Resubmissions
- 28-05-2021 05:59  210528-mj2qwc9z3x  10
- 19-05-2021 14:41  210519-khtrssqv6a  10
- 10-05-2021 18:06  210510-ncy7w9kqte  10
Analysis
- max time kernel: 600s
- max time network: 598s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 19-05-2021 14:41
- Static task: static1
General
- Target: 93394d6e_by_Libranalysis.dll
- Size: 588KB
- MD5: 93394d6e0ea894922267955095fabbc9
- SHA1: 38ac582b64fb09f212aceddf5e3cc13946c69985
- SHA256: 7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530
- SHA512: aceecbcccd6fe48586d695b0ef04d7d0b998069dbb6545dc9ca96045f896281663027cf048ce2d0f27d0e2990f03c1f592322bfa9bc9776f153d07c6993cc8e7
Malware Config
Signatures
- YARA rule matches
  resource | yara_rule
  behavioral1/memory/1832-114-0x0000000140000000-0x000000014009D000-memory.dmp | dridex_ldr
  behavioral1/memory/2988-139-0x0000000140000000-0x000000014009E000-memory.dmp | dridex_ldr
- Executes dropped EXE (3 IoCs)
  pid | Process
  2988 | DeviceEnroller.exe
  3576 | LockScreenContentServer.exe
  1796 | Netplwiz.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  2988 | DeviceEnroller.exe
  3576 | LockScreenContentServer.exe
  1796 | Netplwiz.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\RvETQpHvO\\LockScreenContentServer.exe" | Process not Found
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DeviceEnroller.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | LockScreenContentServer.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Netplwiz.exe
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Process not Found
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences
  1832 | rundll32.exe | 8
  3024 | Process not Found | 56
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3024 | Process not Found
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  description | pid | Process | occurrences
  Token: SeShutdownPrivilege | 3024 | Process not Found | 13
  Token: SeCreatePagefilePrivilege | 3024 | Process not Found | 13
  (the report alternates SeShutdownPrivilege and SeCreatePagefilePrivilege for the same pid, 26 entries in total)
- Suspicious use of FindShellTrayWindow (10 IoCs)
  pid | Process | occurrences
  3024 | Process not Found | 10
- Suspicious use of SendNotifyMessage (18 IoCs)
  pid | Process | occurrences
  3024 | Process not Found | 18
- Suspicious use of UnmapMainImage (1 IoCs)
  pid | Process
  3024 | Process not Found
- Suspicious use of WriteProcessMemory (12 IoCs; each entry is recorded twice in the report)
  description | pid | Process | procid_target
  PID 3024 wrote to memory of 3876 | 3024 | Process not Found | 78
  PID 3024 wrote to memory of 2988 | 3024 | Process not Found | 79
  PID 3024 wrote to memory of 732 | 3024 | Process not Found | 80
  PID 3024 wrote to memory of 3576 | 3024 | Process not Found | 81
  PID 3024 wrote to memory of 3852 | 3024 | Process not Found | 82
  PID 3024 wrote to memory of 1796 | 3024 | Process not Found | 83
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\93394d6e_by_Libranalysis.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1832
- C:\Windows\system32\DeviceEnroller.exe
  Command line: C:\Windows\system32\DeviceEnroller.exe
  PID: 3876
- C:\Users\Admin\AppData\Local\mlbHTZS\DeviceEnroller.exe
  Command line: C:\Users\Admin\AppData\Local\mlbHTZS\DeviceEnroller.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2988
- C:\Windows\system32\LockScreenContentServer.exe
  Command line: C:\Windows\system32\LockScreenContentServer.exe
  PID: 732
- C:\Users\Admin\AppData\Local\VW8ILl\LockScreenContentServer.exe
  Command line: C:\Users\Admin\AppData\Local\VW8ILl\LockScreenContentServer.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3576
- C:\Windows\system32\Netplwiz.exe
  Command line: C:\Windows\system32\Netplwiz.exe
  PID: 3852
- C:\Users\Admin\AppData\Local\EZ1\Netplwiz.exe
  Command line: C:\Users\Admin\AppData\Local\EZ1\Netplwiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1796