Resubmissions
28-05-2021 05:59
210528-mj2qwc9z3x 1019-05-2021 14:41
210519-khtrssqv6a 1010-05-2021 18:06
210510-ncy7w9kqte 10Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
10-05-2021 18:06
Static task
static1
Behavioral task
behavioral1
Sample
93394d6e_by_Libranalysis.dll
Resource
win7v20210410
General
-
Target
93394d6e_by_Libranalysis.dll
-
Size
588KB
-
MD5
93394d6e0ea894922267955095fabbc9
-
SHA1
38ac582b64fb09f212aceddf5e3cc13946c69985
-
SHA256
7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530
-
SHA512
aceecbcccd6fe48586d695b0ef04d7d0b998069dbb6545dc9ca96045f896281663027cf048ce2d0f27d0e2990f03c1f592322bfa9bc9776f153d07c6993cc8e7
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1864-60-0x0000000140000000-0x000000014009D000-memory.dmp dridex_payload behavioral1/memory/436-80-0x0000000140000000-0x00000001400D1000-memory.dmp dridex_payload behavioral1/memory/624-88-0x0000000140000000-0x000000014009E000-memory.dmp dridex_payload -
Processes:
resource yara_rule behavioral1/memory/1224-63-0x0000000003960000-0x0000000003961000-memory.dmp dridex_stager_shellcode -
Executes dropped EXE 3 IoCs
Processes:
dpapimig.exeDeviceDisplayObjectProvider.exerdrleakdiag.exepid Process 436 dpapimig.exe 624 DeviceDisplayObjectProvider.exe 1304 rdrleakdiag.exe -
Loads dropped DLL 7 IoCs
Processes:
dpapimig.exeDeviceDisplayObjectProvider.exerdrleakdiag.exepid Process 1224 436 dpapimig.exe 1224 624 DeviceDisplayObjectProvider.exe 1224 1304 rdrleakdiag.exe 1224 -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srlqp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\gppQHM99IU\\DeviceDisplayObjectProvider.exe" -
Processes:
rundll32.exedpapimig.exeDeviceDisplayObjectProvider.exerdrleakdiag.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dpapimig.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DeviceDisplayObjectProvider.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rdrleakdiag.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rundll32.exedpapimig.exeDeviceDisplayObjectProvider.exepid Process 1864 rundll32.exe 1864 rundll32.exe 1864 rundll32.exe 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 436 dpapimig.exe 436 dpapimig.exe 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 624 DeviceDisplayObjectProvider.exe 624 DeviceDisplayObjectProvider.exe 1224 1224 1224 1224 1224 1224 1224 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid Process 1224 -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid Process 1224 1224 1224 1224 -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid Process 1224 1224 1224 1224 -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description pid Process procid_target PID 1224 wrote to memory of 1684 1224 29 PID 1224 wrote to memory of 1684 1224 29 PID 1224 wrote to memory of 1684 1224 29 PID 1224 wrote to memory of 436 1224 30 PID 1224 wrote to memory of 436 1224 30 PID 1224 wrote to memory of 436 1224 30 PID 1224 wrote to memory of 1044 1224 31 PID 1224 wrote to memory of 1044 1224 31 PID 1224 wrote to memory of 1044 1224 31 PID 1224 wrote to memory of 624 1224 32 PID 1224 wrote to memory of 624 1224 32 PID 1224 wrote to memory of 624 1224 32 PID 1224 wrote to memory of 972 1224 33 PID 1224 wrote to memory of 972 1224 33 PID 1224 wrote to memory of 972 1224 33 PID 1224 wrote to memory of 1304 1224 34 PID 1224 wrote to memory of 1304 1224 34 PID 1224 wrote to memory of 1304 1224 34
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\93394d6e_by_Libranalysis.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1864
-
C:\Windows\system32\dpapimig.exeC:\Windows\system32\dpapimig.exe1⤵PID:1684
-
C:\Users\Admin\AppData\Local\rs2\dpapimig.exeC:\Users\Admin\AppData\Local\rs2\dpapimig.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:436
-
