Resubmissions
28-05-2021 05:59  210528-mj2qwc9z3x  10
19-05-2021 14:41  210519-khtrssqv6a  10
10-05-2021 18:06  210510-ncy7w9kqte  10
Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 10-05-2021 18:06
Static task: static1
Behavioral task: behavioral1
Sample: 93394d6e_by_Libranalysis.dll
Resource: win7v20210410
General
- Target: 93394d6e_by_Libranalysis.dll
- Size: 588KB
- MD5: 93394d6e0ea894922267955095fabbc9
- SHA1: 38ac582b64fb09f212aceddf5e3cc13946c69985
- SHA256: 7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530
- SHA512: aceecbcccd6fe48586d695b0ef04d7d0b998069dbb6545dc9ca96045f896281663027cf048ce2d0f27d0e2990f03c1f592322bfa9bc9776f153d07c6993cc8e7
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/3992-114-0x0000000140000000-0x000000014009D000-memory.dmp | dridex_payload
behavioral2/memory/3776-139-0x0000000140000000-0x000000014009E000-memory.dmp | dridex_payload
-
Processes:
resource | yara_rule
behavioral2/memory/3036-120-0x0000000000660000-0x0000000000661000-memory.dmp | dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid | Process
3776 | sppsvc.exe
3296 | SppExtComObj.Exe
1160 | CloudNotifications.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | Process
3776 | sppsvc.exe
3296 | SppExtComObj.Exe
1160 | CloudNotifications.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jngmlmox = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3686645723-710336880-414668232-1000\\Yv\\SppExtComObj.Exe"
-
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SppExtComObj.Exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CloudNotifications.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
-
Modifies registry class 2 IoCs
Processes:
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process
3992 | rundll32.exe (8 entries)
3036 | (process name not recorded; remaining 56 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | Process
3036 | (process name not recorded)
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid
Token: SeShutdownPrivilege | 3036
Token: SeCreatePagefilePrivilege | 3036
Token: SeShutdownPrivilege | 3036
Token: SeCreatePagefilePrivilege | 3036
Token: SeShutdownPrivilege | 3036
Token: SeCreatePagefilePrivilege | 3036
Token: SeShutdownPrivilege | 3036
Token: SeCreatePagefilePrivilege | 3036
-
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
pid | Process
3036 | (process name not recorded; 8 entries)
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | Process
3036 | (process name not recorded)
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description | pid | procid_target
PID 3036 wrote to memory of 3776 | 3036 | 80
PID 3036 wrote to memory of 3776 | 3036 | 80
PID 3036 wrote to memory of 3464 | 3036 | 81
PID 3036 wrote to memory of 3464 | 3036 | 81
PID 3036 wrote to memory of 3296 | 3036 | 82
PID 3036 wrote to memory of 3296 | 3036 | 82
PID 3036 wrote to memory of 1360 | 3036 | 83
PID 3036 wrote to memory of 1360 | 3036 | 83
PID 3036 wrote to memory of 1160 | 3036 | 84
PID 3036 wrote to memory of 1160 | 3036 | 84
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\93394d6e_by_Libranalysis.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3992
- C:\Windows\system32\sppsvc.exe
  Command line: C:\Windows\system32\sppsvc.exe
  PID: 1516
- C:\Users\Admin\AppData\Local\aGi7FNo3\sppsvc.exe
  Command line: C:\Users\Admin\AppData\Local\aGi7FNo3\sppsvc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3776
- C:\Windows\system32\SppExtComObj.Exe
  Command line: C:\Windows\system32\SppExtComObj.Exe
  PID: 3464
- C:\Users\Admin\AppData\Local\ehxOzmz\SppExtComObj.Exe
  Command line: C:\Users\Admin\AppData\Local\ehxOzmz\SppExtComObj.Exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3296
- C:\Windows\system32\CloudNotifications.exe
  Command line: C:\Windows\system32\CloudNotifications.exe
  PID: 1360
- C:\Users\Admin\AppData\Local\Qr1qP\CloudNotifications.exe
  Command line: C:\Users\Admin\AppData\Local\Qr1qP\CloudNotifications.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1160
Network
MITRE ATT&CK Enterprise v6
Downloads