Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b6a95716e5...d8.dll

windows7-x64

10

b6a95716e5...d8.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2024, 05:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6a95716e500957dc3b9447faf3443d8.dll

  • Size

    688KB

  • MD5

    b6a95716e500957dc3b9447faf3443d8

  • SHA1

    efa033e42ed5c72417bb6cbe8d2dfb4705bce230

  • SHA256

    cfdf6cc09e2a199c461f5cab2c28a42e9d979cf64ac4af8e85d9ed5e97d9559a

  • SHA512

    9fb14331cd6b7a24c2ff6b0d9f196815e1774f66018af60cdb4405a1c251f9345e5c6a24172b813943f2be1e2a42c3e6d0595c9c9b5421facc6d29956e082c72

  • SSDEEP

    12288:VqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:VqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b6a95716e500957dc3b9447faf3443d8.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3884
  • C:\Windows\system32\ie4uinit.exe
    C:\Windows\system32\ie4uinit.exe
    1⤵
      PID:4056
    • C:\Users\Admin\AppData\Local\zcWvi\ie4uinit.exe
      C:\Users\Admin\AppData\Local\zcWvi\ie4uinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3164
    • C:\Windows\system32\WFS.exe
      C:\Windows\system32\WFS.exe
      1⤵
        PID:2748
      • C:\Users\Admin\AppData\Local\WGS29Q\WFS.exe
        C:\Users\Admin\AppData\Local\WGS29Q\WFS.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2896
      • C:\Windows\system32\ddodiag.exe
        C:\Windows\system32\ddodiag.exe
        1⤵
          PID:1520
        • C:\Users\Admin\AppData\Local\Ljru\ddodiag.exe
          C:\Users\Admin\AppData\Local\Ljru\ddodiag.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:772

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Ljru\XmlLite.dll
          Filesize

          692KB

          MD5

          f9c163574126f9fcc633087552577dd1

          SHA1

          195f1c3cd88453650635a6a96c9aee4bbafd5cf7

          SHA256

          4eee932fd53be8a1577e9b6e07061e9a9cb918aa5f090fbb0b6cf12c821db745

          SHA512

          2715d66c8a36b9a9b9ef8fdb836b9047b44ccf3570a8f9bc1a14bd7da19e875d30fb06f85d4f8c0289e81e92f3d65813d3e70aba2df3052ff669c3a1665d4271

          Download Submit

        • C:\Users\Admin\AppData\Local\Ljru\ddodiag.exe
          Filesize

          39KB

          MD5

          85feee634a6aee90f0108e26d3d9bc1f

          SHA1

          a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

          SHA256

          99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

          SHA512

          b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

          Download Submit

        • C:\Users\Admin\AppData\Local\WGS29Q\UxTheme.dll
          Filesize

          692KB

          MD5

          4ae14cdfe62f8444a4afb61b22339aee

          SHA1

          e07dbc7a2b526a60b69fc8c60c111b404d0a2b26

          SHA256

          d07b8d9dfb5765e0c38817c4e0969cf5ca8bedf1d13e74e456585f79b4638c17

          SHA512

          ca760937b2bed5a7856cc4f2702a13795f718e6ad8817070aa3dbf76b7cc2eda17e7b4dd28bd706877c2f5070471a96d635085368af8cc624174d6ea65cc59d1

          Download Submit

        • C:\Users\Admin\AppData\Local\WGS29Q\WFS.exe
          Filesize

          944KB

          MD5

          3cbc8d0f65e3db6c76c119ed7c2ffd85

          SHA1

          e74f794d86196e3bbb852522479946cceeed7e01

          SHA256

          e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

          SHA512

          26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

          Download Submit

        • C:\Users\Admin\AppData\Local\zcWvi\VERSION.dll
          Filesize

          692KB

          MD5

          0977ab176ddb15a3e1c63dcfe19331bc

          SHA1

          947c566782963212458c710e2a37f14b41b70ba7

          SHA256

          c99ed7c4e2c4a05955f03f0414db8ac3a35c4c73374bd7b071db9be1d48e6e5b

          SHA512

          aa86bfb5e9065b37fdc417ad7a49a3de9919fed2b56a9714e9d5a12d99956b33bdaa6209a08af26b61b62971d5dd7a1972114a5dd70b3c698130348e8c4515ef

          Download Submit

        • C:\Users\Admin\AppData\Local\zcWvi\ie4uinit.exe
          Filesize

          262KB

          MD5

          a2f0104edd80ca2c24c24356d5eacc4f

          SHA1

          8269b9fd9231f04ed47419bd565c69dc677fab56

          SHA256

          5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

          SHA512

          e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xkmqd.lnk
          Filesize

          1KB

          MD5

          04304ea216b17312c98f83a514a40dfd

          SHA1

          8fa9d69db849966b99cd2e2ec30d87f954b73449

          SHA256

          2b03b12ddc6eb8754300d3f7ed34e17a9f89615f2cf3f5766291b72724e28a7f

          SHA512

          18d5214ea1e5f14021befb3ea6074d7586d690bc8031d5f688b59abe4dc73077dc0cae4312b14c53ea07ae2f08d9c213330bb93a374656d7b26b352bf7bc675f

          Download Submit

        • memory/772-75-0x000001B7B1B20000-0x000001B7B1B27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/772-80-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2896-59-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2896-60-0x0000028145620000-0x0000028145627000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2896-64-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3164-48-0x000001E78C010000-0x000001E78C0BD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3164-45-0x000001E78C1A0000-0x000001E78C1A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3164-43-0x000001E78C010000-0x000001E78C0BD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3480-10-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3480-6-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3480-32-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3480-23-0x00007FF811390000-0x00007FF8113A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3480-22-0x00007FF8113A0000-0x00007FF8113B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3480-21-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3480-13-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3480-12-0x00000000008F0000-0x00000000008F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3480-11-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3480-4-0x00007FF80FCCA000-0x00007FF80FCCB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3480-9-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3480-8-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3480-7-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3480-3-0x0000000002400000-0x0000000002401000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3884-35-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3884-1-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3884-0-0x0000024ADD820000-0x0000024ADD827000-memory.dmp

          Filesize

          28KB

          Download