Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2024, 21:07
Static task: static1
Behavioral task: behavioral1
Sample: daae9ef5569b1a800270b09adb162b719f77c0594a792c78220074945a1b9a9d.dll
Resource: win7-20240903-en

The signature hits and process tree below are tagged behavioral2 and belong to the Windows 10 run described under Analysis; behavioral1 is the Windows 7 task of the same submission and its results are not shown on this page.
General

Target: daae9ef5569b1a800270b09adb162b719f77c0594a792c78220074945a1b9a9d.dll
Size: 964KB
MD5: 0dfedfa7857af79c50d589c2dc966f39
SHA1: f60eb9042e405ccc3065b64cbae1e8f069c85edc
SHA256: daae9ef5569b1a800270b09adb162b719f77c0594a792c78220074945a1b9a9d
SHA512: 1821ce0b21df31b09011fe9852b10de17fd0c440ba861cbec712206c6a9663a5d49302acb70cff9d79cd532a18feb0dffe179253ee9f49156f479de43ea37ebf
SSDEEP: 12288:xfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4skZIy:RdAE81W381Wk8jnYz3dsPEb4s9
Malware Config
Signatures

YARA: dridex_stager_shellcode (1 hit)
  behavioral2/memory/3488-3-0x0000000003710000-0x0000000003711000-memory.dmp

YARA: dridex_payload (9 hits)
  behavioral2/memory/2708-0-0x0000000140000000-0x00000001400F1000-memory.dmp
  behavioral2/memory/3488-35-0x0000000140000000-0x00000001400F1000-memory.dmp
  behavioral2/memory/3488-24-0x0000000140000000-0x00000001400F1000-memory.dmp
  behavioral2/memory/2708-38-0x0000000140000000-0x00000001400F1000-memory.dmp
  behavioral2/memory/3988-45-0x0000000140000000-0x00000001400F3000-memory.dmp
  behavioral2/memory/3988-50-0x0000000140000000-0x00000001400F3000-memory.dmp
  behavioral2/memory/2584-61-0x0000000140000000-0x00000001400F2000-memory.dmp
  behavioral2/memory/2584-66-0x0000000140000000-0x00000001400F2000-memory.dmp
  behavioral2/memory/5104-82-0x0000000140000000-0x00000001400F2000-memory.dmp

Executes dropped EXE (3 IoCs)
  pid   process
  3988  sessionmsg.exe
  2584  SystemPropertiesDataExecutionPrevention.exe
  5104  cmstp.exe

Loads dropped DLL (4 IoCs)
  pid   process
  3988  sessionmsg.exe
  2584  SystemPropertiesDataExecutionPrevention.exe
  5104  cmstp.exe
  5104  cmstp.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbrhc = "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\DBvBiMMFto\SystemPropertiesDataExecutionPrevention.exe"
  process: Process not Found

Checks whether UAC is enabled (4 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by rundll32.exe, sessionmsg.exe, SystemPropertiesDataExecutionPrevention.exe and cmstp.exe (one query each)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process            entries
  2708  rundll32.exe       4
  3488  Process not Found  60

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  token                      pid   process
  SeShutdownPrivilege        3488  Process not Found
  SeCreatePagefilePrivilege  3488  Process not Found
  SeShutdownPrivilege        3488  Process not Found
  SeCreatePagefilePrivilege  3488  Process not Found

Suspicious use of FindShellTrayWindow (2 IoCs)
  3488  Process not Found (2 entries)

Suspicious use of UnmapMainImage (1 IoC)
  3488  Process not Found

Suspicious use of WriteProcessMemory (12 IoCs)
  source pid  source process     target pid  procid_target
  3488        Process not Found  4172        98
  3488        Process not Found  3988        99
  3488        Process not Found  1380        100
  3488        Process not Found  2584        101
  3488        Process not Found  3536        102
  3488        Process not Found  5104        103
  (the report records each write twice)

Note on "Process not Found": the sandbox could not resolve an image name for PID 3488, but the entries above all describe one process. It carries the dridex_stager_shellcode hit and two dridex_payload hits, adjusts SeShutdownPrivilege and SeCreatePagefilePrivilege, locates the shell tray window, and writes into all six system-binary processes in the tree; the Run key is likewise attributed to an unnamed process. Treat PID 3488 as the loader's host process when building a timeline, and do not guess its image from these indicators alone, since the report does not identify it.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\daae9ef5569b1a800270b09adb162b719f77c0594a792c78220074945a1b9a9d.dll,#1
  PID: 2708
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\sessionmsg.exe
  command line: C:\Windows\system32\sessionmsg.exe
  PID: 4172

- C:\Users\Admin\AppData\Local\bKPuMz\sessionmsg.exe
  command line: C:\Users\Admin\AppData\Local\bKPuMz\sessionmsg.exe
  PID: 3988
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  PID: 1380

- C:\Users\Admin\AppData\Local\JdLpi72x\SystemPropertiesDataExecutionPrevention.exe
  command line: C:\Users\Admin\AppData\Local\JdLpi72x\SystemPropertiesDataExecutionPrevention.exe
  PID: 2584
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\cmstp.exe
  command line: C:\Windows\system32\cmstp.exe
  PID: 3536

- C:\Users\Admin\AppData\Local\pfLbjojbB\cmstp.exe
  command line: C:\Users\Admin\AppData\Local\pfLbjojbB\cmstp.exe
  PID: 5104
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

All seven entries sit at the top level of the tree (depth marker 1 in the report); no parent is recorded for the six system-binary launches, although the WriteProcessMemory signature shows the unnamed PID 3488 writing into each of them. The sample was invoked through rundll32.exe with export ordinal #1. Each of sessionmsg.exe, SystemPropertiesDataExecutionPrevention.exe and cmstp.exe then runs once from C:\Windows\system32 and once more from a random-looking directory under C:\Users\Admin\AppData\Local, where the copy is flagged "Executes dropped EXE" and "Loads dropped DLL". That is the copy-a-signed-system-binary-and-side-load pattern: a DLL placed next to the relaunched copy is found in the application directory ahead of System32 in the normal DLL search order, so the signed binary ends up loading the dropped DLL. The Run key value points at a fourth such copy, SystemPropertiesDataExecutionPrevention.exe under AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\DBvBiMMFto, which is the persistence location to collect.
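Turning the report above into detection logic, as an added example that is not part of the tria.ge page or of any Dridex tooling: the script checks three things the report exhibits, a Windows system binary name running from a directory under the user profile instead of System32, a Run-key value whose target lives in a user-writable path, and a single PID writing into several other processes. The event records are constructed from the process tree, the "Adds Run key" signature and the WriteProcessMemory signature on this page; the field names (`pid`, `image`, `name`, `data`, `src`, `dst`), the seed list of system binary names, and the helper names are assumptions of the example.

```python
"""Detections derived from this sandbox report. Added example, not tria.ge code.
Checks: (1) a System32 binary name running outside a system directory,
(2) a Run-key value pointing into a user-writable path, (3) one PID writing
into several other processes. Sample data is constructed from the page."""
import ntpath
import re

# Directories where a genuine Windows system binary lives.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Seed list of System32 binary names, taken from this report (assumption:
# a real deployment extends this with a full inventory of System32).
SYSTEM_BINARIES = {
    "rundll32.exe", "sessionmsg.exe", "cmstp.exe",
    "systempropertiesdataexecutionprevention.exe",
}

# Per-user profile locations a standard user can write to.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def in_system_dir(image):
    return ntpath.dirname(image).lower() in SYSTEM_DIRS


def is_user_writable(path):
    return USER_WRITABLE.match(path) is not None


def find_masquerading(events):
    """[(pid, image)] for system-binary names launched from a non-system path."""
    hits = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name in SYSTEM_BINARIES and not in_system_dir(ev["image"]):
            hits.append((ev["pid"], ev["image"]))
    return hits


def find_user_writable_autoruns(values):
    """[(value_name, target)] for Run values whose executable is under the user profile."""
    hits = []
    for val in values:
        data = val["data"].strip()
        # Triage shows the data quoted; take the quoted path, else the first token.
        target = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
        if is_user_writable(target):
            hits.append((val["name"], target))
    return hits


def find_cross_process_writers(writes, min_targets=2):
    """{src_pid: sorted target pids} for PIDs writing into >= min_targets other processes."""
    targets = {}
    for w in writes:
        if w["src"] != w["dst"]:
            targets.setdefault(w["src"], set()).add(w["dst"])
    return {pid: sorted(t) for pid, t in targets.items() if len(t) >= min_targets}


# Constructed from the process tree on this page.
EVENTS = [
    {"pid": 2708, "image": r"C:\Windows\system32\rundll32.exe"},
    {"pid": 4172, "image": r"C:\Windows\system32\sessionmsg.exe"},
    {"pid": 3988, "image": r"C:\Users\Admin\AppData\Local\bKPuMz\sessionmsg.exe"},
    {"pid": 1380, "image": r"C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe"},
    {"pid": 2584, "image": r"C:\Users\Admin\AppData\Local\JdLpi72x\SystemPropertiesDataExecutionPrevention.exe"},
    {"pid": 3536, "image": r"C:\Windows\system32\cmstp.exe"},
    {"pid": 5104, "image": r"C:\Users\Admin\AppData\Local\pfLbjojbB\cmstp.exe"},
]

# Constructed from the "Adds Run key" signature on this page.
RUN_VALUES = [{
    "name": "Gbrhc",
    "data": r'"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\DBvBiMMFto\SystemPropertiesDataExecutionPrevention.exe"',
}]

# Constructed from the WriteProcessMemory signature (each pair appears twice there).
WRITES = [{"src": 3488, "dst": d} for d in (4172, 3988, 1380, 2584, 3536, 5104)] * 2

if __name__ == "__main__":
    for pid, image in find_masquerading(EVENTS):
        print(f"system binary name outside system dir: pid={pid} {image}")
    for name, target in find_user_writable_autoruns(RUN_VALUES):
        print(f"user-writable autorun: {name} -> {target}")
    for pid, dsts in find_cross_process_writers(WRITES).items():
        print(f"pid {pid} wrote into {len(dsts)} processes: {dsts}")
```

Run stand-alone it reports the three AppData copies (PIDs 3988, 2584, 5104), the Gbrhc Run value, and PID 3488 as the writer into six processes. The first check is the one that generalizes: a System32 file name executing from a user-writable directory is rare in normal telemetry, and the same rule catches the side-loading host whatever DLL name the loader chose. Feed it real process-creation events (Sysmon event ID 1, EDR process telemetry) rather than the constructed list here, and replace the seed set with a full System32 inventory so it is not limited to the three binaries this sample happened to pick.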
Network
MITRE ATT&CK Enterprise v15
Downloads

Seven dropped files are listed by hash only; the report gives no names or paths. Three are 968-972KB, within a few kilobytes of the 964KB sample DLL, three are under 100KB, and one is 1KB. The process tree has three AppData directories, each holding a relaunched system binary that "Loads dropped DLL", so the sizes are consistent with one EXE/DLL pair per directory, but the report does not say which hash belongs to which file. Pull the files before promoting these hashes to IoCs: if the small files are the copied Windows binaries, their hashes identify legitimate signed files and must not be treated as malicious on their own.

-
Filesize: 968KB
MD5: c75a3457bd1b6f8b9370f87cc8766cec
SHA1: bd513f15243ace36004c8bb1ce2f8b84b4821d53
SHA256: dee315c60e669caf297eea4f48ea40950c7b5945bf973d6a917d75a53bc76ee7
SHA512: ffa943be65f27fe1e2533564e7b25c470571ff8436a386fa385fa407fed5b6732e55f8a6df44a84d283b4e1123378fd0c0dde2a139701b6ef2fbeff13a4a2126
-
Filesize: 82KB
MD5: de58532954c2704f2b2309ffc320651d
SHA1: 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
SHA256: 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
SHA512: d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed
-
Filesize: 972KB
MD5: 652af3292e9efaec658cd70cfe501ffd
SHA1: d654a2d2fbde6a071e625e41712d8d6bcc7f552c
SHA256: 82cde6ccb0b80fb1cf95f7ddef0961768bfc36af25c046b9fa215e8c3d67b992
SHA512: 87726833ff50d8c63e1ffed653941f4be9abf905aadc16440ef45f51721d1b181fe70390e78c979369bd1b373339bac73c20411fab893ee8eeb119210583b45b
-
Filesize: 85KB
MD5: 480f710806b68dfe478ca1ec7d7e79cc
SHA1: b4fc97fed2dbff9c4874cb65ede7b50699db37cd
SHA256: 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc
SHA512: 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db
-
Filesize: 968KB
MD5: cc37094f2d05b7a6d4baa365455d04d3
SHA1: 27d5d37932bce0b66ce27ce2423c79c27bb9026b
SHA256: 5992245f202d7cd964f8e799ac43e7db7931662a01564209e761d738e5b11d79
SHA512: 5671f72c4adca39b75587dab0551769a631238fef62bdc5f537082959c7be2351896e01947421f7969e37be2511794e90819e5ec80c5e7cf70c1ce33a0e3d85b
-
Filesize: 96KB
MD5: 4cc43fe4d397ff79fa69f397e016df52
SHA1: 8fd6cf81ad40c9b123cd75611860a8b95c72869c
SHA256: f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c
SHA512: 851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157
-
Filesize: 1KB
MD5: 1cc3a7486968190095431f4cc092b9b5
SHA1: 47cde51876c891aea8fbb36883802594b62e6d89
SHA256: aaf5fa1f1605ead35f29a4b7876835df93b83938b7160bb77d33b3bb88858f33
SHA512: 385ed803525e2277dcf4333e90749414d6aaaa974e4e40b9e4b0efe69c65d900182ecd499746bcdaf1a5f532c90263d71ca79367a6af7b46979a6b332ba5a32b