Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

daae9ef556...9d.dll

windows7-x64

10

daae9ef556...9d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2024, 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    daae9ef5569b1a800270b09adb162b719f77c0594a792c78220074945a1b9a9d.dll

  • Size

    964KB

  • MD5

    0dfedfa7857af79c50d589c2dc966f39

  • SHA1

    f60eb9042e405ccc3065b64cbae1e8f069c85edc

  • SHA256

    daae9ef5569b1a800270b09adb162b719f77c0594a792c78220074945a1b9a9d

  • SHA512

    1821ce0b21df31b09011fe9852b10de17fd0c440ba861cbec712206c6a9663a5d49302acb70cff9d79cd532a18feb0dffe179253ee9f49156f479de43ea37ebf

  • SSDEEP

    12288:xfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4skZIy:RdAE81W381Wk8jnYz3dsPEb4s9

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\daae9ef5569b1a800270b09adb162b719f77c0594a792c78220074945a1b9a9d.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2708
  • C:\Windows\system32\sessionmsg.exe
    C:\Windows\system32\sessionmsg.exe
    1⤵
      PID:4172
    • C:\Users\Admin\AppData\Local\bKPuMz\sessionmsg.exe
      C:\Users\Admin\AppData\Local\bKPuMz\sessionmsg.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3988
    • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      1⤵
        PID:1380
      • C:\Users\Admin\AppData\Local\JdLpi72x\SystemPropertiesDataExecutionPrevention.exe
        C:\Users\Admin\AppData\Local\JdLpi72x\SystemPropertiesDataExecutionPrevention.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2584
      • C:\Windows\system32\cmstp.exe
        C:\Windows\system32\cmstp.exe
        1⤵
          PID:3536
        • C:\Users\Admin\AppData\Local\pfLbjojbB\cmstp.exe
          C:\Users\Admin\AppData\Local\pfLbjojbB\cmstp.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:5104

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\JdLpi72x\SYSDM.CPL
          Filesize

          968KB

          MD5

          c75a3457bd1b6f8b9370f87cc8766cec

          SHA1

          bd513f15243ace36004c8bb1ce2f8b84b4821d53

          SHA256

          dee315c60e669caf297eea4f48ea40950c7b5945bf973d6a917d75a53bc76ee7

          SHA512

          ffa943be65f27fe1e2533564e7b25c470571ff8436a386fa385fa407fed5b6732e55f8a6df44a84d283b4e1123378fd0c0dde2a139701b6ef2fbeff13a4a2126

          Download Submit

        • C:\Users\Admin\AppData\Local\JdLpi72x\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          82KB

          MD5

          de58532954c2704f2b2309ffc320651d

          SHA1

          0a9fc98f4d47dccb0b231edf9a63309314f68e3b

          SHA256

          1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

          SHA512

          d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

          Download Submit

        • C:\Users\Admin\AppData\Local\bKPuMz\DUser.dll
          Filesize

          972KB

          MD5

          652af3292e9efaec658cd70cfe501ffd

          SHA1

          d654a2d2fbde6a071e625e41712d8d6bcc7f552c

          SHA256

          82cde6ccb0b80fb1cf95f7ddef0961768bfc36af25c046b9fa215e8c3d67b992

          SHA512

          87726833ff50d8c63e1ffed653941f4be9abf905aadc16440ef45f51721d1b181fe70390e78c979369bd1b373339bac73c20411fab893ee8eeb119210583b45b

          Download Submit

        • C:\Users\Admin\AppData\Local\bKPuMz\sessionmsg.exe
          Filesize

          85KB

          MD5

          480f710806b68dfe478ca1ec7d7e79cc

          SHA1

          b4fc97fed2dbff9c4874cb65ede7b50699db37cd

          SHA256

          2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

          SHA512

          29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

          Download Submit

        • C:\Users\Admin\AppData\Local\pfLbjojbB\VERSION.dll
          Filesize

          968KB

          MD5

          cc37094f2d05b7a6d4baa365455d04d3

          SHA1

          27d5d37932bce0b66ce27ce2423c79c27bb9026b

          SHA256

          5992245f202d7cd964f8e799ac43e7db7931662a01564209e761d738e5b11d79

          SHA512

          5671f72c4adca39b75587dab0551769a631238fef62bdc5f537082959c7be2351896e01947421f7969e37be2511794e90819e5ec80c5e7cf70c1ce33a0e3d85b

          Download Submit

        • C:\Users\Admin\AppData\Local\pfLbjojbB\cmstp.exe
          Filesize

          96KB

          MD5

          4cc43fe4d397ff79fa69f397e016df52

          SHA1

          8fd6cf81ad40c9b123cd75611860a8b95c72869c

          SHA256

          f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

          SHA512

          851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk
          Filesize

          1KB

          MD5

          1cc3a7486968190095431f4cc092b9b5

          SHA1

          47cde51876c891aea8fbb36883802594b62e6d89

          SHA256

          aaf5fa1f1605ead35f29a4b7876835df93b83938b7160bb77d33b3bb88858f33

          SHA512

          385ed803525e2277dcf4333e90749414d6aaaa974e4e40b9e4b0efe69c65d900182ecd499746bcdaf1a5f532c90263d71ca79367a6af7b46979a6b332ba5a32b

          Download Submit

        • memory/2584-66-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/2584-61-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/2584-63-0x0000027D813C0000-0x0000027D813C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2708-2-0x000001EF67090000-0x000001EF67097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2708-0-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/2708-38-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-8-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-15-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-9-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-11-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-7-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-6-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-24-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-35-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-25-0x00007FFDF0DA0000-0x00007FFDF0DB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3488-4-0x00007FFDF0B2A000-0x00007FFDF0B2B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3488-3-0x0000000003710000-0x0000000003711000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3488-12-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-26-0x00007FFDF0D90000-0x00007FFDF0DA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3488-13-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-14-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3488-23-0x00000000036F0000-0x00000000036F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3488-10-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3988-50-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/3988-47-0x000001945BF50000-0x000001945BF57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3988-45-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/5104-82-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download