Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    188s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/11/2023, 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27b1a426cbe8250b695562c84407f117df248f61652364d1c2ecfcc55e77e1b1.dll

  • Size

    73KB

  • MD5

    82cda6dff0369daf45c2d87fc255b17e

  • SHA1

    7df4aca8422e249dc8c6a62411f13d8c41a5f3ab

  • SHA256

    27b1a426cbe8250b695562c84407f117df248f61652364d1c2ecfcc55e77e1b1

  • SHA512

    702035147472943c34734386394262331a3b3c82fe95f819c9f3ee48abcf213328db0a0c625abbcbe8ceafa5325641c2c132c11f61207ffcb946db9608dc0185

  • SSDEEP

    1536:awsdCFnE4Nz1/SXPtpoprAeDYxUfGChK5O:awsAik1a4pGChK5O

Score
10/10
evasiontrojanupx

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\27b1a426cbe8250b695562c84407f117df248f61652364d1c2ecfcc55e77e1b1.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3324
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\27b1a426cbe8250b695562c84407f117df248f61652364d1c2ecfcc55e77e1b1.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\ProgramData\dC9nH\NfsRL2.exe
        "C:\ProgramData\dC9nH\NfsRL2.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4316
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c echo.>c:\xxxx.ini
          4⤵
            PID:4416

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\dC9nH\Edge.jpg
      Filesize

      358KB

      MD5

      88dc5511d1e562702be62538fa689250

      SHA1

      fb57c4bd0834c3d383206b06ef26446ddadbf5b2

      SHA256

      4164667986e2d6279a8061b0f2c376af7ff56c475d687f821b6a4e476b09c749

      SHA512

      170f7ecc158746721105eacfca89b52e03198a0f0d7b38a5829cf3bd1b71117aa565ed0abd9bd4925ecd817fb92fafb5b0dda3effb8e46be587fe197de84ee2e

      Download Submit

    • C:\ProgramData\dC9nH\NfsRL2.dat
      Filesize

      132KB

      MD5

      29748a35652b7141564bb12bfe0c1518

      SHA1

      22185dfc9fd96cfe31e8c366873f0579123c907b

      SHA256

      eed2dee4085add557bcc6d695a1296bd00671c8a453ab13a6ae075d02aba7384

      SHA512

      1ec1459dc1ea8497c3e44ce17110ebcc272a7ceea72f59f44083e3872f8999e0ac7eb58953fc0d57d00f331e5884c3c4b3d1307193379abff94fbb51c73056dc

      Download Submit

    • C:\ProgramData\dC9nH\NfsRL2.exe
      Filesize

      525KB

      MD5

      6a1a6f99898c8e80ba2dcc123d94dcee

      SHA1

      5ffeb81a5699d75eef7157017ca5cc5b5441e27e

      SHA256

      796580bae30683b0b502dddfd0fd5574b91f3f1e72f67785df43654208990471

      SHA512

      702802da0bb8e3c536ca290cd1cda88c1001bf4a5a6cf5f124c4d4599aae42948e966fdf8f2949ee1624778b128492411416b24dbfb7998131a4b4d27b9cb909

      Download Submit

    • C:\ProgramData\dC9nH\NfsRL2.exe
      Filesize

      525KB

      MD5

      6a1a6f99898c8e80ba2dcc123d94dcee

      SHA1

      5ffeb81a5699d75eef7157017ca5cc5b5441e27e

      SHA256

      796580bae30683b0b502dddfd0fd5574b91f3f1e72f67785df43654208990471

      SHA512

      702802da0bb8e3c536ca290cd1cda88c1001bf4a5a6cf5f124c4d4599aae42948e966fdf8f2949ee1624778b128492411416b24dbfb7998131a4b4d27b9cb909

      Download Submit

    • C:\ProgramData\dC9nH\NfsRL2.exe
      Filesize

      525KB

      MD5

      6a1a6f99898c8e80ba2dcc123d94dcee

      SHA1

      5ffeb81a5699d75eef7157017ca5cc5b5441e27e

      SHA256

      796580bae30683b0b502dddfd0fd5574b91f3f1e72f67785df43654208990471

      SHA512

      702802da0bb8e3c536ca290cd1cda88c1001bf4a5a6cf5f124c4d4599aae42948e966fdf8f2949ee1624778b128492411416b24dbfb7998131a4b4d27b9cb909

      Download Submit

    • C:\ProgramData\dC9nH\edge.xml
      Filesize

      76KB

      MD5

      f53a690dbef87549d32c96d072c5de6c

      SHA1

      76b5496fcada2ceca09eb105408854ab06f67e2f

      SHA256

      442dc3f6a6205a0c90ee7df342d18bbd73380b7a1ecc465800dff662bb58e9e6

      SHA512

      0d16a47e536f4070d6484599adece2e997f29d4a10e602fa81f0d5ec7c95780b000ea3170e119c279fad4cc337153f4843434cd5c34c728e2b62d73cd8b6bc29

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG
      Filesize

      6KB

      MD5

      e39405e85e09f64ccde0f59392317dd3

      SHA1

      9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

      SHA256

      cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

      SHA512

      6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG
      Filesize

      36KB

      MD5

      f6bf82a293b69aa5b47d4e2de305d45a

      SHA1

      4948716616d4bbe68be2b4c5bf95350402d3f96f

      SHA256

      6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

      SHA512

      edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

      Download Submit

    • memory/4316-41-0x0000000003670000-0x0000000003671000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4316-39-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4316-44-0x00000000038C0000-0x00000000038D7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4316-46-0x0000000010000000-0x0000000010061000-memory.dmp

      Filesize

      388KB

      Download

    • memory/4316-18-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4316-58-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4316-61-0x00000000038C0000-0x00000000038D7000-memory.dmp

      Filesize

      92KB

      Download