Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4052ea9b3c...cd.dll

windows7-x64

10

4052ea9b3c...cd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/07/2024, 22:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4052ea9b3c06054603457627da4cae9a63458f725fb8c5b017fc406b7b03fccd.dll

  • Size

    820KB

  • MD5

    09a70175b2dac63c54bdca38cf4262e8

  • SHA1

    1791add74d6e0cc4e3a2f3727a55abaab8ab0463

  • SHA256

    4052ea9b3c06054603457627da4cae9a63458f725fb8c5b017fc406b7b03fccd

  • SHA512

    99e09a0df392d62f34dcef06f210b897670bbc45cc5589957f339fe63f96f5d92168948a9aa515ecfa235aff981ddb9be4629a36f28b11122152dcb6811111f0

  • SSDEEP

    12288:uBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdND:6/nts0Q9K/0ooRQIxAk2wi0N/

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4052ea9b3c06054603457627da4cae9a63458f725fb8c5b017fc406b7b03fccd.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1016
  • C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe
    1⤵
      PID:2076
    • C:\Users\Admin\AppData\Local\SWv56RnJq\unregmp2.exe
      C:\Users\Admin\AppData\Local\SWv56RnJq\unregmp2.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3740
    • C:\Windows\system32\SppExtComObj.Exe
      C:\Windows\system32\SppExtComObj.Exe
      1⤵
        PID:4928
      • C:\Users\Admin\AppData\Local\KKimKcer\SppExtComObj.Exe
        C:\Users\Admin\AppData\Local\KKimKcer\SppExtComObj.Exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4860
      • C:\Windows\system32\FXSCOVER.exe
        C:\Windows\system32\FXSCOVER.exe
        1⤵
          PID:5040
        • C:\Users\Admin\AppData\Local\mue\FXSCOVER.exe
          C:\Users\Admin\AppData\Local\mue\FXSCOVER.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1452

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\KKimKcer\ACTIVEDS.dll
          Filesize

          824KB

          MD5

          41617a2716125313346eb795a7cfeb63

          SHA1

          b09f46fe89ce8b2f7177c8e1b7c0b3860ef79c94

          SHA256

          c004eab8efe0d44531302693fee30822fad9a23d151fcf818cbad0f3c61b23b1

          SHA512

          811a04594c550ed1337fe9b3e2e5cfdb27b173dfd1cb434e95013fecd51c73ba7c1de0055cdc3c7eb522a1d932b6eed31e115a63c685167fb5b9ddd7d3a9ac70

          Download Submit

        • C:\Users\Admin\AppData\Local\KKimKcer\SppExtComObj.Exe
          Filesize

          559KB

          MD5

          728a78909aa69ca0e976e94482350700

          SHA1

          6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

          SHA256

          2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

          SHA512

          22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

          Download Submit

        • C:\Users\Admin\AppData\Local\SWv56RnJq\VERSION.dll
          Filesize

          824KB

          MD5

          c367fad7c8678b6a55c4d020c8b97e50

          SHA1

          6236e8bfef6ef413bf0d93ba1f4f08d24ff71238

          SHA256

          acc5144c8d744dfd9e4a526f1734b44eb1e5b5db8ffdaed87af917296bacf0cd

          SHA512

          3dbc71c0ad0bd34317f8ccad859755d089fc286c2c3ab6a9434802816e95aac88845a6afaccb27c1c8d1e9a22f32b3b13e82f7a514d2d4e92a51192484c0325c

          Download Submit

        • C:\Users\Admin\AppData\Local\SWv56RnJq\unregmp2.exe
          Filesize

          259KB

          MD5

          a6fc8ce566dec7c5873cb9d02d7b874e

          SHA1

          a30040967f75df85a1e3927bdce159b102011a61

          SHA256

          21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

          SHA512

          f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

          Download Submit

        • C:\Users\Admin\AppData\Local\mue\FXSCOVER.exe
          Filesize

          242KB

          MD5

          5769f78d00f22f76a4193dc720d0b2bd

          SHA1

          d62b6cab057e88737cba43fe9b0c6d11a28b53e8

          SHA256

          40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

          SHA512

          b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

          Download Submit

        • C:\Users\Admin\AppData\Local\mue\MFC42u.dll
          Filesize

          848KB

          MD5

          d533c269d1118d2da185fd90fa817c0d

          SHA1

          40c9fb5aea843f3eef12ba44334ddbe869ac9722

          SHA256

          45b1b2a76bc3c34c82e6daf4266e76c640c24e27735fcddc861e74aea02c0d61

          SHA512

          c35809784f651acebd5e0fd4c1fb0809e908204a16b6936ba92124ccfa7170783498a33decc67b11cc2d68a64dc2a8bc57750e60afa6aae5b2044df93b3bd032

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Urqdyypzfxj.lnk
          Filesize

          1KB

          MD5

          7efd75d6a53c1154ff13cc0f9092e26b

          SHA1

          d701657cf78db49b0bc6eab4f1e6a487a4f85af3

          SHA256

          969a1ae928dc1709f90565d8544ba1559bf8913cf9f2db30025ffc23cfae85fd

          SHA512

          4a4735454fe28328b2bdaf1e191db81bb6da56b4e3842b1bcd84e233516099c12f6743f0f467b3aee989f50e0f233d4e12a7c432229efdcf200f5fb885836a66

          Download Submit

        • memory/1016-2-0x0000000001350000-0x0000000001357000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1016-0-0x00007FFFADBB0000-0x00007FFFADC7D000-memory.dmp

          Filesize

          820KB

          Download

        • memory/1016-51-0x00007FFFADBB0000-0x00007FFFADC7D000-memory.dmp

          Filesize

          820KB

          Download

        • memory/1452-94-0x00007FFFAD1A0000-0x00007FFFAD274000-memory.dmp

          Filesize

          848KB

          Download

        • memory/1452-90-0x00007FFFAD1A0000-0x00007FFFAD274000-memory.dmp

          Filesize

          848KB

          Download

        • memory/3428-14-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-8-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-25-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-24-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-23-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-22-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-21-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-20-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-18-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-17-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-16-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-15-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-27-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-13-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-12-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-11-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-9-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-26-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-7-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-28-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-6-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-37-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-38-0x00007FFFBC440000-0x00007FFFBC450000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3428-48-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-3-0x0000000002990000-0x0000000002991000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3428-5-0x00007FFFBA5AA000-0x00007FFFBA5AB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3428-10-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-39-0x00007FFFBC430000-0x00007FFFBC440000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3428-36-0x0000000000E90000-0x0000000000E97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3428-19-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3428-29-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/3740-63-0x00007FFFAD1B0000-0x00007FFFAD27E000-memory.dmp

          Filesize

          824KB

          Download

        • memory/3740-60-0x000001BB389F0000-0x000001BB389F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3740-58-0x00007FFFAD1B0000-0x00007FFFAD27E000-memory.dmp

          Filesize

          824KB

          Download

        • memory/4860-79-0x00007FFFAD1B0000-0x00007FFFAD27E000-memory.dmp

          Filesize

          824KB

          Download

        • memory/4860-74-0x00000210EA5C0000-0x00000210EA5C7000-memory.dmp

          Filesize

          28KB

          Download