Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b58179d287...3c.dll

windows7-x64

10

b58179d287...3c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    05/03/2024, 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b58179d2876272ed58a6e2d6c328be3c.dll

  • Size

    848KB

  • MD5

    b58179d2876272ed58a6e2d6c328be3c

  • SHA1

    2d8a3a857491b3523f93b08e0611e741925be9ac

  • SHA256

    548a21178bd299e07a0b0bb0957decd17f937a37b8fe4fbc8125e360bb1f0679

  • SHA512

    ea4162f81987df295e7c1a568dc98ad440b34d2d17eaffa74250513199b33d873279a6b4af2c1df8805f61afadbc20c508b4bce3b7d6fcca239e89ac4dda24cc

  • SSDEEP

    12288:4kbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:4kbHkWfzZ5adwLNGeStHntqN7v

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 13 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b58179d2876272ed58a6e2d6c328be3c.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2064
  • C:\Windows\system32\TpmInit.exe
    C:\Windows\system32\TpmInit.exe
    1⤵
      PID:2136
    • C:\Users\Admin\AppData\Local\cMc6V\TpmInit.exe
      C:\Users\Admin\AppData\Local\cMc6V\TpmInit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2604
    • C:\Windows\system32\unregmp2.exe
      C:\Windows\system32\unregmp2.exe
      1⤵
        PID:2868
      • C:\Users\Admin\AppData\Local\blwL\unregmp2.exe
        C:\Users\Admin\AppData\Local\blwL\unregmp2.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2216
      • C:\Windows\system32\mmc.exe
        C:\Windows\system32\mmc.exe
        1⤵
          PID:320
        • C:\Users\Admin\AppData\Local\iHYsYhrY\mmc.exe
          C:\Users\Admin\AppData\Local\iHYsYhrY\mmc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1928
        • C:\Windows\system32\raserver.exe
          C:\Windows\system32\raserver.exe
          1⤵
            PID:1872
          • C:\Users\Admin\AppData\Local\VqCfdS\raserver.exe
            C:\Users\Admin\AppData\Local\VqCfdS\raserver.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:1656

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\VqCfdS\WTSAPI32.dll
            Filesize

            852KB

            MD5

            1ab8e59b989828910915b2ce98dec339

            SHA1

            029779de896d87268a21b95346f2929f3f0b9097

            SHA256

            de1691dae460f67ae71974250e5587ac038ecdc654d6a6e361050b7563058581

            SHA512

            fb8f5f59ea04ced739bec8096e7785db4b5eea190207338f45d17c9fb53f6f80834c40021353da0f217cb7a3634f6f9f77d762e35ac01d1da21416a50104f236

            Download Submit

          • C:\Users\Admin\AppData\Local\blwL\slc.dll
            Filesize

            852KB

            MD5

            d8073c3ae06011f96d1270727de13a0b

            SHA1

            47fde93d1e1746fc7b7896d4701923628ba109ce

            SHA256

            46f07fda77900f702dce14f92b4c6b5e16989d590494a03af08ebf96c8caa378

            SHA512

            2e885ffe8a2f89dbc2aede7bf941264f38fe6a18fcb3f3765e74cfbb2b53c8b44c07b711d90eb6fd04e5fde9fb91ffa47d3041dee3f3dddf29f2bd7568064cf3

            Download Submit

          • C:\Users\Admin\AppData\Local\blwL\unregmp2.exe
            Filesize

            316KB

            MD5

            64b328d52dfc8cda123093e3f6e4c37c

            SHA1

            f68f45b21b911906f3aa982e64504e662a92e5ab

            SHA256

            7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

            SHA512

            e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

            Download Submit

          • C:\Users\Admin\AppData\Local\cMc6V\ACTIVEDS.dll
            Filesize

            852KB

            MD5

            fed5912662eaf991bfcd67973225349f

            SHA1

            0973e6c1b3d7f1003371cfabf8cbf9e72e0235b4

            SHA256

            7f0fc12e54787fff1135f21a5ad282828d92c3327ba3ca28bf612a085301a0d2

            SHA512

            bcefea4c8855d86abaaf952af617ab7ab5b008b554c562e8357a1c059f1c739bdab4e2f2995439a3e74ed81fdb1634842d543fbcc6edf5432c44efa775bf88c3

