Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 21:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14fee377c9a92fd05ebc6acc171df29ccd9d8be2d687e6e19c84981d0806b650.exe

  • Size

    479KB

  • MD5

    76e49216d90ba4d73372e49290622655

  • SHA1

    736ac86f3e7624d881f4c508775ffa2e2f411622

  • SHA256

    14fee377c9a92fd05ebc6acc171df29ccd9d8be2d687e6e19c84981d0806b650

  • SHA512

    c109790e23c9652cdc77b2188970f88eab1f36136810ac601a5af742ad750b232f34ab4ff02b09967a416cad83f321cc988297c4b7a6f93ccd7290d67e0b8771

  • SSDEEP

    12288:qMrKy90uC1kKtvvA1H4Eb0a3wgl6/eOWxng:MyQt3pEoaRlkec

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14fee377c9a92fd05ebc6acc171df29ccd9d8be2d687e6e19c84981d0806b650.exe
    "C:\Users\Admin\AppData\Local\Temp\14fee377c9a92fd05ebc6acc171df29ccd9d8be2d687e6e19c84981d0806b650.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9276471.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9276471.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7450300.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7450300.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4824
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h0429342.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h0429342.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2852
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8695130.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8695130.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4628
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:3676
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1604
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:2512
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:N"
              5⤵
                PID:1484
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                5⤵
                  PID:2108
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:2468
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\c3912af058" /P "Admin:N"
                    5⤵
                      PID:3756
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\c3912af058" /P "Admin:R" /E
                      5⤵
                        PID:456

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8695130.exe
                Filesize

                207KB

                MD5

                d8a60597147d116ef42a1bde13474e9f

                SHA1

                72fadf1185d7dda89236cf41ed5b52246c796f98

                SHA256

                8ec75321652f076cbc7f4850c98c346afe2a64cda689423b0f9c9edc42148594

                SHA512

                8e549d19740cb25ef4ae28545ecd5c46b7f85badaf4d8fc8b7718c2561896e62b64c6ec595dd9c46633e739342f0e56b0bc09cee4d65c21f3db7b9100d2a5933

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8695130.exe
                Filesize

                207KB

                MD5

                d8a60597147d116ef42a1bde13474e9f

                SHA1

                72fadf1185d7dda89236cf41ed5b52246c796f98

                SHA256

                8ec75321652f076cbc7f4850c98c346afe2a64cda689423b0f9c9edc42148594

                SHA512

                8e549d19740cb25ef4ae28545ecd5c46b7f85badaf4d8fc8b7718c2561896e62b64c6ec595dd9c46633e739342f0e56b0bc09cee4d65c21f3db7b9100d2a5933

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9276471.exe
                Filesize

                308KB

                MD5

                bf301f530d6521a39feb6d69410be5bd

                SHA1

                64cdc5371f1d4dc1314570092896765cdc2e5aa1

                SHA256

                b68bcf5003cb4337b8a9beb5ea7ddef6c959215d8940ec06d6560dec6724eeb5

                SHA512

                44644a0d768c99d8be35184cf1372cf8bc914824632d2cb610c1589aff765483b3d41355b27db469cdf676821bf042cacd186bf257c32ec7ba2387938c8e17ae

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9276471.exe
                Filesize

                308KB

                MD5

                bf301f530d6521a39feb6d69410be5bd

                SHA1

                64cdc5371f1d4dc1314570092896765cdc2e5aa1

                SHA256

                b68bcf5003cb4337b8a9beb5ea7ddef6c959215d8940ec06d6560dec6724eeb5

                SHA512

                44644a0d768c99d8be35184cf1372cf8bc914824632d2cb610c1589aff765483b3d41355b27db469cdf676821bf042cacd186bf257c32ec7ba2387938c8e17ae

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7450300.exe
                Filesize

                136KB

                MD5

                55d976d275eaa33cff253ca9508a0ab6

                SHA1

                a3e19c215079990a0df2087afe201099178e5a47

                SHA256

                7e67bc108417e28ceee02c549a5e6f8a6ad23cd6ccd28d735e2305d8b138d6d4

                SHA512

                fd8cd3e82ba08a4c76f86771b70a1f37b65bc53182055941fa8ea1455fd576021ce14ca47fce5c96d8db83d580133eed8c217fbab45637381a4b67dd178bb385

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7450300.exe
                Filesize

                136KB

                MD5

                55d976d275eaa33cff253ca9508a0ab6

                SHA1

                a3e19c215079990a0df2087afe201099178e5a47

                SHA256

                7e67bc108417e28ceee02c549a5e6f8a6ad23cd6ccd28d735e2305d8b138d6d4

                SHA512

                fd8cd3e82ba08a4c76f86771b70a1f37b65bc53182055941fa8ea1455fd576021ce14ca47fce5c96d8db83d580133eed8c217fbab45637381a4b67dd178bb385

