Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    69s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08/06/2023, 04:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7effb59980b70b29a2658ab0644081b2fc09cbe6df21a986b478a7256107f2a.exe

  • Size

    753KB

  • MD5

    bfcfb45e9b4520f8426f9644c824d754

  • SHA1

    33113504dfa7fee76fd4e1a271cd4648fe8b8c5c

  • SHA256

    a7effb59980b70b29a2658ab0644081b2fc09cbe6df21a986b478a7256107f2a

  • SHA512

    4ae7dc2c24be99b73f50d5f92da46406e6f8e7f872b679f0589283eb83e3ddc18ae5547a69c209458959fc47493965d7379c885f04cc111dfedd0374c8d9761f

  • SSDEEP

    12288:EMrvy90FUfUD5D3JqLsYc+JGz3/MeUS4ppZI141oO3ITPMy1dM3vlmzqUpa9MO5f:LySlpZqYJPM5SGZ34zbg9l5v

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7effb59980b70b29a2658ab0644081b2fc09cbe6df21a986b478a7256107f2a.exe
    "C:\Users\Admin\AppData\Local\Temp\a7effb59980b70b29a2658ab0644081b2fc09cbe6df21a986b478a7256107f2a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0275036.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0275036.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3568
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9238026.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9238026.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4164
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5537667.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5537667.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4196
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3822198.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3822198.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:5016
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4084
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 212
              6⤵
              • Program crash
              PID:3664

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0275036.exe
    Filesize

    539KB

    MD5

    0fc047b3ebb692bb34d3743a5876e3bf

    SHA1

    fd444fddd8810ebbdd08e3c2372d49cd99b80573

    SHA256

    8321a4804914062cddb660ca3fb089cae00137c302d13fedee402e901c18f270

    SHA512

    96c13100db24dc0ac04efc56fab0b0912b156cba41171f1a527c95ee45fee4da2e502cdeb609f01d3fd86e171b08a8690f3e772ead125c970e79d2a15daa3c2c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0275036.exe
    Filesize

    539KB

    MD5

    0fc047b3ebb692bb34d3743a5876e3bf

    SHA1

    fd444fddd8810ebbdd08e3c2372d49cd99b80573

    SHA256

    8321a4804914062cddb660ca3fb089cae00137c302d13fedee402e901c18f270

    SHA512

    96c13100db24dc0ac04efc56fab0b0912b156cba41171f1a527c95ee45fee4da2e502cdeb609f01d3fd86e171b08a8690f3e772ead125c970e79d2a15daa3c2c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9238026.exe
    Filesize

    366KB

    MD5

    815e479538050de898a01bf1935d8612

    SHA1

    8e7a8ad2cfb7e92d1a98e4717acb17dadf61627d

    SHA256

    7d8e8ee7d4e3845f4b10df7245a55d36b53dc90ea4ef7cfbe3d7fd13ecb5311e

    SHA512

    b6009560dbe68262d08e13f7aec1ba264ac0eb1b58f735a841f5fa8d8e8674275d8f0bac487d377953f15d4d5a83e9df478640c22246e6bd33de7c20b224f341

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9238026.exe
    Filesize

    366KB

    MD5

    815e479538050de898a01bf1935d8612

    SHA1

    8e7a8ad2cfb7e92d1a98e4717acb17dadf61627d

    SHA256

    7d8e8ee7d4e3845f4b10df7245a55d36b53dc90ea4ef7cfbe3d7fd13ecb5311e

    SHA512

    b6009560dbe68262d08e13f7aec1ba264ac0eb1b58f735a841f5fa8d8e8674275d8f0bac487d377953f15d4d5a83e9df478640c22246e6bd33de7c20b224f341

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5537667.exe
    Filesize

    211KB

    MD5

    4d8d5d77e16974815492f7ac7e221b24

    SHA1

    98d7ee2b5aaaebca5fd62477ee1a12fcc6cc11fa

    SHA256

    a73127df1e0f56aec914899ed5a443d93fc0587af39168f4e8bbd5c114432316

    SHA512

    d5fcf97dc1550da8190977efa1247ed87f39df22996fd83e5bad9b922803244a9004a5cc137a821feffb38f74302c41ee112f73d4d8e264cb32e15d1dbc5c604

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5537667.exe
    Filesize

    211KB

    MD5

    4d8d5d77e16974815492f7ac7e221b24

    SHA1

    98d7ee2b5aaaebca5fd62477ee1a12fcc6cc11fa

    SHA256

    a73127df1e0f56aec914899ed5a443d93fc0587af39168f4e8bbd5c114432316

    SHA512

    d5fcf97dc1550da8190977efa1247ed87f39df22996fd83e5bad9b922803244a9004a5cc137a821feffb38f74302c41ee112f73d4d8e264cb32e15d1dbc5c604

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3822198.exe
    Filesize

    121KB

    MD5

    8727156bedee52d5b9d257e5375794e3

    SHA1

    f46e22d4f2be7c5c5d95dde60fa9305eb74d2b15

    SHA256

    2e936aaf5a8064745dad99c63b5b37f8429d89b3246ff5ca754392f9f80202b6

    SHA512

    ec9ff15fe026408c246933d240d2328f5672815b8b11c561c1a94f6cb3070bc63aa2bced89d310b3293d2160da1d72ed981dbf5683530ffec26aad135813c78d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3822198.exe
    Filesize

    121KB

    MD5

    8727156bedee52d5b9d257e5375794e3

    SHA1

    f46e22d4f2be7c5c5d95dde60fa9305eb74d2b15

    SHA256

    2e936aaf5a8064745dad99c63b5b37f8429d89b3246ff5ca754392f9f80202b6

    SHA512

    ec9ff15fe026408c246933d240d2328f5672815b8b11c561c1a94f6cb3070bc63aa2bced89d310b3293d2160da1d72ed981dbf5683530ffec26aad135813c78d

    Download Submit

  • memory/4084-149-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download