Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

dridex

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/11/2023, 14:36 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.exe

  • Size

    4.9MB

  • MD5

    3e977dcb4efb8d3bd95e2211d8161a66

  • SHA1

    acff677b344b348fe1a6944830ca42ddf5c341eb

  • SHA256

    5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d

  • SHA512

    c76c9f47303eff3073542c7c3fe496627280d72eefb608e64f3b5ced92b2670bf39438368458c7b9609c0d16a882beb5ee84896f3a5a15e4eca79bf742b46190

  • SSDEEP

    98304:Rc5LyCUfJ+K0OBvdcTIjudjbaS2mCWk/lS5pXHBN+zkQZMFzriQEQYlE:WzUfJ+K0OHcIjudbh21WQlSvBAEGQYu

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.exe
    "C:\Users\Admin\AppData\Local\Temp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Users\Admin\AppData\Local\Temp\is-0VHVU.tmp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0VHVU.tmp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp" /SL5="$401E6,4923723,54272,C:\Users\Admin\AppData\Local\Temp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Query
        3⤵
          PID:3304
        • C:\Program Files (x86)\Common Files\TVCross\TVCross.exe
          "C:\Program Files (x86)\Common Files\TVCross\TVCross.exe" -i
          3⤵
          • Executes dropped EXE
          PID:5048
        • C:\Program Files (x86)\Common Files\TVCross\TVCross.exe
          "C:\Program Files (x86)\Common Files\TVCross\TVCross.exe" -s
          3⤵
          • Executes dropped EXE
          PID:5028
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\system32\net.exe" helpmsg 24
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 helpmsg 24
            4⤵
              PID:560

      Network

      • flag-us
        DNS
        158.240.127.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        158.240.127.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        71.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        71.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        59.128.231.4.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        59.128.231.4.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        146.78.124.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        146.78.124.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        86.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        86.23.85.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        198.187.3.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        198.187.3.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        17.14.97.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        17.14.97.104.in-addr.arpa
        IN PTR
        Response
        17.14.97.104.in-addr.arpa
        IN PTR
        a104-97-14-17deploystaticakamaitechnologiescom
      • flag-us
        DNS
        193.78.101.95.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        193.78.101.95.in-addr.arpa
        IN PTR
        Response
        193.78.101.95.in-addr.arpa
        IN PTR
        a95-101-78-193deploystaticakamaitechnologiescom
      • flag-us
        DNS
        152.78.101.95.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        152.78.101.95.in-addr.arpa
        IN PTR
        Response
        152.78.101.95.in-addr.arpa
        IN PTR
        a95-101-78-152deploystaticakamaitechnologiescom
      • flag-bg
        DNS
        dlvozoz.info
        TVCross.exe
        Remote address:
        88.80.147.105:53
        Request
        dlvozoz.info
        IN A
        Response
        dlvozoz.info
        IN A
        185.141.63.253
      • flag-bg
        GET
        http://dlvozoz.info/fox.php?c=de7ef49b2c006853fb383c7a6206a7423dfc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439c40c87a0c922e9d59869d35226842b4757736ce967179ccd0d6345d528fd305ff17cade
        TVCross.exe
        Remote address:
        185.141.63.253:80
        Request
        GET /fox.php?c=de7ef49b2c006853fb383c7a6206a7423dfc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439c40c87a0c922e9d59869d35226842b4757736ce967179ccd0d6345d528fd305ff17cade HTTP/1.1
        Host: dlvozoz.info
        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Fri, 24 Nov 2023 14:38:29 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Vary: Accept-Encoding
      • flag-us
        DNS
        105.147.80.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        105.147.80.88.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        253.63.141.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        253.63.141.185.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        27.178.89.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        27.178.89.13.in-addr.arpa
        IN PTR
        Response
      • 185.141.63.253:80
        http://dlvozoz.info/fox.php?c=de7ef49b2c006853fb383c7a6206a7423dfc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439c40c87a0c922e9d59869d35226842b4757736ce967179ccd0d6345d528fd305ff17cade
        http
        TVCross.exe
        477 B
         374 B
         4
        4

        HTTP Request

        GET http://dlvozoz.info/fox.php?c=de7ef49b2c006853fb383c7a6206a7423dfc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439c40c87a0c922e9d59869d35226842b4757736ce967179ccd0d6345d528fd305ff17cade

        HTTP Response

        200
      • 8.8.8.8:53
        158.240.127.40.in-addr.arpa
        dns
        73 B
         147 B
         1
        1

        DNS Request

        158.240.127.40.in-addr.arpa

      • 8.8.8.8:53
        71.159.190.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        71.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
         144 B
         1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        59.128.231.4.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        59.128.231.4.in-addr.arpa

      • 8.8.8.8:53
        146.78.124.51.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        146.78.124.51.in-addr.arpa

      • 8.8.8.8:53
        86.23.85.13.in-addr.arpa
        dns
        70 B
         144 B
         1
        1

        DNS Request

        86.23.85.13.in-addr.arpa

      • 8.8.8.8:53
        198.187.3.20.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        198.187.3.20.in-addr.arpa

      • 8.8.8.8:53
        17.14.97.104.in-addr.arpa
        dns
        71 B
         135 B
         1
        1

        DNS Request

        17.14.97.104.in-addr.arpa

      • 8.8.8.8:53
        193.78.101.95.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        193.78.101.95.in-addr.arpa

      • 8.8.8.8:53
        152.78.101.95.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        152.78.101.95.in-addr.arpa

      • 88.80.147.105:53
        dlvozoz.info
        dns
        TVCross.exe
        58 B
         86 B
         1
        1

