Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

The-MALWAR...ot.exe

windows7-x64

10

The-MALWAR...ot.exe

windows10-2004-x64

10

The-MALWAR...ll.exe

windows7-x64

10

The-MALWAR...ll.exe

windows10-2004-x64

10

The-MALWAR...BS.exe

windows7-x64

10

The-MALWAR...BS.exe

windows10-2004-x64

10

The-MALWAR...in.exe

windows7-x64

7

The-MALWAR...in.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

7

The-MALWAR....A.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

10

The-MALWAR....A.exe

windows10-2004-x64

10

The-MALWAR....A.dll

windows7-x64

7

The-MALWAR....A.dll

windows10-2004-x64

6

The-MALWAR...r.xlsm

windows7-x64

10

The-MALWAR...r.xlsm

windows10-2004-x64

10

The-MALWAR...36c859

ubuntu-22.04-amd64

8

The-MALWAR...caa742

ubuntu-22.04-amd64

8

The-MALWAR...c1a732

ubuntu-24.04-amd64

8

The-MALWAR...57c046

ubuntu-24.04-amd64

8

The-MALWAR...4cde86

ubuntu-24.04-amd64

8

The-MALWAR...460a01

ubuntu-24.04-amd64

8

The-MALWAR...ece0c5

ubuntu-20.04-amd64

8

The-MALWAR...257619

ubuntu-24.04-amd64

8

The-MALWAR...fbcc59

ubuntu-22.04-amd64

8

The-MALWAR...54f69c

ubuntu-24.04-amd64

8

The-MALWAR...d539a6

ubuntu-22.04-amd64

8

The-MALWAR...4996dd

ubuntu-24.04-amd64

8

The-MALWAR...8232d5

ubuntu-18.04-amd64

8

The-MALWAR...66b948

ubuntu-24.04-amd64

8

The-MALWAR...f9db86

ubuntu-24.04-amd64

8

The-MALWAR...ea2485

ubuntu-24.04-amd64

8

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/01/2025, 04:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll

  • Size

    628KB

  • MD5

    97a26d9e3598fea2e1715c6c77b645c2

  • SHA1

    c4bf3a00c9223201aa11178d0f0b53c761a551c4

  • SHA256

    e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f

  • SHA512

    acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c

  • SSDEEP

    12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score
7/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2144
  • C:\Windows\system32\cttune.exe
    C:\Windows\system32\cttune.exe
    1⤵
      PID:3056
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\zu2.cmd
      1⤵
        PID:2720
      • C:\Windows\system32\sethc.exe
        C:\Windows\system32\sethc.exe
        1⤵
          PID:2128
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bIN5iE.cmd
          1⤵
          • Drops file in System32 directory
          PID:1152
        • C:\Windows\System32\eventvwr.exe
          "C:\Windows\System32\eventvwr.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2308
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\VIL3ZE.cmd
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2060
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Create /F /TN "Qerotbmqykaobme" /TR C:\Windows\system32\QPYl\sethc.exe /SC minute /MO 60 /RL highest
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1580
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qerotbmqykaobme"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Query /TN "Qerotbmqykaobme"
            2⤵
              PID:2888
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qerotbmqykaobme"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2492
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Query /TN "Qerotbmqykaobme"
              2⤵
                PID:2032
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qerotbmqykaobme"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2320
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Query /TN "Qerotbmqykaobme"
                2⤵
                  PID:2456
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qerotbmqykaobme"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:2436
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Query /TN "Qerotbmqykaobme"
                  2⤵
                    PID:908
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qerotbmqykaobme"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1380
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Query /TN "Qerotbmqykaobme"
                    2⤵
                      PID:1776
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qerotbmqykaobme"
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3028
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Query /TN "Qerotbmqykaobme"
                      2⤵
                        PID:2252

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\G7A6E.tmp
                      Filesize

                      836KB

                      MD5

                      a932cba2556314b80c218a722c57913d

                      SHA1

                      338bf5fa17f83dec33759c135050b7b2a5fa36c0

                      SHA256

                      ddb6617732d73282474b94df90f086cfe117e11e1193fd7d129f5ae179b965cf

                      SHA512

                      500f0bb2c113afd4f488c144c0822b967eacd19e37410dbc7b3e0258ac58c12b7d1db9f9f820252fe8ff916dbd3d74b9fae498333437722febef49bc262c8d17

