Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

1

dridex

windows10-1703-x64

9

Analysis

  • max time kernel
    141s
  • max time network
    65s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17/03/2023, 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    743977782c5875d0a2c0f83e6db721cfe26d2238dbe5955e882de77381732324.exe

  • Size

    3.4MB

  • MD5

    428320d3254f102e13b6873c5e31caed

  • SHA1

    04e28ccb707fab9c1728fa03b58772b522965813

  • SHA256

    743977782c5875d0a2c0f83e6db721cfe26d2238dbe5955e882de77381732324

  • SHA512

    bbec5f2d63f2a809fe325203623a3b11d3ea672cf9edd80770c5e141427f43cbf5a341dc74347c1be9ff0d1cea0bef88ae80779cde82e549ccf08ce3018575a4

  • SSDEEP

    98304:BfaD2xzt49ndR/hqOAX7Jhh15VRN6UnNOzFc:9t4rqN19n9

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\743977782c5875d0a2c0f83e6db721cfe26d2238dbe5955e882de77381732324.exe
    "C:\Users\Admin\AppData\Local\Temp\743977782c5875d0a2c0f83e6db721cfe26d2238dbe5955e882de77381732324.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftTemplates-type9.4.6.7" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3904
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftTemplates-type9.4.6.7" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2056
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftTemplates-type9.4.6.7" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4400
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "regid.1991-06.com.microsoftTemplates-type9.4.6.7\regid.1991-06.com.microsoftTemplates-type9.4.6.7" /TR "C:\ProgramData\regid.1991-06.com.microsoftTemplates-type9.4.6.7\regid.1991-06.com.microsoftTemplates-type9.4.6.7.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4852
      • C:\ProgramData\regid.1991-06.com.microsoftTemplates-type9.4.6.7\regid.1991-06.com.microsoftTemplates-type9.4.6.7.exe
        "C:\ProgramData\regid.1991-06.com.microsoftTemplates-type9.4.6.7\regid.1991-06.com.microsoftTemplates-type9.4.6.7.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:2388
  • C:\ProgramData\regid.1991-06.com.microsoftTemplates-type9.4.6.7\regid.1991-06.com.microsoftTemplates-type9.4.6.7.exe
    C:\ProgramData\regid.1991-06.com.microsoftTemplates-type9.4.6.7\regid.1991-06.com.microsoftTemplates-type9.4.6.7.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:1512

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\regid.1991-06.com.microsoftTemplates-type9.4.6.7\regid.1991-06.com.microsoftTemplates-type9.4.6.7.exe
    Filesize

    712.2MB

    MD5

    84f1841dc3b1a96f5078161ecf0dd16e

    SHA1

    2ccdb7549986142d9c27d9a5c4845a4c42a43c59

    SHA256

    aa208a24e72782fd119d0c86ae689f6f59fee04f12b6d293a2bc13acf770fcbf

    SHA512

    279b946cf9b1ee05545adb716eb0d7fb111a729d6766ec09293c5ab2e2d28c9bf45a0f072f1ea86b38b95d48765935c30d9fdd853e483d09d308a4ffbb4d827a

    Download Submit

  • C:\ProgramData\regid.1991-06.com.microsoftTemplates-type9.4.6.7\regid.1991-06.com.microsoftTemplates-type9.4.6.7.exe
    Filesize

    719.6MB

    MD5

    15f5347331ecd9f50e669a5d3399688f

    SHA1

    fb69c78ed84993cb58f902c1685565927a7ed56c

    SHA256

    e755e53e358f7c34f2d870ab6ca2a1a0116a5d2eaaca55f039215fa10b94c91a

    SHA512

    4f99eb8423ba72dbe27f47222b29f75c85f4718e3331022e19eab02c292852e50977405ce29681ea3cc1e823cf31f8bc0d2250c8294b6c264c40a4cc0e5535b2

    Download Submit

  • C:\ProgramData\regid.1991-06.com.microsoftTemplates-type9.4.6.7\regid.1991-06.com.microsoftTemplates-type9.4.6.7.exe
    Filesize

    281.3MB

    MD5

    67bbbf2ab16171eeb90011b3dac17dfd

    SHA1

    b37cb93a49c45b7a2f9b1ff813df658735e97bc3

    SHA256

    9eb8c825a92d5a5148f5c2e5b8bb5ae62f6dc0a037e2a3174b8dcfa0a5873706

    SHA512

    4e793c6e8d86ce00c804dba56e56af850e1fc7069c09917f028ca6e3afe3e03c0fba6cdc4626a29db11aa863256199ed64749a5dce2d7595959070a2819e3d5d

    Download Submit

  • memory/1512-163-0x00007FF7B8890000-0x00007FF7B8DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1512-162-0x00007FF7B8890000-0x00007FF7B8DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1512-161-0x00007FF7B8890000-0x00007FF7B8DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1512-160-0x00007FF7B8890000-0x00007FF7B8DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1512-159-0x00007FF7B8890000-0x00007FF7B8DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2388-152-0x00007FF7B8890000-0x00007FF7B8DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2388-154-0x00007FF7B8890000-0x00007FF7B8DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2388-155-0x00007FF7B8890000-0x00007FF7B8DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2388-156-0x00007FF7B8890000-0x00007FF7B8DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2388-157-0x00007FF7B8890000-0x00007FF7B8DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2620-134-0x0000000009940000-0x0000000009950000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2620-121-0x0000000000400000-0x000000000075C000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2620-133-0x0000000009940000-0x0000000009950000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2620-132-0x0000000009940000-0x0000000009950000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2620-131-0x0000000009940000-0x0000000009950000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2620-130-0x0000000009810000-0x000000000981A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2620-129-0x0000000009710000-0x00000000097A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2620-128-0x0000000009C10000-0x000000000A10E000-memory.dmp

    Filesize

    5.0MB

    Download