Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

15410936b4...18.dll

windows7-x64

10

15410936b4...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/07/2024, 10:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15410936b47cef7dec131527c79b6f17_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    15410936b47cef7dec131527c79b6f17

  • SHA1

    34f01700b66c8e13d358c5ef4d93a3b15a7a0cb1

  • SHA256

    5267301c0c47dcaaa430b438ee7498235950f67cbcb1042dc0a69a9912a736ee

  • SHA512

    13116d07c0e0aacff8ac9358b1e634f81ae0b8101c49b25f2a66b2cac4b672eb0c8d5238ca7d8df50fc159d839dd33f16e7887fc1f6b0fef6f02365f2a20bf3e

  • SSDEEP

    24576:muYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:G9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\15410936b47cef7dec131527c79b6f17_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4828
  • C:\Windows\system32\BitLockerWizardElev.exe
    C:\Windows\system32\BitLockerWizardElev.exe
    1⤵
      PID:1480
    • C:\Users\Admin\AppData\Local\cZ1IfRy\BitLockerWizardElev.exe
      C:\Users\Admin\AppData\Local\cZ1IfRy\BitLockerWizardElev.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4612
    • C:\Windows\system32\MoUsoCoreWorker.exe
      C:\Windows\system32\MoUsoCoreWorker.exe
      1⤵
        PID:4960
      • C:\Users\Admin\AppData\Local\I85290p\MoUsoCoreWorker.exe
        C:\Users\Admin\AppData\Local\I85290p\MoUsoCoreWorker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1788
      • C:\Windows\system32\bdeunlock.exe
        C:\Windows\system32\bdeunlock.exe
        1⤵
          PID:3908
        • C:\Users\Admin\AppData\Local\ihmd\bdeunlock.exe
          C:\Users\Admin\AppData\Local\ihmd\bdeunlock.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3352

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\I85290p\MoUsoCoreWorker.exe
          Filesize

          1.6MB

          MD5

          47c6b45ff22b73caf40bb29392386ce3

          SHA1

          7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

          SHA256

          cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

          SHA512

          c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

          Download Submit

        • C:\Users\Admin\AppData\Local\I85290p\XmlLite.dll
          Filesize

          1.2MB

          MD5

          643f0a79bab95a4c49743e9249ecd575

          SHA1

          7d5acaa2b7158fc88b179882dfe4ab54e8a711e6

          SHA256

          b49a86ae37967ad4a2b92210ded82a5de67100854765b15205921ccd14d31a65

          SHA512

          47aa844addebf3cd9462f962266701b5020552efe7ff038b88943461e2d08159315d7a5cd09221812ce6297a7165a24a34491fc5b82a006e1c9ed05340228a3c

          Download Submit

        • C:\Users\Admin\AppData\Local\cZ1IfRy\BitLockerWizardElev.exe
          Filesize

          100KB

          MD5

          8ac5a3a20cf18ae2308c64fd707eeb81

          SHA1

          31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

          SHA256

          803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

          SHA512

          85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

          Download Submit

        • C:\Users\Admin\AppData\Local\cZ1IfRy\FVEWIZ.dll
          Filesize

          1.2MB

          MD5

          000a530bdbe1ad5cf094bb5b5fc9a562

          SHA1

          ad96b8a36be06cb3ce65df47c73350fc2003d8e6

          SHA256

          5fd62540c89f7c7d7a625a0a5fc6c7dfe1ef848cfaca9e473ac44c7fe00d4d78

          SHA512

          44b0d5f350f116d54edd7adc9c42c9d38f5c07a64bf9c5c725ca443efd1cfa74b0394fec1e4b295a89cfd4164a82eb2a8c2d4df1ab539b19274e528b22bdc9d7

          Download Submit

        • C:\Users\Admin\AppData\Local\ihmd\DUser.dll
          Filesize

          1.2MB

          MD5

          3f8c428091d4f081a82dad0c67814058

          SHA1

          dd1449b096e737dc03c11d699d97375180fd1e4b

          SHA256

          7eaf10e5ef9b8b4cfa8b580e9a1e3542ded8e65395658146484e1774a2bf4a2a

          SHA512

          557b4f226a2f1fdc626b0959c339ea7202d00f45727c7ac89445ffd6277d770fe84c52676c7a55492da6596b46c74b3da5cfca2ab2e64e8ac3c09d42ec994a9b

          Download Submit

        • C:\Users\Admin\AppData\Local\ihmd\bdeunlock.exe
          Filesize

          279KB

          MD5

          fef5d67150c249db3c1f4b30a2a5a22e

          SHA1

          41ca037b0229be9338da4d78244b4f0ea5a3d5f3

          SHA256

          dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

          SHA512

          4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lwudczt.lnk
          Filesize

          1KB

          MD5

          fc092c9dad427b294edad3430d2d5778

          SHA1

          e173221ebbddfb75d972fe92787085e3b2d5564b

          SHA256

          9d850133303b9326f9762dca2a47877ef17db9050e819284f79566e41bd28ba6

          SHA512

          c17895d9ac5f4eb9c7c32074eb08581215626c7b092bc4d93228e6f6681b8cdafdd6cfdd8877392abbf59cb56cd6c75feb941b1c4caf27bd55eb7c485e96edeb

          Download Submit

        • memory/1788-69-0x00007FFF92490000-0x00007FFF925C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1788-66-0x0000020B6C9E0000-0x0000020B6C9E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3352-86-0x00007FFF920E0000-0x00007FFF92213000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3352-83-0x000001742B8E0000-0x000001742B8E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3352-80-0x00007FFF920E0000-0x00007FFF92213000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-34-0x00007FFFA0CD0000-0x00007FFFA0CE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-6-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-32-0x00007FFF9F24A000-0x00007FFF9F24B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-33-0x0000000002C70000-0x0000000002C77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4612-52-0x00007FFF92490000-0x00007FFF925C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4612-49-0x00000249DED50000-0x00000249DED57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4612-46-0x00007FFF92490000-0x00007FFF925C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4828-39-0x00007FFF92490000-0x00007FFF925C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4828-0-0x0000016702AA0000-0x0000016702AA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4828-1-0x00007FFF92490000-0x00007FFF925C1000-memory.dmp

          Filesize

          1.2MB

          Download