Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3dffdf9e09...2d.dll

windows7-x64

10

3dffdf9e09...2d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/07/2024, 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3dffdf9e09ce072d12ff2e1a69fe7aaef98a2bb4728ca08f164be06408acdd2d.dll

  • Size

    824KB

  • MD5

    6651d9c2fbf38bce55c461d94c2cf433

  • SHA1

    133be7fe7e9f7f580df12bccb7f7ae14d1c26fc9

  • SHA256

    3dffdf9e09ce072d12ff2e1a69fe7aaef98a2bb4728ca08f164be06408acdd2d

  • SHA512

    01f284c09ac85fe1dbc2415fed87c48a4b61f5dbadb7ff17cfbe628f1d99202bca9cdabbc413c7c3c6cae87cb0adc0c6f6cd5e0f7182016685b3b61af1630416

  • SSDEEP

    12288:dBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:f/nts0Q9K/0ooRQIxAk2wi0N/

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3dffdf9e09ce072d12ff2e1a69fe7aaef98a2bb4728ca08f164be06408acdd2d.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1536
  • C:\Windows\system32\psr.exe
    C:\Windows\system32\psr.exe
    1⤵
      PID:2476
    • C:\Users\Admin\AppData\Local\0R1AB7\psr.exe
      C:\Users\Admin\AppData\Local\0R1AB7\psr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4656
    • C:\Windows\system32\Narrator.exe
      C:\Windows\system32\Narrator.exe
      1⤵
        PID:1632
      • C:\Users\Admin\AppData\Local\xnvoGRrjM\Narrator.exe
        C:\Users\Admin\AppData\Local\xnvoGRrjM\Narrator.exe
        1⤵
        • Executes dropped EXE
        PID:3508
      • C:\Windows\system32\ProximityUxHost.exe
        C:\Windows\system32\ProximityUxHost.exe
        1⤵
          PID:924
        • C:\Users\Admin\AppData\Local\RQWPzXh\ProximityUxHost.exe
          C:\Users\Admin\AppData\Local\RQWPzXh\ProximityUxHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2220
        • C:\Windows\system32\BitLockerWizardElev.exe
          C:\Windows\system32\BitLockerWizardElev.exe
          1⤵
            PID:2600
          • C:\Users\Admin\AppData\Local\QdPhB\BitLockerWizardElev.exe
            C:\Users\Admin\AppData\Local\QdPhB\BitLockerWizardElev.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2836

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\0R1AB7\VERSION.dll
            Filesize

            828KB

            MD5

            870717d7605ff07f0194c9c1a057c18a

            SHA1

            69dcf030234e8531208f72eeaeb014f8423714e5

            SHA256

            1d935ef8e2eb5e05d4a1d6fac3d88572e488799d93b54af0736bc3f78980acfc

            SHA512

            fc093dbe6d87e81796a41970cc78ff4af8c506935e7955d6edcc59aefd80be1222341f121e2acb818a3c00033372a8d09737b3c6794736a09acb7ad972c21ded

            Download Submit

          • C:\Users\Admin\AppData\Local\0R1AB7\psr.exe
            Filesize

            232KB

            MD5

            ad53ead5379985081b7c3f1f357e545a

            SHA1

            6f5aa32c1d15fbf073558fadafd046d97b60184e

            SHA256

            4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

            SHA512

            433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

            Download Submit

          • C:\Users\Admin\AppData\Local\QdPhB\BitLockerWizardElev.exe
            Filesize

            100KB

            MD5

            8ac5a3a20cf18ae2308c64fd707eeb81

            SHA1

            31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

            SHA256

            803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

            SHA512

            85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

            Download Submit

          • C:\Users\Admin\AppData\Local\QdPhB\FVEWIZ.dll
            Filesize

            828KB

            MD5

            eee617357a272f23a788683117951e01

            SHA1

            d564dc21a0cf9410046564b9398af2493ff2aa0e

            SHA256

            4c39be249483bd0c49b08c04ecac1d42c0075d0228671a48db45f0d76a8c83ec

            SHA512

            8904bfe37551fbe4bed00570e8a1cc9fa576c802506181186360813146e1956e89aff9d91903703f1131acb3be3ce459a401f7c1acbd5ad1df0b6e880945ff0c

