Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

1

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/03/2023, 16:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eda4697e1503a46b8f6841b5ece45481a8104ef8a828074d9a3eaef80d043e5a.exe

  • Size

    3.4MB

  • MD5

    8265925a6b84148f317ee552ed4c5c15

  • SHA1

    52741f4a85f7f2c0b4f489ca44aa80dca8657447

  • SHA256

    eda4697e1503a46b8f6841b5ece45481a8104ef8a828074d9a3eaef80d043e5a

  • SHA512

    93fc15bd25142a7556717d73e0b0fccde154ead91d3abb7cf60bb847c67522b9d21583b64858ca7175300b9bfd29b5e6a9b7c2736f48d94386178c662a57f649

  • SSDEEP

    98304:SDaD2xzt49ndR/hqOAX7Jhh15VRN6UnNOzFt:ot4rqN19nI

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eda4697e1503a46b8f6841b5ece45481a8104ef8a828074d9a3eaef80d043e5a.exe
    "C:\Users\Admin\AppData\Local\Temp\eda4697e1503a46b8f6841b5ece45481a8104ef8a828074d9a3eaef80d043e5a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\sshPackages-type0.1.2.5" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2856
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\sshPackages-type0.1.2.5" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4156
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\sshPackages-type0.1.2.5" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3720
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "sshPackages-type0.1.2.5\sshPackages-type0.1.2.5" /TR "C:\ProgramData\sshPackages-type0.1.2.5\sshPackages-type0.1.2.5.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:1624
      • C:\ProgramData\sshPackages-type0.1.2.5\sshPackages-type0.1.2.5.exe
        "C:\ProgramData\sshPackages-type0.1.2.5\sshPackages-type0.1.2.5.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:772
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 152
      2⤵
      • Program crash
      PID:112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040
    1⤵
      PID:1936
    • C:\ProgramData\sshPackages-type0.1.2.5\sshPackages-type0.1.2.5.exe
      C:\ProgramData\sshPackages-type0.1.2.5\sshPackages-type0.1.2.5.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:4548

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\sshPackages-type0.1.2.5\sshPackages-type0.1.2.5.exe
      Filesize

      683.4MB

      MD5

      863ce87912571dd1ef4dfb4322678d21

      SHA1

      4c7cfc2dce1de4daf5979d53795cea9430bfafa9

      SHA256

      bc5f7545c0f365ab9aaf22382130327550d607cdc18e58a61149faf7787f0709

      SHA512

      290416fc18320643575676fde95f472df4160233dff93a62e41513facd21dea490edf8f3bf70d20eb4f94f6776764fb6a67027ad5459cc1ce921dc76dee82cc3

      Download Submit

    • C:\ProgramData\sshPackages-type0.1.2.5\sshPackages-type0.1.2.5.exe
      Filesize

      625.9MB

      MD5

      40fa7a8d7c7e0472a934087638c16330

      SHA1

      9d357048601e0b123976f851e3363ca961eeb421

      SHA256

      038e8970dd09129f30b311d16b2d676cb7073e5d4f5b39fe28e2b1057b4bc483

      SHA512

      449bcfc56d4b9b169a09ada9b8c202fd101467e0564ed046c89c59229673a427905b6591e1b3b6c5b83b1605179ea8680511b1325a4900aba48637cc798403ad

      Download Submit

    • C:\ProgramData\sshPackages-type0.1.2.5\sshPackages-type0.1.2.5.exe
      Filesize

      303.3MB

      MD5

      f10cd537aec96e5a1d8546c8bbd5f3af

      SHA1

      5ea5b98a36fda999b25c593f84ecafd3cc4f44c2

      SHA256

      dc7ec962ad2bdff87a3dc83a480e313f0c443093dd32ce75fc76c2e272dc1aae

      SHA512

      11130bfea3340c77d48c5ffd43671cf355ae5764805c206e9e67cc55e93d7b6fe1702ce3f02e1785fee2690fba67f0963e95ad6f089be4d6be7d4c816666ac64

      Download Submit

    • memory/772-151-0x00007FF7955A0000-0x00007FF795ABF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/772-152-0x00007FF7955A0000-0x00007FF795ABF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/772-150-0x00007FF7955A0000-0x00007FF795ABF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/772-149-0x00007FF7955A0000-0x00007FF795ABF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2772-144-0x0000000005BF0000-0x0000000005C00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2772-140-0x00000000059A0000-0x00000000059AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2772-139-0x00000000059C0000-0x0000000005A52000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2772-143-0x0000000005BF0000-0x0000000005C00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2772-142-0x0000000005BF0000-0x0000000005C00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2772-133-0x0000000000400000-0x000000000075C000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2772-141-0x0000000005BF0000-0x0000000005C00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2772-138-0x0000000005F70000-0x0000000006514000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4548-154-0x00007FF7955A0000-0x00007FF795ABF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4548-156-0x00007FF7955A0000-0x00007FF795ABF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4548-157-0x00007FF7955A0000-0x00007FF795ABF000-memory.dmp

      Filesize

      5.1MB

      Download