Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

dridex

windows10-1703-x64

7

Analysis

  • max time kernel
    110s
  • max time network
    141s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12/03/2023, 21:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03ae9ce1d91d2afb78307f0239b44e22f72ebe5ed6ee6d6ca0606135ed2e824f.exe

  • Size

    4.6MB

  • MD5

    0159db1069b8ddc9a12f348ab04cf5c2

  • SHA1

    8fdd5b120f5be3272a8f9b32dcc8b47ecdedf3b2

  • SHA256

    03ae9ce1d91d2afb78307f0239b44e22f72ebe5ed6ee6d6ca0606135ed2e824f

  • SHA512

    58881ae7157988155f0bbe3cdd6e453a1a6226cc03d26ab05f0fb57228625dffa5c7fae3afaa4f1d40932e211bf81782d6193bab8d12a645ea22a9e4de68218a

  • SSDEEP

    49152:8yP31N0xewXOBD4GaacfSG0K4ubh1992ZccWWF6ybP5XVvdDbNtOL4cCZtey+4t4:XojKDtNkS8CRNdDJLcwZ+419RlmItbDg

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03ae9ce1d91d2afb78307f0239b44e22f72ebe5ed6ee6d6ca0606135ed2e824f.exe
    "C:\Users\Admin\AppData\Local\Temp\03ae9ce1d91d2afb78307f0239b44e22f72ebe5ed6ee6d6ca0606135ed2e824f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsUSOPrivate-type6.5.4.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2992
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsUSOPrivate-type6.5.4.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2972
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsUSOPrivate-type6.5.4.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3004
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "DocumentsUSOPrivate-type6.5.4.0\DocumentsUSOPrivate-type6.5.4.0" /TR "C:\ProgramData\DocumentsUSOPrivate-type6.5.4.0\DocumentsUSOPrivate-type6.5.4.0.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4472
      • C:\ProgramData\DocumentsUSOPrivate-type6.5.4.0\DocumentsUSOPrivate-type6.5.4.0.exe
        "C:\ProgramData\DocumentsUSOPrivate-type6.5.4.0\DocumentsUSOPrivate-type6.5.4.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Executes dropped EXE
        PID:1240
  • C:\ProgramData\DocumentsUSOPrivate-type6.5.4.0\DocumentsUSOPrivate-type6.5.4.0.exe
    C:\ProgramData\DocumentsUSOPrivate-type6.5.4.0\DocumentsUSOPrivate-type6.5.4.0.exe
    1⤵
    • Executes dropped EXE
    PID:4208

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\DocumentsUSOPrivate-type6.5.4.0\DocumentsUSOPrivate-type6.5.4.0.exe
    Filesize

    701.7MB

    MD5

    dceb1e1bb55903aebdff1a47b8394dad

    SHA1

    0791df9c33d4701818f5fa87ad0c18f78de32959

    SHA256

    d858fb768f96cec231e30df3250eb7a2a3255268a3eea042562467c32bdcaac4

    SHA512

    5ce8d0a1f6d6732001b8d950e99e6f4cbb146be470c65296641008dc916a55018e174195412f71fc971864dd9359689716313f8f6ecc381ef7ca3855ffcf1b9e

    Download Submit

  • C:\ProgramData\DocumentsUSOPrivate-type6.5.4.0\DocumentsUSOPrivate-type6.5.4.0.exe
    Filesize

    701.7MB

    MD5

    dceb1e1bb55903aebdff1a47b8394dad

    SHA1

    0791df9c33d4701818f5fa87ad0c18f78de32959

    SHA256

    d858fb768f96cec231e30df3250eb7a2a3255268a3eea042562467c32bdcaac4

    SHA512

    5ce8d0a1f6d6732001b8d950e99e6f4cbb146be470c65296641008dc916a55018e174195412f71fc971864dd9359689716313f8f6ecc381ef7ca3855ffcf1b9e

    Download Submit

  • C:\ProgramData\DocumentsUSOPrivate-type6.5.4.0\DocumentsUSOPrivate-type6.5.4.0.exe
    Filesize

    610.9MB

    MD5

    e73349cdbe6d8dce1714555de7dd05f9

    SHA1

    ba413ab9b145982af7b9efb493bb50af051621b8

    SHA256

    4642ad2408025a97c4eb178445b5df3dd1d9a6f13f0568bcc54c2dd04c644894

    SHA512

    a2f008d3dfc612730982d46b4438c72b737b52a60f3867efd24a346d60b58c4476ebd20611b7d9b2c95d2d11fb15713f88bd944e653d9673dc2f17bdb8bf54ea

    Download Submit

  • memory/3940-120-0x0000000004B00000-0x0000000004F8C000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/3940-127-0x0000000009810000-0x0000000009D0E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3940-128-0x00000000093B0000-0x0000000009442000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3940-129-0x0000000009380000-0x000000000938A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3940-130-0x0000000009350000-0x0000000009360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-131-0x0000000009350000-0x0000000009360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3940-132-0x0000000009350000-0x0000000009360000-memory.dmp

    Filesize

    64KB

    Download