C:\Windows\system32\DeviceDisplayObjectProvider.exeC:\Windows\system32\DeviceDisplayObjectProvider.exe1⤵PID:1044
-
C:\Users\Admin\AppData\Local\tKQ1RY45a\DeviceDisplayObjectProvider.exeC:\Users\Admin\AppData\Local\tKQ1RY45a\DeviceDisplayObjectProvider.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:624
-
C:\Windows\system32\rdrleakdiag.exeC:\Windows\system32\rdrleakdiag.exe1⤵PID:972
-
C:\Users\Admin\AppData\Local\QAuM3O0f\rdrleakdiag.exeC:\Users\Admin\AppData\Local\QAuM3O0f\rdrleakdiag.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1304
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
5e058566af53848541fa23fba4bb5b81
SHA1769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
SHA256ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
SHA512352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0
-
MD5
8147e1a29aa0e169effe764cf746fd4c
SHA101d66cd88bdf551c91cf969a47056cc6a44ba216
SHA25614652d299a228c24cd8cc0f0df87233e9bd065941b5bda2adfb35e5ae386c450
SHA51238d3ff9116b0cb749f7798d0c65b082413d2dad3612413b85bac3731595bc5ed542daff3079bf629a319934340cb6b3ae69b33aad60855ac5b419be09c2f361c
-
MD5
6adc866a67e540e15910794b286de645
SHA16c0cd3d102f4edadf4e2165da5ef91e9ffe0055e
SHA2564934ddadbbe2a5163ac0e6d95a76048fdf99255ea3ce00204822d9a68cb6475f
SHA512689d4289217da71777e49f3bbcbc2ee41c4be5ffb3915ad13a974862584b2149177b1d4ddcecbad89f24c578b1f65bcd28212b631dd461801b4654fb6eafad8e
-
MD5
0e8b8abea4e23ddc9a70614f3f651303
SHA16d332ba4e7a78039f75b211845514ab35ab467b2
SHA25666fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA5124feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc
-
MD5
7e2eb3a4ae11190ef4c8a9b9a9123234
SHA172e98687a8d28614e2131c300403c2822856e865
SHA2568481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
SHA51218b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf
-
MD5
2bbd078a08fb020127481b26984d930e
SHA16f047ed048a5fd2003418f787355ddaf1f7d5bc9
SHA2565269caea977276c485ce202c4c3ac3ecb1ba2523a1e612b8d7e0d2f4cc774e53
SHA51256f6814e59e02d327eb3bbdfa194fe8fea2b1567607f67783e32d5f01ceef9496b3a7346a7af036f6fc7e8445e9e662372785f11993ece7e8c276e4d83a2bd77
-
MD5
5e058566af53848541fa23fba4bb5b81
SHA1769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
SHA256ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
SHA512352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0
-
MD5
8147e1a29aa0e169effe764cf746fd4c
SHA101d66cd88bdf551c91cf969a47056cc6a44ba216
SHA25614652d299a228c24cd8cc0f0df87233e9bd065941b5bda2adfb35e5ae386c450
SHA51238d3ff9116b0cb749f7798d0c65b082413d2dad3612413b85bac3731595bc5ed542daff3079bf629a319934340cb6b3ae69b33aad60855ac5b419be09c2f361c
-
MD5
6adc866a67e540e15910794b286de645
SHA16c0cd3d102f4edadf4e2165da5ef91e9ffe0055e
SHA2564934ddadbbe2a5163ac0e6d95a76048fdf99255ea3ce00204822d9a68cb6475f
SHA512689d4289217da71777e49f3bbcbc2ee41c4be5ffb3915ad13a974862584b2149177b1d4ddcecbad89f24c578b1f65bcd28212b631dd461801b4654fb6eafad8e
-
MD5
0e8b8abea4e23ddc9a70614f3f651303
SHA16d332ba4e7a78039f75b211845514ab35ab467b2
SHA25666fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA5124feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc
-
MD5
7e2eb3a4ae11190ef4c8a9b9a9123234
SHA172e98687a8d28614e2131c300403c2822856e865
SHA2568481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
SHA51218b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf
-
MD5
2bbd078a08fb020127481b26984d930e
SHA16f047ed048a5fd2003418f787355ddaf1f7d5bc9
SHA2565269caea977276c485ce202c4c3ac3ecb1ba2523a1e612b8d7e0d2f4cc774e53
SHA51256f6814e59e02d327eb3bbdfa194fe8fea2b1567607f67783e32d5f01ceef9496b3a7346a7af036f6fc7e8445e9e662372785f11993ece7e8c276e4d83a2bd77
-
MD5
5e058566af53848541fa23fba4bb5b81
SHA1769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
SHA256ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
SHA512352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0