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h0429342.exe
                Filesize

                175KB

                MD5

                455df9ee4431ae2c07f47355a47b0570

                SHA1

                0a9a6a26daffc046a658a76a5962c99095d8884a

                SHA256

                3cc8e7faf937c09cb2defaa001b5e56ad50ce708b5eef0c5aa4251c8c7f544e9

                SHA512

                6a5584fcd2c5f29b72d903a45d4c005be1c3814462f3cc907bb4827ec0d1124fff62fe735ca98ed36a25b36c85ed253e0f4f10243199529e41c868f15a611f2a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h0429342.exe
                Filesize

                175KB

                MD5

                455df9ee4431ae2c07f47355a47b0570

                SHA1

                0a9a6a26daffc046a658a76a5962c99095d8884a

                SHA256

                3cc8e7faf937c09cb2defaa001b5e56ad50ce708b5eef0c5aa4251c8c7f544e9

                SHA512

                6a5584fcd2c5f29b72d903a45d4c005be1c3814462f3cc907bb4827ec0d1124fff62fe735ca98ed36a25b36c85ed253e0f4f10243199529e41c868f15a611f2a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                207KB

                MD5

                d8a60597147d116ef42a1bde13474e9f

                SHA1

                72fadf1185d7dda89236cf41ed5b52246c796f98

                SHA256

                8ec75321652f076cbc7f4850c98c346afe2a64cda689423b0f9c9edc42148594

                SHA512

                8e549d19740cb25ef4ae28545ecd5c46b7f85badaf4d8fc8b7718c2561896e62b64c6ec595dd9c46633e739342f0e56b0bc09cee4d65c21f3db7b9100d2a5933

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                207KB

                MD5

                d8a60597147d116ef42a1bde13474e9f

                SHA1

                72fadf1185d7dda89236cf41ed5b52246c796f98

                SHA256

                8ec75321652f076cbc7f4850c98c346afe2a64cda689423b0f9c9edc42148594

                SHA512

                8e549d19740cb25ef4ae28545ecd5c46b7f85badaf4d8fc8b7718c2561896e62b64c6ec595dd9c46633e739342f0e56b0bc09cee4d65c21f3db7b9100d2a5933

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                207KB

                MD5

                d8a60597147d116ef42a1bde13474e9f

                SHA1

                72fadf1185d7dda89236cf41ed5b52246c796f98

                SHA256

                8ec75321652f076cbc7f4850c98c346afe2a64cda689423b0f9c9edc42148594

                SHA512

                8e549d19740cb25ef4ae28545ecd5c46b7f85badaf4d8fc8b7718c2561896e62b64c6ec595dd9c46633e739342f0e56b0bc09cee4d65c21f3db7b9100d2a5933

                Download Submit

              • memory/2852-187-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-193-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-198-0x00000000005F0000-0x0000000000600000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2852-197-0x00000000005F0000-0x0000000000600000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2852-196-0x00000000005F0000-0x0000000000600000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2852-195-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-191-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-189-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-183-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-185-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-166-0x00000000005F0000-0x0000000000600000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2852-167-0x00000000005F0000-0x0000000000600000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2852-168-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-169-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-171-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-175-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-173-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-177-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-179-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2852-181-0x0000000002510000-0x0000000002522000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4824-159-0x0000000008410000-0x0000000008460000-memory.dmp

                Filesize

                320KB

                Download

              • memory/4824-151-0x0000000007310000-0x000000000734C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/4824-152-0x0000000007630000-0x0000000007640000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4824-161-0x0000000009340000-0x000000000986C000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/4824-160-0x0000000008630000-0x00000000087F2000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4824-155-0x0000000008210000-0x00000000082A2000-memory.dmp

                Filesize

                584KB

                Download

              • memory/4824-154-0x0000000007630000-0x0000000007640000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4824-157-0x0000000008170000-0x00000000081E6000-memory.dmp

                Filesize

                472KB

                Download

              • memory/4824-153-0x00000000076B0000-0x0000000007716000-memory.dmp

                Filesize

                408KB

                Download

              • memory/4824-156-0x0000000008860000-0x0000000008E04000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/4824-158-0x0000000004E50000-0x0000000004E6E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/4824-150-0x00000000073E0000-0x00000000074EA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4824-149-0x00000000072B0000-0x00000000072C2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4824-148-0x0000000007840000-0x0000000007E58000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4824-147-0x00000000005A0000-0x00000000005C8000-memory.dmp

                Filesize

                160KB

                Download