Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

dridex

windows10-2004-x64

6

Analysis

  • max time kernel
    62s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe

  • Size

    946KB

  • MD5

    aa458100cfa6220e85e05293066d67cd

  • SHA1

    34371dab7a694c8510a2c4cfb608c15de08306d5

  • SHA256

    060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c

  • SHA512

    8f8f801f81c346d2f9cc400d3f0abd29ad3caa82a2f430cd6c9bf07996e0787237f919ea4e5d18cc61c62235f0e3fc6a320dd73a87ef69c0837ba856a1b3ff38

  • SSDEEP

    768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe
    "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
      2⤵
        PID:3668
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
          3⤵
          • Creates scheduled task(s)
          PID:760
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
          3⤵
          • Creates scheduled task(s)
          PID:380
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
          3⤵
          • Creates scheduled task(s)
          PID:2368
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
          3⤵
          • Creates scheduled task(s)
          PID:1468
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
          3⤵
          • Creates scheduled task(s)
          PID:4228
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1412
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
          3⤵
          • Creates scheduled task(s)
          PID:1484
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4196
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
          3⤵
          • Creates scheduled task(s)
          PID:1416
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk5913" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk5913" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
          3⤵
          • Creates scheduled task(s)
          PID:4192
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk436" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk436" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
          3⤵
          • Creates scheduled task(s)
          PID:1904
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk8574" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1536
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk8574" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
          3⤵
          • Creates scheduled task(s)
          PID:4068
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8448" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8448" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
          3⤵
          • Creates scheduled task(s)
          PID:4236
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
        2⤵
          PID:4124
          • C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\060c50b4ef3e0f9e9d07f9294d3fb248682f9bc1ba060b2f05630c2086ce7a6c.exe"
            3⤵
            • Creates scheduled task(s)
            PID:4012
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1372
          2⤵
          • Program crash
          PID:1720
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5064 -ip 5064
        1⤵
          PID:4848

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/5064-135-0x0000000004A70000-0x0000000004A7A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/5064-134-0x0000000004A90000-0x0000000004B22000-memory.dmp

          Filesize

          584KB

          Download

        • memory/5064-133-0x0000000004FA0000-0x0000000005544000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/5064-132-0x0000000000010000-0x00000000000C0000-memory.dmp

          Filesize

          704KB

          Download