            Download Submit

          • C:\Users\Admin\AppData\Local\RQWPzXh\DUI70.dll
            Filesize

            1.1MB

            MD5

            dca9ee3d17ce58fcdbdfb46c6ed0039e

            SHA1

            5b446b25aec534134ec3c2c6388dd0cbe319d1c5

            SHA256

            7dac2796f02f88a02c8ce3da74b30a8eff2abcdb93f988a910b56776ac2f9f46

            SHA512

            543edee1e165164ba3480898ebb267aa60eb898eed4ff0614ef971321722fe6d65c0d7b7a785bfde0bfa784e1a890551acbe0598068550b12a90b3daae24ce83

            Download Submit

          • C:\Users\Admin\AppData\Local\RQWPzXh\ProximityUxHost.exe
            Filesize

            263KB

            MD5

            9ea326415b83d77295c70a35feb75577

            SHA1

            f8fc6a4f7f97b242f35066f61d305e278155b8a8

            SHA256

            192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f

            SHA512

            2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

            Download Submit

          • C:\Users\Admin\AppData\Local\xnvoGRrjM\Narrator.exe
            Filesize

            521KB

            MD5

            d92defaa4d346278480d2780325d8d18

            SHA1

            6494d55b2e5064ffe8add579edfcd13c3e69fffe

            SHA256

            69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

            SHA512

            b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Txrhelfambrw.lnk
            Filesize

            1KB

            MD5

            a26f174241119847c72e6a2fe1175bc0

            SHA1

            857758895a13d830f4e109112201d081b21a1847

            SHA256

            0f15374f0c96dfa74b6400225f5c7cdc85734d907ebaa5bca63f7ccc0bb35cdc

            SHA512

            e3a89d1bc925c45c5550944d030326c959a41b12d37b48985ad6c751c66e2ff5de301bfe5d2a337aae7a79a2d9022ea8cd200be953b9620bccb6abd4d0a04f88

            Download Submit

          • memory/1536-2-0x00000221995F0000-0x00000221995F7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1536-52-0x00007FFEA4A90000-0x00007FFEA4B5E000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1536-1-0x00007FFEA4A90000-0x00007FFEA4B5E000-memory.dmp

            Filesize

            824KB

            Download

          • memory/2220-88-0x00007FFE956E0000-0x00007FFE957F4000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2220-83-0x000001D1ED3F0000-0x000001D1ED3F7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2220-84-0x00007FFE956E0000-0x00007FFE957F4000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2836-103-0x00007FFE95730000-0x00007FFE957FF000-memory.dmp

            Filesize

            828KB

            Download

          • memory/3476-28-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-26-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-22-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-21-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-20-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-18-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-17-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-16-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-15-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-14-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-12-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-11-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-10-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-9-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-8-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-7-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-6-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-23-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-5-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-24-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-25-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-27-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-3-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3476-13-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-19-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-36-0x00007FFEB302A000-0x00007FFEB302B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3476-49-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-38-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/3476-39-0x00007FFEB3700000-0x00007FFEB3710000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3476-40-0x00007FFEB36F0000-0x00007FFEB3700000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3476-37-0x0000000000FB0000-0x0000000000FB7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3476-29-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/4656-64-0x00007FFE95730000-0x00007FFE957FF000-memory.dmp

            Filesize

            828KB

            Download

          • memory/4656-61-0x000002354D5F0000-0x000002354D5F7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4656-59-0x00007FFE95730000-0x00007FFE957FF000-memory.dmp

            Filesize

            828KB

            Download