Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/04/2023, 14:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8ed32257dd36616094c3a530967b1cb32ebe7403629935eb772832521a6c5b3.exe

  • Size

    567KB

  • MD5

    6a45adbf4e77e2df6007838e802838b1

  • SHA1

    7da554b1402dd8ab8052f5bdb7a23abc59b6f540

  • SHA256

    c8ed32257dd36616094c3a530967b1cb32ebe7403629935eb772832521a6c5b3

  • SHA512

    8a3f72eeb7e3c19fc958d6366e3f8936f31a9a99f2b07fdd6b501fc14d3113d03ee27f2f4ca6b96959899cc6258e12f805836d0f4e5039461fd443f55910e21c

  • SSDEEP

    12288:Xy90MN3UfYe3xmLJLXpXX5hYWLTu6qPihIeIGDYO5tl:Xy93qKLFX/NLKniyxGDr5tl

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8ed32257dd36616094c3a530967b1cb32ebe7403629935eb772832521a6c5b3.exe
    "C:\Users\Admin\AppData\Local\Temp\c8ed32257dd36616094c3a530967b1cb32ebe7403629935eb772832521a6c5b3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMz1889.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMz1889.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it803749.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it803749.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2180
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp046134.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp046134.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3096
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 1132
          4⤵
          • Program crash
          PID:880
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr259370.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr259370.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3096 -ip 3096
    1⤵
      PID:4436

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr259370.exe
      Filesize

      136KB

      MD5

      8c80b06d843bd6a7599a5be2075d9a55

      SHA1

      caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

      SHA256

      e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

      SHA512

      cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr259370.exe
      Filesize

      136KB

      MD5

      8c80b06d843bd6a7599a5be2075d9a55

      SHA1

      caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

      SHA256

      e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

      SHA512

      cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMz1889.exe
      Filesize

      413KB

      MD5

      4a0267fea81bbbfa6f3cf89b8a7ec0ab

      SHA1

      381536b1ef4a7e29e9ba8375cf06c0f077db31a7

      SHA256

      25f04461fe3b450176df18857c08ca33d45f6f66df4110be5fcb7ce8068490cf

      SHA512

      85621e4c6231dd2b48f2c0b14dd082e973d0d7de906cd2985453a329cc1477ef4470848bd55135c8cf3b341fdb37ea2482f3e4c26d922357c0707b2ba01494c2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMz1889.exe
      Filesize

      413KB

      MD5

      4a0267fea81bbbfa6f3cf89b8a7ec0ab

      SHA1

      381536b1ef4a7e29e9ba8375cf06c0f077db31a7

      SHA256

      25f04461fe3b450176df18857c08ca33d45f6f66df4110be5fcb7ce8068490cf

      SHA512

      85621e4c6231dd2b48f2c0b14dd082e973d0d7de906cd2985453a329cc1477ef4470848bd55135c8cf3b341fdb37ea2482f3e4c26d922357c0707b2ba01494c2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it803749.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it803749.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp046134.exe
      Filesize

      369KB

      MD5

      73b252d46dbf2b7ec140e0f1289677e9

      SHA1

      a1ce2af4a8e891d864ba55e84661fb73eeed7847

      SHA256

      9431cb58671eef413ce8b2290cca8a25d9369164f90abde9c68d82cd0bc2d964

      SHA512

      56da7c79fd18ccbb17cc305dca720da96cb34f5f8415fe527c9ebf739f0da0b7f3781ee090c88c28b9e7c8c7e0f4b95019d060d657e5aeecc7359ea5958087c8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp046134.exe
      Filesize

      369KB

      MD5

      73b252d46dbf2b7ec140e0f1289677e9

      SHA1

      a1ce2af4a8e891d864ba55e84661fb73eeed7847

      SHA256

      9431cb58671eef413ce8b2290cca8a25d9369164f90abde9c68d82cd0bc2d964

      SHA512

      56da7c79fd18ccbb17cc305dca720da96cb34f5f8415fe527c9ebf739f0da0b7f3781ee090c88c28b9e7c8c7e0f4b95019d060d657e5aeecc7359ea5958087c8

      Download Submit

    • memory/2180-147-0x00000000009E0000-0x00000000009EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3096-153-0x0000000002D30000-0x0000000002D76000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3096-154-0x0000000007310000-0x00000000078B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3096-155-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-156-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-158-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-160-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-162-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-164-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-166-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-168-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-170-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-172-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-174-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-176-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-178-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-180-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-184-0x0000000004C10000-0x0000000004C20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-182-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-185-0x0000000004C10000-0x0000000004C20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-186-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-187-0x0000000004C10000-0x0000000004C20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-189-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-191-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-193-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-195-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-197-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-199-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-201-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-203-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-205-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-207-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-209-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-211-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-213-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-215-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-217-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-219-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-221-0x00000000078C0000-0x00000000078F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3096-950-0x0000000009DC0000-0x000000000A3D8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3096-951-0x000000000A460000-0x000000000A472000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3096-952-0x000000000A480000-0x000000000A58A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3096-953-0x000000000A5A0000-0x000000000A5DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3096-954-0x0000000004C10000-0x0000000004C20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-955-0x000000000A8A0000-0x000000000A906000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3096-956-0x000000000AF60000-0x000000000AFF2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3096-957-0x000000000B130000-0x000000000B1A6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3096-958-0x000000000B1E0000-0x000000000B1FE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3096-959-0x000000000B2A0000-0x000000000B2F0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3096-960-0x000000000B300000-0x000000000B4C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3096-962-0x000000000B4D0000-0x000000000B9FC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3096-965-0x0000000004C10000-0x0000000004C20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-966-0x0000000004C10000-0x0000000004C20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4796-970-0x0000000000ED0000-0x0000000000EF8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/4796-971-0x0000000007D20000-0x0000000007D30000-memory.dmp

      Filesize

      64KB

      Download