Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a4572e7d4e...94.dll

windows7-x64

10

a4572e7d4e...94.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    17/07/2024, 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4572e7d4e5c1548ceb7216066e8c131a2c41b7717d6ef89f1d43c8e68816b94.dll

  • Size

    824KB

  • MD5

    afd56972bd23300ceff79144c07af499

  • SHA1

    3b28fc603adc5770fecd90803728632de3da95e0

  • SHA256

    a4572e7d4e5c1548ceb7216066e8c131a2c41b7717d6ef89f1d43c8e68816b94

  • SHA512

    ba1df4f52018052a4382521c05e114bf9e566b22d297e05ef11385ac070c8b458ff8d860b4ffd4f0b620a8ac676623f8de155e264b9cf291bc77aea00ac73517

  • SSDEEP

    12288:5Bim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:b/nts0Q9K/0ooRQIxAk2wi0N/

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4572e7d4e5c1548ceb7216066e8c131a2c41b7717d6ef89f1d43c8e68816b94.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2584
  • C:\Windows\system32\rdpclip.exe
    C:\Windows\system32\rdpclip.exe
    1⤵
      PID:1760
    • C:\Users\Admin\AppData\Local\Yvt6M78\rdpclip.exe
      C:\Users\Admin\AppData\Local\Yvt6M78\rdpclip.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2796
    • C:\Windows\system32\OptionalFeatures.exe
      C:\Windows\system32\OptionalFeatures.exe
      1⤵
        PID:1608
      • C:\Users\Admin\AppData\Local\BFZ\OptionalFeatures.exe
        C:\Users\Admin\AppData\Local\BFZ\OptionalFeatures.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1788
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        1⤵
          PID:2692
        • C:\Users\Admin\AppData\Local\7bMixVCI\wermgr.exe
          C:\Users\Admin\AppData\Local\7bMixVCI\wermgr.exe
          1⤵
          • Executes dropped EXE
          PID:2812
        • C:\Windows\system32\consent.exe
          C:\Windows\system32\consent.exe
          1⤵
            PID:2168
          • C:\Users\Admin\AppData\Local\0iEOzHpt\consent.exe
            C:\Users\Admin\AppData\Local\0iEOzHpt\consent.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2944

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\0iEOzHpt\WINSTA.dll
            Filesize

            832KB

            MD5

            f893c1874a023061e407d65a82041b9f

            SHA1

            79a8772884055ec07cea48d597b60ced549a9c67

            SHA256

            bb71bc310416b18545d14d3852fc0fe339873cb2296927c7ea60a6cff9d06a17

            SHA512

            432a6735006cbfdde92fafd24ce7fcce77376fcdc1e1c074d35f3db19c67ec8d0c34177fcbe47858b6b660816e4cf53a48fde44598ccf117e1155a1da585757c

            Download Submit

          • C:\Users\Admin\AppData\Local\0iEOzHpt\consent.exe
            Filesize

            109KB

            MD5

            0b5511674394666e9d221f8681b2c2e6

            SHA1

            6e4e720dfc424a12383f0b8194e4477e3bc346dc

            SHA256

            ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

            SHA512

            00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

            Download Submit

          • C:\Users\Admin\AppData\Local\7bMixVCI\wermgr.exe
            Filesize

            49KB

            MD5

            41df7355a5a907e2c1d7804ec028965d

            SHA1

            453263d230c6317eb4a2eb3aceeec1bbcf5e153d

            SHA256

            207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

            SHA512

            59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

            Download Submit

          • C:\Users\Admin\AppData\Local\BFZ\OptionalFeatures.exe
            Filesize

            95KB

            MD5

            eae7af6084667c8f05412ddf096167fc

            SHA1

            0dbe8aba001447030e48e8ad5466fd23481e6140

            SHA256

            01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

            SHA512

            172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

            Download Submit

          • C:\Users\Admin\AppData\Local\BFZ\appwiz.cpl
            Filesize

            828KB

            MD5

            1563d3b21fd974b41842701f07dfce13

            SHA1

            515db92b79d88d3ff3d52f085e40a617ea07f085

            SHA256

            f9e994165bf0825df4e5afcc122e80f5fed1de06484c0899dcfaf761c72f392f

            SHA512

            741693274db0a05f4e29b376b30449fa723004180b2238e60ecad5061c2353ad02b7328f7e594108cd80ea9a36bc3390c743bdeed3af596da3e0174d796fb931