            Download Submit

          • C:\Users\Admin\AppData\Local\iHYsYhrY\MFC42u.dll
            Filesize

            876KB

            MD5

            129f1ffcb8df0d7a5047635eeec63ec4

            SHA1

            e916078aec1960a67b1ccb80e8a6373dcde7f604

            SHA256

            540c6a9713aecbf18a445b57aa01b3f47f9883f5f67a56ff0f95a79f4f65e0e0

            SHA512

            a06c3c09da370f8fe42b4107a1cc76f84f921b669852602d78071e29531bacdc74c109b42fc071592e1f7d137feb71b63e8737ad2c980f8153b24e220f2051a1

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piadwmdtymfdd.lnk
            Filesize

            1KB

            MD5

            de1364cfe562492778abca26d66a9d96

            SHA1

            5eb366c7dc347ea67de623e6066e439b05319317

            SHA256

            5580fae46fbbf6d3ee40e96409711eb3a1738c7483c230b8a896d50130453b56

            SHA512

            963d99ec46099c273976e458bd752237eb2704e4be09a30fce3c2c9ef8e99657ca55977742dfe8c684def55c8252cdbddf02afef8f78030e634966ad1ec6cb04

            Download Submit

          • \Users\Admin\AppData\Local\VqCfdS\raserver.exe
            Filesize

            123KB

            MD5

            cd0bc0b6b8d219808aea3ecd4e889b19

            SHA1

            9f8f4071ce2484008e36fdfd963378f4ebad703f

            SHA256

            16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

            SHA512

            84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

            Download Submit

          • \Users\Admin\AppData\Local\cMc6V\TpmInit.exe
            Filesize

            112KB

            MD5

            8b5eb38e08a678afa129e23129ca1e6d

            SHA1

            a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

            SHA256

            4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

            SHA512

            a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

            Download Submit

          • \Users\Admin\AppData\Local\iHYsYhrY\mmc.exe
            Filesize

            2.0MB

            MD5

            9fea051a9585f2a303d55745b4bf63aa

            SHA1

            f5dc12d658402900a2b01af2f018d113619b96b8

            SHA256

            b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

            SHA512

            beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

            Download Submit

          • memory/1224-38-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-11-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-13-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-17-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-16-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-15-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-14-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-20-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-19-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1224-18-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-27-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-28-0x0000000077850000-0x0000000077852000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1224-29-0x0000000077880000-0x0000000077882000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1224-3-0x00000000775E6000-0x00000000775E7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1224-39-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-4-0x0000000002E00000-0x0000000002E01000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1224-12-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-10-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-6-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-7-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-81-0x00000000775E6000-0x00000000775E7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1224-9-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1224-8-0x0000000140000000-0x00000001400D4000-memory.dmp

            Filesize

            848KB

            Download

          • memory/1656-107-0x000007FEF6780000-0x000007FEF6855000-memory.dmp

            Filesize

            852KB

            Download

          • memory/1656-103-0x0000000000090000-0x0000000000097000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1928-90-0x0000000000180000-0x0000000000187000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1928-92-0x000007FEF6780000-0x000007FEF685B000-memory.dmp

            Filesize

            876KB

            Download

          • memory/1928-89-0x000007FEF6780000-0x000007FEF685B000-memory.dmp

            Filesize

            876KB

            Download

          • memory/2064-2-0x0000000000390000-0x0000000000397000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2064-47-0x000007FEF6780000-0x000007FEF6854000-memory.dmp

            Filesize

            848KB

            Download

          • memory/2064-0-0x000007FEF6780000-0x000007FEF6854000-memory.dmp

            Filesize

            848KB

            Download

          • memory/2216-72-0x000007FEF6780000-0x000007FEF6855000-memory.dmp

            Filesize

            852KB

            Download

          • memory/2216-76-0x000007FEF6780000-0x000007FEF6855000-memory.dmp

            Filesize

            852KB

            Download

          • memory/2604-55-0x000007FEF6E60000-0x000007FEF6F35000-memory.dmp

            Filesize

            852KB

            Download

          • memory/2604-56-0x0000000000100000-0x0000000000107000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2604-60-0x000007FEF6E60000-0x000007FEF6F35000-memory.dmp

            Filesize

            852KB

            Download