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\VIL3ZE.cmd
                      Filesize

                      129B

                      MD5

                      634fe50a5dfd2763e13988ca4eaacac7

                      SHA1

                      440305e0518ea65a54ec1a3056114bd991303729

                      SHA256

                      02c5dc0eaaa05a99d3689ef51114398ff129ccb64a92a006443d9867f5be2d3e

                      SHA512

                      cf95108c48ffdb9d4d8c4994adb2d250aab1f378e5b677d20c65be31662c2bf6cec7a0bd336e4860e648ee0aead7fe2fe75d5bc6eb753290e0b85a278a4d4e31

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\bIN5iE.cmd
                      Filesize

                      188B

                      MD5

                      debac87be2251048c6c70a136887dd99

                      SHA1

                      0eec75831ac2ee7462a4361886b550e6eede3257

                      SHA256

                      235f63d2fa9f472ed018043cb9323946e64794df52a617ab6cf633c8564f0e5e

                      SHA512

                      2b4c8392eb16d385478167b2427f616b85674f08dfcab6d082a4a54bfb869d6f8bc0d39ef7d1d103753f5e3c10eb0be38da85671a18e824df4045082fa951303

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\eRE51B8.tmp
                      Filesize

                      628KB

                      MD5

                      cec15dc6ac39f6e554da97efdab3b39b

                      SHA1

                      a2805cb2e65c3890a4ea8b6cf88a6e27057d1e71

                      SHA256

                      c04502bafcbf640128e3e8abd9a8287dca8e7495e8a27706b011439284658a4f

                      SHA512

                      037d5ce04c710494e95c56d79e257e63bcadfded8eafc71eee0a1754ff7709b2533b1a9ae5df78e72a363056936ad922e22bfc8886315134d737597ddab01c61

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\zu2.cmd
                      Filesize

                      225B

                      MD5

                      185e0ab001214a73e006636cd50dd720

                      SHA1

                      8d064037d2f795df7ad07747b01a697610c3ce41

                      SHA256

                      8bac83d7c129ac80217af7f92e1e7ed567e33e8d4cf27eebadde6edec7926118

                      SHA512

                      da54a4d22c7a96e54cb4e812d64d6423c4cc8fa80929f2f91f138ec27b5fe36c707527be399b68d884b0c6e914d638f6346d1e8f553d1c8103d35dd65a5ace38

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gazvzzjnt.lnk
                      Filesize

                      870B

                      MD5

                      538c3b55b417976a7a58ef223869e7fa

                      SHA1

                      4c3c783afbb4876f2c3799eed0c586095a24b1e1

                      SHA256

                      4fe29bd5a7c42f38112912a476b3d691f46d9ec748cd8e00e820570d3f67de80

                      SHA512

                      3c064b77a2e13c0a81634a3f0d35a42e609558decd2381800ccab8b68fe7691c850981b4f1d5c1c5195370fb6bb182908c799cf124fb58169874e4a501eb5399

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Nkbs\cttune.exe
                      Filesize

                      314KB

                      MD5

                      7116848fd23e6195fcbbccdf83ce9af4

                      SHA1

                      35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

                      SHA256

                      39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

                      SHA512

                      e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

                      Download Submit

                    • memory/1208-7-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-38-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-13-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-12-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-10-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-9-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-8-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-4-0x0000000002120000-0x0000000002121000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1208-22-0x0000000077C81000-0x0000000077C82000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1208-23-0x0000000077DE0000-0x0000000077DE2000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/1208-32-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-14-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-37-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-33-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-43-0x0000000077A76000-0x0000000077A77000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1208-21-0x0000000002100000-0x0000000002107000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/1208-20-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-11-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1208-3-0x0000000077A76000-0x0000000077A77000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2144-2-0x0000000000390000-0x0000000000397000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/2144-0-0x000007FEF8060000-0x000007FEF80FD000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/2144-6-0x000007FEF8060000-0x000007FEF80FD000-memory.dmp

                      Filesize

                      628KB

                      Download