Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d4d9ff1993...7d.dll

windows7-x64

10

d4d9ff1993...7d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/01/2025, 02:52 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4d9ff199368067600f128d3d3ac1fcc3bfbf0cabfe64b14b8484731ae64117d.dll

  • Size

    780KB

  • MD5

    3fa092a0e0ea8a296e20322bcbdc38c4

  • SHA1

    78a2adda053686d8a2ddba3ccd3a5e0f1672575b

  • SHA256

    d4d9ff199368067600f128d3d3ac1fcc3bfbf0cabfe64b14b8484731ae64117d

  • SHA512

    f6b3df5593d62e42f289d59896082d5a4d2a093f01d31e3d790a07223e2ee8728942c5c0b3570fcdfbf79554db89f1c8affdadd42aa5dec2e409878785bd605a

  • SSDEEP

    12288:kbP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQn:kbe42XV7KWgmjDR/T4a/Mdjmi

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4d9ff199368067600f128d3d3ac1fcc3bfbf0cabfe64b14b8484731ae64117d.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1548
  • C:\Windows\system32\RdpSa.exe
    C:\Windows\system32\RdpSa.exe
    1⤵
      PID:3908
    • C:\Users\Admin\AppData\Local\6eclfqMj\RdpSa.exe
      C:\Users\Admin\AppData\Local\6eclfqMj\RdpSa.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2644
    • C:\Windows\system32\tabcal.exe
      C:\Windows\system32\tabcal.exe
      1⤵
        PID:4748
      • C:\Users\Admin\AppData\Local\cFq\tabcal.exe
        C:\Users\Admin\AppData\Local\cFq\tabcal.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4768
      • C:\Windows\system32\Utilman.exe
        C:\Windows\system32\Utilman.exe
        1⤵
          PID:3188
        • C:\Users\Admin\AppData\Local\EvRzTewJB\Utilman.exe
          C:\Users\Admin\AppData\Local\EvRzTewJB\Utilman.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1868

        Network

        • flag-us
          DNS
          8.8.8.8.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          8.8.8.8.in-addr.arpa
          IN PTR
          Response
          8.8.8.8.in-addr.arpa
          IN PTR
          dnsgoogle
        • flag-us
          DNS
          13.86.106.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          13.86.106.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          14.160.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          14.160.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          167.173.78.104.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          167.173.78.104.in-addr.arpa
          IN PTR
          Response
          167.173.78.104.in-addr.arpa
          IN PTR
          a104-78-173-167deploystaticakamaitechnologiescom
        • flag-us
          DNS
          154.239.44.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          154.239.44.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          212.20.149.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          212.20.149.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          18.31.95.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          18.31.95.13.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          167.190.18.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          167.190.18.2.in-addr.arpa
          IN PTR
          Response
          167.190.18.2.in-addr.arpa
          IN PTR
          a2-18-190-167deploystaticakamaitechnologiescom
        • flag-us
          DNS
          13.227.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          13.227.111.52.in-addr.arpa
          IN PTR
          Response
        No results found
        • 8.8.8.8:53
          8.8.8.8.in-addr.arpa
          dns
          66 B
           90 B
           1
          1

          DNS Request

          8.8.8.8.in-addr.arpa

        • 8.8.8.8:53
          13.86.106.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          13.86.106.20.in-addr.arpa

        • 8.8.8.8:53
          172.210.232.199.in-addr.arpa
          dns
          74 B
           128 B
           1
          1

          DNS Request

          172.210.232.199.in-addr.arpa

        • 8.8.8.8:53
          14.160.190.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          14.160.190.20.in-addr.arpa

        • 8.8.8.8:53
          167.173.78.104.in-addr.arpa
          dns
          73 B
           139 B
           1
          1

          DNS Request

          167.173.78.104.in-addr.arpa

        • 8.8.8.8:53
          154.239.44.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          154.239.44.20.in-addr.arpa

        • 8.8.8.8:53
          212.20.149.52.in-addr.arpa
          dns
          72 B
           146 B
           1
          1

          DNS Request

          212.20.149.52.in-addr.arpa

        • 8.8.8.8:53
          18.31.95.13.in-addr.arpa
          dns
          70 B
           144 B
           1
          1

          DNS Request

          18.31.95.13.in-addr.arpa

        • 8.8.8.8:53
          167.190.18.2.in-addr.arpa
          dns
          71 B
           135 B
           1
          1

