Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    110s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24/09/2023, 01:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be6882a4b0bacccc0975f14f068d005259d1497139a05dd5cd44a4a387ba48eb.exe

  • Size

    933KB

  • MD5

    94c5ab840e8b4e75489f701e195c577b

  • SHA1

    1f2c8492b75888b26cf4a3906a9d546abaf41627

  • SHA256

    be6882a4b0bacccc0975f14f068d005259d1497139a05dd5cd44a4a387ba48eb

  • SHA512

    e4594d8ca8375f3ac35b0bda42f7002ced3b558ff4832bf9407b4cee05366de0b497b5f0c28a13421926dcd7cb464315eb7186bc243917e599817ba592f62651

  • SSDEEP

    24576:nyTDuksQFdmbrNhScd7PHWKP6diY8FCR2:yfuSFwbrNhS2z2CjYDR

Score
10/10
healerdropperevasionpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be6882a4b0bacccc0975f14f068d005259d1497139a05dd5cd44a4a387ba48eb.exe
    "C:\Users\Admin\AppData\Local\Temp\be6882a4b0bacccc0975f14f068d005259d1497139a05dd5cd44a4a387ba48eb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2704231.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2704231.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0551435.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0551435.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3848
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5295163.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5295163.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1312
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801733.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801733.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1348
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2284
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 552
              6⤵
              • Program crash
              PID:1564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2704231.exe
    Filesize

    831KB

    MD5

    4360209e1ec2907230dfbfe08d584c7d

    SHA1

    9de6f56cc2d20356741740ff7b5c67e1be59cfa6

    SHA256

    3509269a32378a661f2a41e986badd3b82fcfcd1256171f7f144d449dfb459c0

    SHA512

    cf58b6514611f0d0f1f499f72154946594673f46660a8ad0f04adc66a1ea28eaefecd71baf4fa078379db82a8cf4a5fde2f93ba13fbc69c6cb8ac1eb550c38b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2704231.exe
    Filesize

    831KB

    MD5

    4360209e1ec2907230dfbfe08d584c7d

    SHA1

    9de6f56cc2d20356741740ff7b5c67e1be59cfa6

    SHA256

    3509269a32378a661f2a41e986badd3b82fcfcd1256171f7f144d449dfb459c0

    SHA512

    cf58b6514611f0d0f1f499f72154946594673f46660a8ad0f04adc66a1ea28eaefecd71baf4fa078379db82a8cf4a5fde2f93ba13fbc69c6cb8ac1eb550c38b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0551435.exe
    Filesize

    604KB

    MD5

    e4ca384a062d569f5b3db636e77780d4

    SHA1

    396c01b235a0a4c4021d40e33704d4ab0b369da7

    SHA256

    e30e3900960f2f17a33f245fc16b1667cec5c2c70c6782c296b8477e1d60be49

    SHA512

    cafb149f316a6f8e2ad17f6eab18307686dea4082d5fd19dd4a428b0d902faaa5e8f1735faad8728094851035ab40fdebf4f9d1bfae97f165a72da8e6670d8ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0551435.exe
    Filesize

    604KB

    MD5

    e4ca384a062d569f5b3db636e77780d4

    SHA1

    396c01b235a0a4c4021d40e33704d4ab0b369da7

    SHA256

    e30e3900960f2f17a33f245fc16b1667cec5c2c70c6782c296b8477e1d60be49

    SHA512

    cafb149f316a6f8e2ad17f6eab18307686dea4082d5fd19dd4a428b0d902faaa5e8f1735faad8728094851035ab40fdebf4f9d1bfae97f165a72da8e6670d8ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5295163.exe
    Filesize

    344KB

    MD5

    3302cb96f2e78df45b5a285ad5ab93e0

    SHA1

    72c22273ca9737e5fef7523ea53fb10f8ae1505a

    SHA256

    de91757813fb9795ca7799ff71534d0254681682e2a50b721d63ce7a45e70ac0

    SHA512

    e627c4b91cce00bc05b044885145436f79a961b139c92caa4f55515fa1cb120d0201e365984d6eebf47f6b05dacd28212437732174d083408bccded0bb06ba4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5295163.exe
    Filesize

    344KB

    MD5

    3302cb96f2e78df45b5a285ad5ab93e0

    SHA1

    72c22273ca9737e5fef7523ea53fb10f8ae1505a

    SHA256

    de91757813fb9795ca7799ff71534d0254681682e2a50b721d63ce7a45e70ac0

    SHA512

    e627c4b91cce00bc05b044885145436f79a961b139c92caa4f55515fa1cb120d0201e365984d6eebf47f6b05dacd28212437732174d083408bccded0bb06ba4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801733.exe
    Filesize

    220KB

    MD5

    320ff3fc99045974a3e3b00c1b4211fe

    SHA1

    cca91a54907e0adea094f9f1576d20eda155f70c

    SHA256

    6d8db0bb44a86151647b1f1164e2b2c015b62f1f8af86b35db4e95ff32707c40

    SHA512

    b676425b5fe86e951235c973d8a1732161cdf89b16b673f2bb457a8eb497cdaadeaa6f06d59861eb7478739a1ce0d1fcc5ffea6e3e26f978778a219b501bf15d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801733.exe
    Filesize

    220KB

    MD5

    320ff3fc99045974a3e3b00c1b4211fe

    SHA1

    cca91a54907e0adea094f9f1576d20eda155f70c

    SHA256

    6d8db0bb44a86151647b1f1164e2b2c015b62f1f8af86b35db4e95ff32707c40

    SHA512

    b676425b5fe86e951235c973d8a1732161cdf89b16b673f2bb457a8eb497cdaadeaa6f06d59861eb7478739a1ce0d1fcc5ffea6e3e26f978778a219b501bf15d

    Download Submit

  • memory/2284-28-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2284-32-0x0000000072F80000-0x000000007366E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2284-41-0x0000000072F80000-0x000000007366E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2284-56-0x0000000072F80000-0x000000007366E000-memory.dmp

    Filesize

    6.9MB

    Download