Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

c90f118364...18.dll

windows7-x64

10

c90f118364...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29/08/2024, 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c90f1183641a387ea5575b5e9cfc3823_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    c90f1183641a387ea5575b5e9cfc3823

  • SHA1

    7f54137d178f58adab7e50adaf3c2d48dc5b4607

  • SHA256

    849f991381c28c420499f0dd6871940f7074637575f5dc3c6e5826962c87351d

  • SHA512

    977c1b03b575156862324347ba97d88f8dc3fdd46ef1b6b7e7e6ba933cd22151af2609e87ff13e9655b131b839ca8efd67aa9406e9d34e2cded8e51b6676938b

  • SSDEEP

    24576:uuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N2:O9cKrUqZWLAcUO

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c90f1183641a387ea5575b5e9cfc3823_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2448
  • C:\Windows\system32\xpsrchvw.exe
    C:\Windows\system32\xpsrchvw.exe
    1⤵
      PID:2536
    • C:\Users\Admin\AppData\Local\0s7H\xpsrchvw.exe
      C:\Users\Admin\AppData\Local\0s7H\xpsrchvw.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2572
    • C:\Windows\system32\vmicsvc.exe
      C:\Windows\system32\vmicsvc.exe
      1⤵
        PID:2896
      • C:\Users\Admin\AppData\Local\9vhB\vmicsvc.exe
        C:\Users\Admin\AppData\Local\9vhB\vmicsvc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3024
      • C:\Windows\system32\wbengine.exe
        C:\Windows\system32\wbengine.exe
        1⤵
          PID:572
        • C:\Users\Admin\AppData\Local\N6B\wbengine.exe
          C:\Users\Admin\AppData\Local\N6B\wbengine.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:768

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0s7H\xpsrchvw.exe
          Filesize

          4.6MB

          MD5

          492cb6a624d5dad73ee0294b5db37dd6

          SHA1

          e74806af04a5147ccabfb5b167eb95a0177c43b3

          SHA256

          ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

          SHA512

          63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

          Download Submit

        • C:\Users\Admin\AppData\Local\9vhB\ACTIVEDS.dll
          Filesize

          1.2MB

          MD5

          dbf2e72968541bc35e987fcdf60cf9f3

          SHA1

          cf2a497cc13da5c5d8cc88f4ccbcddf2ef2b6b58

          SHA256

          7d19625ec7008202d1e4cd88f628339015a0f908ba1556606191aa2125766a5f

          SHA512

          61e4dbd68a512553504b7e52d3ac3d63fe6c9595a827a7c3faf0d23a5d12ba8349a0b815137f66b73c9d1742b26f6aec580f70114c8bff94e04935f9e78f0752

          Download Submit

        • C:\Users\Admin\AppData\Local\N6B\XmlLite.dll
          Filesize

          1.2MB

          MD5

          8e7415df451e6b4f9cc898f995f0403e

          SHA1

          c5bc6fddce5d2283af174208fa73ddb35e6384c0

          SHA256

          4ab345bcdcbeb7e20530946bf82a3598deb9bf3fedfd392c5faa2d2c099f66c5

          SHA512

          de00fa441ac954a138c1be4b9cd50e3dd42faaabcc2f749901e915d322ab236aa7f675fb1da536b3717cbcac5c3c51e8617b8e49e779d6456388c7f9921ff671

          Download Submit

        • C:\Users\Admin\AppData\Local\N6B\wbengine.exe
          Filesize

          1.4MB

          MD5

          78f4e7f5c56cb9716238eb57da4b6a75

          SHA1

          98b0b9db6ec5961dbb274eff433a8bc21f7e557b

          SHA256

          46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

          SHA512

          1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk
          Filesize

          1KB

          MD5

          f2d17e5efcc740641a27b5dd072a3275

          SHA1

          5841fb1a4b217c80345491b5618c1657f2613445

          SHA256

          8028d1b108871e34533c120435fc08df31b12c71d13a6e237d500fb89bac6698

          SHA512

          71f8041c75c7783de0bee8bbac53320172d4858a9955ef0364e594cbfad92ae608482d2a4ca5dd2d56a5a16772ef06c6df3d94320930303ae13f58386f180edf

          Download Submit

        • \Users\Admin\AppData\Local\0s7H\WINMM.dll
          Filesize

          1.2MB

          MD5

          362f7196ca911ce9d9a107654d1d0a65

          SHA1

          d6f4a4576fa409a70a9fb362d78ddb82f834d706

          SHA256

          a3e690bfea81d262f7ff97e652294c5169d45769554aa97ce84457822cc5a3f4

          SHA512

          ab9b7262f1d3583ecc1d84e3325fca72aa83551c67d9848d4b4681a70e2b29bae509176167dc37a5e65b92f64a4ba2a3f7022ea7cd39c6f194e9589c13f3b765

          Download Submit

        • \Users\Admin\AppData\Local\9vhB\vmicsvc.exe
          Filesize

          238KB

          MD5

          79e14b291ca96a02f1eb22bd721deccd

          SHA1

          4c8dbff611acd8a92cd2280239f78bebd2a9947e

          SHA256

          d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

          SHA512

          f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

          Download Submit

        • memory/768-95-0x000007FEF7E30000-0x000007FEF7F62000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-27-0x0000000077B81000-0x0000000077B82000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-28-0x0000000077D10000-0x0000000077D12000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-38-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-4-0x0000000077976000-0x0000000077977000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-25-0x0000000002B80000-0x0000000002B87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-26-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2448-0-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2448-46-0x000007FEF7E20000-0x000007FEF7F51000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2448-1-0x000007FEF7E20000-0x000007FEF7F51000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2572-60-0x000007FEF7DC0000-0x000007FEF7EF3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2572-54-0x000007FEF7DC0000-0x000007FEF7EF3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2572-57-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3024-72-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3024-73-0x000007FEF7E30000-0x000007FEF7F62000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3024-78-0x000007FEF7E30000-0x000007FEF7F62000-memory.dmp

          Filesize

          1.2MB

          Download