Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

dridex

windows10-1703-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows10-1703_x64
  • resource
    win10-20231020-en
  • resource tags

    arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12/12/2023, 09:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91e77926b426bd21c5747610b9a12a0b1db7e8fcfda54d281125450de7f9c558.exe

  • Size

    7.5MB

  • MD5

    e168005e1c5bd800d95c60e1e362b6d6

  • SHA1

    f8ea6822bb72246a640a3d6257164a12e2ff19d0

  • SHA256

    91e77926b426bd21c5747610b9a12a0b1db7e8fcfda54d281125450de7f9c558

  • SHA512

    8bee9359454259e0c948cdab9d7f7e0372f90f7163351821d658857e70e9fb935c6e4ac049d2fc8837b122d90b135ffff78a18d304bd6ff828b55a00a303d227

  • SSDEEP

    196608:kxm58iQeIvIULCbMPJh/xL9xLB8K8eNF93FgAfMuAGErzj:WiQvfLCbM3xvLBh8eNF9VgAUuA9rzj

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 63 IoCs
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91e77926b426bd21c5747610b9a12a0b1db7e8fcfda54d281125450de7f9c558.exe
    "C:\Users\Admin\AppData\Local\Temp\91e77926b426bd21c5747610b9a12a0b1db7e8fcfda54d281125450de7f9c558.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\is-TM3NV.tmp\91e77926b426bd21c5747610b9a12a0b1db7e8fcfda54d281125450de7f9c558.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TM3NV.tmp\91e77926b426bd21c5747610b9a12a0b1db7e8fcfda54d281125450de7f9c558.tmp" /SL5="$D0048,7631459,121856,C:\Users\Admin\AppData\Local\Temp\91e77926b426bd21c5747610b9a12a0b1db7e8fcfda54d281125450de7f9c558.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Query
        3⤵
          PID:4760
        • C:\Program Files (x86)\GIFMount\gifmon.exe
          "C:\Program Files (x86)\GIFMount\gifmon.exe" -i
          3⤵
          • Executes dropped EXE
          PID:524
        • C:\Program Files (x86)\GIFMount\gifmon.exe
          "C:\Program Files (x86)\GIFMount\gifmon.exe" -s
          3⤵
          • Executes dropped EXE
          PID:3024
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\system32\net.exe" helpmsg 12
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1800
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 helpmsg 12
            4⤵
              PID:3496

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\GIFMount\gifmon.exe
        Filesize

        2.1MB

        MD5

        e19b632cdd2284cabfc91530144f5f28

        SHA1

        3c6358d0b769c2a11c5cd0999dd4f408322a959a

        SHA256

        80c620e5db3edfe8d971bb5f4a641995f921c73002e3c68690dfd2620ab73038

        SHA512

        47d793a4b8a35edcbc56dd977f239d3b5aa9d262494c2508846b6e26ba95b1f13bc50c39f4ebe1be7097dc6ad8c3bb42e38bf4d4b0d3f2eab730a2d45bb89a04

        Download Submit

      • C:\Program Files (x86)\GIFMount\gifmon.exe
        Filesize

        1.6MB

        MD5

        0def34af57c1aa9d6f5c8d7a4bc936f5

        SHA1

        95e078edfe36e6eb56ea698970f5fd488180c8d9

        SHA256

        7a323e64c74f50a1fbce0f4ceac688392e1e5ac1ebda1573d6ab97f9810137d8

        SHA512

        f2e3a56d51f4a088f15d5aae9550889a7746e4a04b94f5ff1773e18cc56c87335d48103a5206039dd2b007e089c82b6b3569f2b8867fc1e088aa55e234acc507

        Download Submit

      • C:\Program Files (x86)\GIFMount\gifmon.exe
        Filesize

        902KB

        MD5

        beb32fdbc43da6cb4fb23f721e933579

        SHA1

        9cf5643eaba15a1c9666d6e8678bf0a880b9d315

        SHA256

        b9d1216a118ef89f217d4e30ae2cee7dd43773cb90eca549273b14616c3cbc62

        SHA512

        2b6efe13d3fe87a5dcb2407343c833fd5a51ea2206bd48a2fe809cf339e995c21d665917736ce79cf3b3f41413067b51a7f934053f5d829b13c95d92550f92f8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-TM3NV.tmp\91e77926b426bd21c5747610b9a12a0b1db7e8fcfda54d281125450de7f9c558.tmp
        Filesize

        687KB

        MD5

        f448d7f4b76e5c9c3a4eaff16a8b9b73

        SHA1

        31808f1ffa84c954376975b7cdb0007e6b762488

        SHA256

        7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

        SHA512

        f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

        Download Submit

      • \Users\Admin\AppData\Local\Temp\is-8PGAP.tmp\_isetup\_iscrypt.dll
        Filesize

        2KB

        MD5

        a69559718ab506675e907fe49deb71e9

        SHA1

        bc8f404ffdb1960b50c12ff9413c893b56f2e36f

        SHA256

        2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

        SHA512

        e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

        Download Submit

      • \Users\Admin\AppData\Local\Temp\is-8PGAP.tmp\_isetup\_isdecmp.dll
        Filesize

        19KB

        MD5

        3adaa386b671c2df3bae5b39dc093008

        SHA1

        067cf95fbdb922d81db58432c46930f86d23dded

        SHA256

        71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

        SHA512

        bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

        Download Submit

      • memory/444-163-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/444-10-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/444-161-0x0000000000400000-0x00000000004BC000-memory.dmp

        Filesize

        752KB

        Download

      • memory/524-151-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/524-154-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/524-152-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/524-155-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/1556-0-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/1556-2-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/1556-160-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB

        Download

      • memory/3024-173-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-180-0x00000000008C0000-0x000000000095E000-memory.dmp

        Filesize

        632KB

        Download

      • memory/3024-159-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-166-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-167-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-170-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-157-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-176-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-179-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-162-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-185-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-188-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-191-0x00000000008C0000-0x000000000095E000-memory.dmp

        Filesize

        632KB

        Download

      • memory/3024-192-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-195-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-198-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-201-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-204-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3024-208-0x0000000000400000-0x0000000000669000-memory.dmp

        Filesize

        2.4MB

        Download