Download

                            • memory/4384-141-0x0000000004E60000-0x0000000005488000-memory.dmp

                              Filesize

                              6.2MB

                              Download

                            • memory/4384-142-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/4384-154-0x0000000007110000-0x0000000007118000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/4384-153-0x00000000071D0000-0x00000000071EA000-memory.dmp

                              Filesize

                              104KB

                              Download

                            • memory/4384-152-0x00000000070D0000-0x00000000070DE000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/4384-151-0x0000000007130000-0x00000000071C6000-memory.dmp

                              Filesize

                              600KB

                              Download

                            • memory/4384-150-0x0000000006F00000-0x0000000006F0A000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/4384-143-0x0000000004C50000-0x0000000004CB6000-memory.dmp

                              Filesize

                              408KB

                              Download

                            • memory/4384-149-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

                              Filesize

                              104KB

                              Download

                            • memory/4384-148-0x0000000007510000-0x0000000007B8A000-memory.dmp

                              Filesize

                              6.5MB

                              Download

                            • memory/4384-147-0x0000000006140000-0x000000000615E000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/4384-145-0x0000000006160000-0x0000000006192000-memory.dmp

                              Filesize

                              200KB

                              Download

                            • memory/4548-161-0x00000000700F0000-0x000000007013C000-memory.dmp

                              Filesize

                              304KB

                              Download

                            • memory/4828-158-0x00000000700F0000-0x000000007013C000-memory.dmp

                              Filesize

                              304KB

                              Download