        DNS Request

        dlvozoz.info

        DNS Response

        185.141.63.253

      • 8.8.8.8:53
        105.147.80.88.in-addr.arpa
        dns
        72 B
         123 B
         1
        1

        DNS Request

        105.147.80.88.in-addr.arpa

      • 8.8.8.8:53
        253.63.141.185.in-addr.arpa
        dns
        73 B
         124 B
         1
        1

        DNS Request

        253.63.141.185.in-addr.arpa

      • 8.8.8.8:53
        27.178.89.13.in-addr.arpa
        dns
        71 B
         145 B
         1
        1

        DNS Request

        27.178.89.13.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Common Files\TVCross\TVCross.exe
        Filesize

        4.0MB

        MD5

        d8fb43a1267e2e61ebab8b3063b234db

        SHA1

        4b6cc720b15990c1f1a7b102e5ced7e5ddb11ce0

        SHA256

        3de538b525674a9412e62cdf89e5fdef96ec06eb1d929e7b9563aff8d49969fb

        SHA512

        5a849fea034c98abf504da3d69ae1dcea7cd58a65a4ce0048f192f91e465c6a1cabc5716db535b162c68239f345a5f78ad4e4353ac377c0ce330f34be8576c50

        Download Submit

      • C:\Program Files (x86)\Common Files\TVCross\TVCross.exe
        Filesize

        4.0MB

        MD5

        d8fb43a1267e2e61ebab8b3063b234db

        SHA1

        4b6cc720b15990c1f1a7b102e5ced7e5ddb11ce0

        SHA256

        3de538b525674a9412e62cdf89e5fdef96ec06eb1d929e7b9563aff8d49969fb

        SHA512

        5a849fea034c98abf504da3d69ae1dcea7cd58a65a4ce0048f192f91e465c6a1cabc5716db535b162c68239f345a5f78ad4e4353ac377c0ce330f34be8576c50

        Download Submit

      • C:\Program Files (x86)\Common Files\TVCross\TVCross.exe
        Filesize

        4.0MB

        MD5

        d8fb43a1267e2e61ebab8b3063b234db

        SHA1

        4b6cc720b15990c1f1a7b102e5ced7e5ddb11ce0

        SHA256

        3de538b525674a9412e62cdf89e5fdef96ec06eb1d929e7b9563aff8d49969fb

        SHA512

        5a849fea034c98abf504da3d69ae1dcea7cd58a65a4ce0048f192f91e465c6a1cabc5716db535b162c68239f345a5f78ad4e4353ac377c0ce330f34be8576c50

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-0VHVU.tmp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
        Filesize

        683KB

        MD5

        f507ce43ea08d1721816ad4b0e090f50

        SHA1

        e4f02bcd410bddabea4c741838d9a88386547629

        SHA256

        d2218bde27d66f28e3caf15e899653a9357ebdc7adf9a763b687f6c03c93e5e1

        SHA512

        37b2f92df632f75447572df840a236ef01021e8291536bf2e8156179333f770afdd8bcbf50cb05bbdbdaa53c00ace46119290800b115823ea035a2389a3f6693

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-0VHVU.tmp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
        Filesize

        683KB

        MD5

        f507ce43ea08d1721816ad4b0e090f50

        SHA1

        e4f02bcd410bddabea4c741838d9a88386547629

        SHA256

        d2218bde27d66f28e3caf15e899653a9357ebdc7adf9a763b687f6c03c93e5e1

        SHA512

        37b2f92df632f75447572df840a236ef01021e8291536bf2e8156179333f770afdd8bcbf50cb05bbdbdaa53c00ace46119290800b115823ea035a2389a3f6693

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-N6B5I.tmp\_isetup\_iscrypt.dll
        Filesize

        2KB

        MD5

        a69559718ab506675e907fe49deb71e9

        SHA1

        bc8f404ffdb1960b50c12ff9413c893b56f2e36f

        SHA256

        2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

        SHA512

        e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-N6B5I.tmp\_isetup\_isdecmp.dll
        Filesize

        13KB

        MD5

        a813d18268affd4763dde940246dc7e5

        SHA1

        c7366e1fd925c17cc6068001bd38eaef5b42852f

        SHA256

        e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

        SHA512

        b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-N6B5I.tmp\_isetup\_isdecmp.dll
        Filesize

        13KB

        MD5

        a813d18268affd4763dde940246dc7e5

        SHA1

        c7366e1fd925c17cc6068001bd38eaef5b42852f

        SHA256

        e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

        SHA512

        b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

        Download Submit

      • memory/3828-12-0x00000000007A0000-0x00000000007A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3828-72-0x00000000007A0000-0x00000000007A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3828-70-0x0000000000400000-0x00000000004BA000-memory.dmp

        Filesize

        744KB

        Download

      • memory/4100-69-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/4100-0-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/4100-2-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/5028-90-0x00000000009C0000-0x0000000000A6D000-memory.dmp

        Filesize

        692KB

        Download

      • memory/5028-100-0x00000000009C0000-0x0000000000A6D000-memory.dmp

        Filesize

        692KB

        Download

      • memory/5028-119-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-71-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-116-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-75-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-112-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-77-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-80-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-83-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-86-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-89-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-91-0x00000000009C0000-0x0000000000A6D000-memory.dmp

        Filesize

        692KB

        Download

      • memory/5028-109-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-96-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-99-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-68-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-103-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5028-106-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5048-61-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5048-76-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5048-60-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/5048-65-0x0000000000400000-0x000000000080E000-memory.dmp

        Filesize

        4.1MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.