Analysis

  • max time kernel: 144s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 29/03/2023, 18:34

General

  • Target: 589f74dd5933296442d85eec9b0060a321ac8bd49569693134cf7d6c9864ea7f.exe
  • Size: 3.5MB
  • MD5: f8d05ec22a180070e25d97e048c3cad6
  • SHA1: e675caa4e33775a22eac968befbafb8f81cd681b
  • SHA256: 589f74dd5933296442d85eec9b0060a321ac8bd49569693134cf7d6c9864ea7f
  • SHA512: c559ad8ae219fac02cd61e1fbe2938697a0186f1de368b0aa572dff5386b46e73ca1b808266d034495a26a684ea214342dee466b6d09b3a317a0a8a38028e749
  • SSDEEP: 49152:GICgYIBuLxcnsis7wVFEIRmQJcCT7KZLDMGLRwHyp9lcOP7UuziMddsruFXKQnLw:jYdxcnsEcI4QJhOOHyuM4u+UdJAqERL

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\589f74dd5933296442d85eec9b0060a321ac8bd49569693134cf7d6c9864ea7f.exe
    "C:\Users\Admin\AppData\Local\Temp\589f74dd5933296442d85eec9b0060a321ac8bd49569693134cf7d6c9864ea7f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobePackages-type0.4.4.1" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2280
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobePackages-type0.4.4.1" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4032
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobePackages-type0.4.4.1" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4704
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "AdobePackages-type0.4.4.1\AdobePackages-type0.4.4.1" /TR "C:\ProgramData\AdobePackages-type0.4.4.1\AdobePackages-type0.4.4.1.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:3508
      • C:\ProgramData\AdobePackages-type0.4.4.1\AdobePackages-type0.4.4.1.exe
        "C:\ProgramData\AdobePackages-type0.4.4.1\AdobePackages-type0.4.4.1.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:1856
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 340
      2⤵
      • Program crash
      PID:664
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1352 -ip 1352
    1⤵
    PID:2800
  • C:\ProgramData\AdobePackages-type0.4.4.1\AdobePackages-type0.4.4.1.exe
    C:\ProgramData\AdobePackages-type0.4.4.1\AdobePackages-type0.4.4.1.exe
    1⤵
    PID:2740

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\AdobePackages-type0.4.4.1\AdobePackages-type0.4.4.1.exe
    Filesize: 770.1MB
    MD5: 819bb3686a54c0b190cfc4020e3229a7
    SHA1: 04bf9058daa3841bf1106ba92c7e42d33436669a
    SHA256: 9632ebd3f345c199b570240958c38bf6cec7f5cac08d3e8005481fbde27a293f
    SHA512: 86ae5d4d2a4d1e90b3f98ce38c798df66f954c6bf7f4df9575c1178dd29b6108689d0757ac4dca54a0dfc6661e473f661062a5a8f011142668bf5399c7eec686
  • C:\ProgramData\AdobePackages-type0.4.4.1\AdobePackages-type0.4.4.1.exe
    Filesize: 807.5MB
    MD5: 1add02d63af99d97dda02de437f85913
    SHA1: e9b7e74b3222209ee281dc049b3967f9923d4781
    SHA256: c9c2a866659fa0404896c050f688e5e22747464c4e4ae3079cbfafcc9a23a351
    SHA512: 6d363cfff4b9143afde28c4084ce1e994e373f618b0f127d863cc241ecf03ea89b3d6511efcc51e0215b1a37336f029e14955d284c05e1811e51af827e794bac
  • C:\ProgramData\AdobePackages-type0.4.4.1\AdobePackages-type0.4.4.1.exe
    Filesize: 327.0MB
    MD5: d73e5812ede87e11a65a4021095bc5a8
    SHA1: ea374692402f95070d0a1b0ba60dad409e7bc528
    SHA256: 4efc621759c38458d4322ffb6e60c9f27885af9ae4e11294a604c77fa26af206
    SHA512: ee356f02bbe39a9a7e7ebf3c321936cac1577f564aa804def8753826d0876e63b8c4a352dcf517b67ea575890d561f25d418da4d493531e7efb258bedc691c55
  • memory/1488-140-0x00000000058A0000-0x00000000058AA000-memory.dmp
    Filesize: 40KB
  • memory/1488-141-0x0000000005880000-0x0000000005890000-memory.dmp
    Filesize: 64KB
  • memory/1488-142-0x0000000005880000-0x0000000005890000-memory.dmp
    Filesize: 64KB
  • memory/1488-143-0x0000000005880000-0x0000000005890000-memory.dmp
    Filesize: 64KB
  • memory/1488-144-0x0000000005880000-0x0000000005890000-memory.dmp
    Filesize: 64KB
  • memory/1488-133-0x0000000000F40000-0x000000000129C000-memory.dmp
    Filesize: 3.4MB
  • memory/1488-139-0x0000000005920000-0x00000000059B2000-memory.dmp
    Filesize: 584KB
  • memory/1488-138-0x0000000005ED0000-0x0000000006474000-memory.dmp
    Filesize: 5.6MB
  • memory/1856-152-0x00007FF7ACAF0000-0x00007FF7AD00F000-memory.dmp
    Filesize: 5.1MB
  • memory/1856-154-0x00007FF7ACAF0000-0x00007FF7AD00F000-memory.dmp
    Filesize: 5.1MB
  • memory/1856-156-0x00007FF7ACAF0000-0x00007FF7AD00F000-memory.dmp
    Filesize: 5.1MB