Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

dridex

windows10-1703-x64

6

Analysis

  • max time kernel
    55s
  • max time network
    144s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08/10/2022, 15:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe

  • Size

    959KB

  • MD5

    cbc0500085652afbdff4fad4fa062359

  • SHA1

    a2980547287691054a85183632526ef255990e13

  • SHA256

    f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909

  • SHA512

    fbd1e1d3cf7ba813bb0ae123abe66e2ac6c5c1c39f42dcd25f8ba2206e1b1e9f477f83263fc2ce0654052b4c34214ee897fa24bbe902b2cf80afb67582b9eed2

  • SSDEEP

    768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe
    "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2264
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
      2⤵
        PID:2136
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
        2⤵
          PID:1568
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4796
          • C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
            3⤵
            • Creates scheduled task(s)
            PID:4236
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4816
          • C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
            3⤵
            • Creates scheduled task(s)
            PID:2248
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:64
          • C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
            3⤵
            • Creates scheduled task(s)
            PID:4252
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8454" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4272
          • C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8454" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
            3⤵
            • Creates scheduled task(s)
            PID:4264
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7480" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
          2⤵
            PID:4844
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1935" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4340
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1935" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
              3⤵
              • Creates scheduled task(s)
              PID:8
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7086" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2316
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7086" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
              3⤵
              • Creates scheduled task(s)
              PID:4368
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
            2⤵
              PID:4328
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:5080
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\f8eb7fb3ecd598b2fe087bcbc70d813b40ee34e736f01943d924f5aa6ec12909.exe"
                3⤵
                • Creates scheduled task(s)
                PID:4456
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1320
              2⤵
              • Program crash
              PID:1572

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1568-188-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/1568-181-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/1568-184-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2136-182-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2136-186-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2136-175-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2136-178-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-167-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-133-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-116-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-142-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-149-0x0000000000FB0000-0x0000000001060000-memory.dmp

            Filesize

            704KB

            Download

          • memory/2668-150-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-152-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-153-0x0000000005E60000-0x000000000635E000-memory.dmp

            Filesize

            5.0MB

            Download

          • memory/2668-154-0x0000000005960000-0x00000000059F2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/2668-155-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-156-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-157-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-159-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-160-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-169-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-170-0x0000000005880000-0x000000000588A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2668-117-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-118-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-129-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-119-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-120-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-121-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-122-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2668-123-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/4644-173-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/4644-174-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/4644-180-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/4644-177-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/4796-185-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/4816-189-0x00000000779A0000-0x0000000077B2E000-memory.dmp

            Filesize

            1.6MB

            Download