          DNS Request

          167.190.18.2.in-addr.arpa

        • 8.8.8.8:53
          13.227.111.52.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          13.227.111.52.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6eclfqMj\RdpSa.exe
          Filesize

          56KB

          MD5

          5992f5b5d0b296b83877da15b54dd1b4

          SHA1

          0d87be8d4b7aeada4b55d1d05c0539df892f8f82

          SHA256

          32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

          SHA512

          4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

          Download Submit

        • C:\Users\Admin\AppData\Local\6eclfqMj\WINSTA.dll
          Filesize

          788KB

          MD5

          af00a5e82fe9d76265441a08f662d1d3

          SHA1

          fdc51b8518ed830018b5f4b43464f79fbc322f78

          SHA256

          7d7edfe3ee99bf23d3b69662c6d7fdeb7b47012092e29cae787b770ee52d9051

          SHA512

          e8cdc856548df1c2db414f4c4b4fac5c6831e100e6d06da98c85a8b5a3cf9da941a39d7417d3d17dfd856e97405644cc8a3cf1b9e6086f13f073a17018304b5c

          Download Submit

        • C:\Users\Admin\AppData\Local\EvRzTewJB\DUI70.dll
          Filesize

          1.0MB

          MD5

          749b4dfae5773f39589c055546402a0f

          SHA1

          c1cc36ae7e1e3cbf17e8cbe563db2d4c599dbc36

          SHA256

          ff54a5e3d82084a7b8bc53ffa90edc3e4a9e13397aa484eb62f11d4cf4d42262

          SHA512

          5d12a436584c736f2a194d8d41db02482a2c4c9c10caff83d44daa9bba67816241c512fa9f0af07d55073288ed32a49f332f04b7b898e4e46180aeaef2f4041d

          Download Submit

        • C:\Users\Admin\AppData\Local\EvRzTewJB\Utilman.exe
          Filesize

          123KB

          MD5

          a117edc0e74ab4770acf7f7e86e573f7

          SHA1

          5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

          SHA256

          b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

          SHA512

          72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

          Download Submit

        • C:\Users\Admin\AppData\Local\cFq\HID.DLL
          Filesize

          784KB

          MD5

          735c2c6307438e421b74f6cfb88e1116

          SHA1

          0c0d85762e77f4b3d549a0422fd591138c0b9534

          SHA256

          1ec4e31d8c9db0620d925d600700207c4b848d6107cf2cc0241f6eff77f1dc93

          SHA512

          945fee40b9db681a915d5b5ead8aebbc6af4571eff6897fa23c904b82b8a01d5b4ed3c4ff9af28d7d04baa43032af73334c64318a9a42409ce208cc0628b597b

          Download Submit

        • C:\Users\Admin\AppData\Local\cFq\tabcal.exe
          Filesize

          84KB

          MD5

          40f4014416ff0cbf92a9509f67a69754

          SHA1

          1798ff7324724a32c810e2075b11c09b41e4fede

          SHA256

          f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

          SHA512

          646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk
          Filesize

          1KB

          MD5

          c63ab2cf72603b1f62d548781e8f4885

          SHA1

          0d424a5329731847fa8b6f5a61ac258d4052ce14

          SHA256

          2a4d9ebfc16460e995f380e2aeb2d3e79fc47a8b37a88a9c59da0b1e11000513

          SHA512

          74eddde003598e353eda18346ea271ad30d7548d017bc4a0e404ab48f59e5666db24470cfd4743ca917be7b0aec0e0fef1607248a714cb489d456880427bccb7

          Download Submit

        • memory/1548-1-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1548-0-0x000002A6CE680000-0x000002A6CE687000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1548-14-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1868-84-0x0000000140000000-0x0000000140109000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1868-83-0x0000026C3FE30000-0x0000026C3FE37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1868-79-0x0000000140000000-0x0000000140109000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2644-50-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2644-44-0x0000024769810000-0x0000024769817000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2644-45-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3456-33-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3456-22-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3456-4-0x0000000002680000-0x0000000002681000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3456-13-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3456-12-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3456-6-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3456-7-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3456-9-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3456-8-0x00007FF925EAA000-0x00007FF925EAB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3456-15-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3456-10-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3456-26-0x00007FF927800000-0x00007FF927810000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3456-11-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3456-35-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3456-25-0x00000000024C0000-0x00000000024C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4768-67-0x0000000140000000-0x00000001400C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/4768-64-0x0000027FA9710000-0x0000027FA9717000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4768-61-0x0000000140000000-0x00000001400C4000-memory.dmp

          Filesize

          784KB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.