Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
3Drehmal.In....1.exe
windows7-x64
7Drehmal.In....1.exe
windows10-2004-x64
7$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Drehmal Installer.exe
windows7-x64
1Drehmal Installer.exe
windows10-2004-x64
7LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1d3dcompiler_47.dll
windows10-2004-x64
1dxcompiler.dll
windows7-x64
1dxcompiler.dll
windows10-2004-x64
1dxil.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1vk_swiftshader.dll
windows7-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows7-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...7z.dll
windows7-x64
3$PLUGINSDI...7z.dll
windows10-2004-x64
3Analysis
-
max time kernel
604s -
max time network
457s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/04/2024, 14:23
Static task
static1
Behavioral task
behavioral1
Sample
Drehmal.Installer.1.0.1.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
Drehmal.Installer.1.0.1.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240319-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Drehmal Installer.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral8
Sample
Drehmal Installer.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
LICENSES.chromium.html
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
LICENSES.chromium.html
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
dxcompiler.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral13
Sample
dxcompiler.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
dxil.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
ffmpeg.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral16
Sample
ffmpeg.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
libEGL.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral18
Sample
libEGL.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
libGLESv2.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
libGLESv2.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
resources/elevate.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
resources/elevate.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
vk_swiftshader.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
vk_swiftshader.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
vulkan-1.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
vulkan-1.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
Drehmal Installer.exe
-
Size
168.5MB
-
MD5
5274cbfb208ee9610d3193e4c61c35f7
-
SHA1
954257060465a7038dd94952cb3964e5a0699735
-
SHA256
869e7c9698da35ba3b45d8a456814db6926534ea5e6d80302f0aaf69283230cb
-
SHA512
f28dc65c609683b375d61f55d5f940a41c691d7c5e64335886121675faf7b23a98cac04ec7e187e28cc92eb8915d8c65dfeda1cc0d7505820358683698c8733a
-
SSDEEP
1572864:IWx5TrBkvBGddEgdqUVQAa/6MdFvokPLkKrIA5wsMj+zBujIqMIqw6ep80FQK7y3:AwmBiWD+eCIxB
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation Drehmal Installer.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation Drehmal Installer.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF Drehmal Installer.exe File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF Drehmal Installer.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3908 Drehmal Installer.exe 3908 Drehmal Installer.exe 3908 Drehmal Installer.exe 3908 Drehmal Installer.exe 4400 Drehmal Installer.exe 4400 Drehmal Installer.exe 4400 Drehmal Installer.exe 4400 Drehmal Installer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe Token: SeShutdownPrivilege 3908 Drehmal Installer.exe Token: SeCreatePagefilePrivilege 3908 Drehmal Installer.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 2684 3908 Drehmal Installer.exe 87 PID 3908 wrote to memory of 4744 3908 Drehmal Installer.exe 88 PID 3908 wrote to memory of 4744 3908 Drehmal Installer.exe 88 PID 3908 wrote to memory of 3372 3908 Drehmal Installer.exe 89 PID 3908 wrote to memory of 3372 3908 Drehmal Installer.exe 89 PID 3908 wrote to memory of 4400 3908 Drehmal Installer.exe 98 PID 3908 wrote to memory of 4400 3908 Drehmal Installer.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe"C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe"C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Drehmal Installer" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1704 --field-trial-handle=1712,i,8449906081159121420,9711812778648525467,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:22⤵PID:2684
-
-
C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe"C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Drehmal Installer" --mojo-platform-channel-handle=2212 --field-trial-handle=1712,i,8449906081159121420,9711812778648525467,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:82⤵PID:4744
-
-
C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe"C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Drehmal Installer" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2472 --field-trial-handle=1712,i,8449906081159121420,9711812778648525467,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:12⤵
- Checks computer location settings
PID:3372
-
-
C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe"C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Drehmal Installer" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3120 --field-trial-handle=1712,i,8449906081159121420,9711812778648525467,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:82⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4400
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
300B
MD50703653a33d15f0590879e0e3aadb6d3
SHA191d3601ba31cffe428bea19a2e529c26ddf0c587
SHA256ac8b39c40e182162914a71cec4693d90beecd33f0bc9c28c7c1622e52bbdb539
SHA5125d7e8ac00a622a593e67fefaf4199115dd7ac46689cabb65b400875449f84e5ac4bf2d1c47c8eb0c3f8c4f47e1ca97f50b7d301881ff99460bca636e9aa1c2e8
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84