Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

138cd54735...77.dll

windows7-x64

10

138cd54735...77.dll

windows10-2004-x64

10

Resubmissions

27/01/2025, 12:58

250127-p7vptazqcp 10

27/01/2025, 03:53

250127-efybhsyrh1 10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/01/2025, 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277.dll

  • Size

    984KB

  • MD5

    89f99b617454ae1d26f9c5614f19fd30

  • SHA1

    43194372fae7b50a95e00580ce5d64134e4c1b7d

  • SHA256

    138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277

  • SHA512

    fb0445aba4301466b7c5d8dea9afbf87e0ab5d0bbbcee924d22af97700370f0dd13a80691ab322ffabbbb16e287df160344f5f7a54b1834be2b0fda0089470a3

  • SSDEEP

    24576:yWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ijg:1nuVMK6vx2RsIKNrj

Score
10/10
dridexbotnetdefense_evasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1904
  • C:\Windows\system32\TpmInit.exe
    C:\Windows\system32\TpmInit.exe
    1⤵
      PID:2784
    • C:\Users\Admin\AppData\Local\gQIY9vvPD\TpmInit.exe
      C:\Users\Admin\AppData\Local\gQIY9vvPD\TpmInit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2392
    • C:\Windows\system32\tcmsetup.exe
      C:\Windows\system32\tcmsetup.exe
      1⤵
        PID:2676
      • C:\Users\Admin\AppData\Local\D1PDH\tcmsetup.exe
        C:\Users\Admin\AppData\Local\D1PDH\tcmsetup.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2808
      • C:\Windows\system32\mblctr.exe
        C:\Windows\system32\mblctr.exe
        1⤵
          PID:1932
        • C:\Users\Admin\AppData\Local\DYOCi8X\mblctr.exe
          C:\Users\Admin\AppData\Local\DYOCi8X\mblctr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2596

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\D1PDH\TAPI32.dll
          Filesize

          992KB

          MD5

          bb585e95c2e54153402082e310886bc2

          SHA1

          22a8af6601f1327ea204503b38dea61d6974033c

          SHA256

          42aaea33fb307e82f04356303a6661daf1bde7ddff85e9e02178754c94a8de4f

          SHA512

          a262cbbe6c655f1894e14c3785bba34841eddef060cd719e266cbec22e8fdbc390e36456adf4ef247eb97425e2f3feb171ffe5293fb0ad453a966cfec6828962

          Download Submit

        • C:\Users\Admin\AppData\Local\DYOCi8X\WINMM.dll
          Filesize

          992KB

          MD5

          13da53f121f31924506b52561178497c

          SHA1

          b3bcb3b10c81437d20f0f3a3d69ed8a6c05e2ac8

          SHA256

          2602b723570b42d88bd98ffb0ed48fe96746634f37fdf2c40258672fea036eef

          SHA512

          ead8adba2417399100ceceada041e4892febbfe0514a254ed3441f946189eb5d17637441250f54b92def273f9e3c83638236ceb7b3d3b4a180988f4a0729f1c7

          Download Submit

        • C:\Users\Admin\AppData\Local\DYOCi8X\mblctr.exe
          Filesize

          935KB

          MD5

          fa4c36b574bf387d9582ed2c54a347a8

          SHA1

          149077715ee56c668567e3a9cb9842284f4fe678

          SHA256

          b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

          SHA512

          1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

          Download Submit

        • C:\Users\Admin\AppData\Local\gQIY9vvPD\ACTIVEDS.dll
          Filesize

          984KB

          MD5

          fa8ec014ef855310d55ccb6568f6a99d

          SHA1

          fdee2af52e87290dbcfcf68cc1e18c112c3673bd

          SHA256

          38a10adb5f66def5e863a1bd7557eb02c4057aa687b0f418f13fc71dab346d31

          SHA512

          f9784ac1e0a862e83d7a45575bc5fd72b141c966f0cf1654b5cafad57296b611e415edece99db4742fca74e4ecac63e416955101f33415b6b907e612c4515a65

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk
          Filesize

          1KB

          MD5

          c8cc4b02aa13f543fad89cb497319bd8

          SHA1

          05b2d4f46d3dac017d65a6d3ad79524aee387bb3

          SHA256

          81a19588f1a527ae1cb2a916a92bd35f365e7f82c35372ba9565990b04d515a4

          SHA512

          caa25164e873d58182a805eb6fef45d1dad9cf27ad2b9098fc8d2a150ed76bcf266c2571865ac845886b71678c64203b0f8560ca497120ec48c9ddbeae31f0dc

          Download Submit

        • \Users\Admin\AppData\Local\D1PDH\tcmsetup.exe
          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

          Download Submit

        • \Users\Admin\AppData\Local\gQIY9vvPD\TpmInit.exe
          Filesize

          112KB

          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

          Download Submit

        • memory/1152-12-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-20-0x0000000002E60000-0x0000000002E67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1152-107-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-11-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-10-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-4-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-8-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-7-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-23-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-24-0x0000000077241000-0x0000000077242000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-25-0x00000000773A0000-0x00000000773A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1152-34-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-40-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-41-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-14-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-13-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-5-0x0000000002E80000-0x0000000002E81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-16-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1152-15-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1904-9-0x000007FEF6B20000-0x000007FEF6C16000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1904-3-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1904-0-0x000007FEF6B20000-0x000007FEF6C16000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2392-58-0x000007FEF7110000-0x000007FEF7206000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2392-57-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2392-52-0x000007FEF7110000-0x000007FEF7206000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2596-93-0x000007FEF6B20000-0x000007FEF6C18000-memory.dmp

          Filesize

          992KB

          Download

        • memory/2808-70-0x000007FEF6B20000-0x000007FEF6C18000-memory.dmp

          Filesize

          992KB

          Download

        • memory/2808-75-0x0000000000420000-0x0000000000427000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2808-76-0x000007FEF6B20000-0x000007FEF6C18000-memory.dmp

          Filesize

          992KB

          Download