            Download Submit

          • C:\Users\Admin\AppData\Local\Yvt6M78\WINSTA.dll
            Filesize

            832KB

            MD5

            9e204dcc154082d20d2157b196b6ff22

            SHA1

            e2f5430a72b861db00592af021bec61c8aa030c0

            SHA256

            3d6400b17e857cdf8c4b123437aaad85ea79875e0df6849a0df0eb5aa7ed5013

            SHA512

            646dbf5a70ece7edfd78d94472b368b09eb4f69c507234baf877200bdbe558534a08ae486839add76dcd6227c54d2c3ca06429a507f5d7a1e114d7e3c38085ac

            Download Submit

          • C:\Users\Admin\AppData\Local\Yvt6M78\rdpclip.exe
            Filesize

            206KB

            MD5

            25d284eb2f12254c001afe9a82575a81

            SHA1

            cf131801fdd5ec92278f9e0ae62050e31c6670a5

            SHA256

            837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

            SHA512

            7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Joeqzcwrjre.lnk
            Filesize

            1KB

            MD5

            c135fd267998a171d70b1d477afc9cfb

            SHA1

            962f0a2066f3d7f3e77dc11f2f06cbfa376ec117

            SHA256

            f1556cd6e03ab5bd15eaa08a2ee518963086e2568be67b357568e20181e63837

            SHA512

            ebf034410ac02307dd41874e336c4484fe65e273380612e245a5fc02b7bc3f87f76925b6abcd6512cf3cdd1467a95f50c850703a1555aa897582ae6b151c66b5

            Download Submit

          • memory/1200-17-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-11-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-40-0x0000000077B80000-0x0000000077B82000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1200-39-0x0000000077B50000-0x0000000077B52000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1200-38-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-37-0x0000000002EA0000-0x0000000002EA7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1200-30-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-29-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-28-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-27-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-26-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-25-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-23-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-22-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-21-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-20-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-19-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-18-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-13-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-16-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-15-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-14-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-12-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-24-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-9-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-8-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-51-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-50-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-3-0x00000000778E6000-0x00000000778E7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1200-4-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1200-6-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-7-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1200-93-0x00000000778E6000-0x00000000778E7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1200-10-0x0000000140000000-0x00000001400CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1788-83-0x0000000000100000-0x0000000000107000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1788-84-0x000007FEF7320000-0x000007FEF73EF000-memory.dmp

            Filesize

            828KB

            Download

          • memory/1788-88-0x000007FEF7320000-0x000007FEF73EF000-memory.dmp

            Filesize

            828KB

            Download

          • memory/2584-58-0x000007FEF7870000-0x000007FEF793E000-memory.dmp

            Filesize

            824KB

            Download

          • memory/2584-0-0x000007FEF7870000-0x000007FEF793E000-memory.dmp

            Filesize

            824KB

            Download

          • memory/2584-2-0x0000000000220000-0x0000000000227000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2796-68-0x0000000000180000-0x0000000000187000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2796-66-0x000007FEF7940000-0x000007FEF7A10000-memory.dmp

            Filesize

            832KB

            Download

          • memory/2796-71-0x000007FEF7940000-0x000007FEF7A10000-memory.dmp

            Filesize

            832KB

            Download

          • memory/2944-111-0x000007FEF7320000-0x000007FEF73F0000-memory.dmp

            Filesize

            832KB

            Download

          • memory/2944-115-0x000007FEF7320000-0x000007FEF73F0000-memory.dmp

            Filesize

            832KB

            Download