Resubmissions
- 28-05-2021 05:59  210528-mj2qwc9z3x  score 10
- 19-05-2021 14:41  210519-khtrssqv6a  score 10
- 10-05-2021 18:06  210510-ncy7w9kqte  score 10
Analysis
- max time kernel: 299s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 28-05-2021 05:59
- Static task: static1
General
- Target: 93394d6e_by_Libranalysis.dll
- Size: 588KB
- MD5: 93394d6e0ea894922267955095fabbc9
- SHA1: 38ac582b64fb09f212aceddf5e3cc13946c69985
- SHA256: 7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530
- SHA512: aceecbcccd6fe48586d695b0ef04d7d0b998069dbb6545dc9ca96045f896281663027cf048ce2d0f27d0e2990f03c1f592322bfa9bc9776f153d07c6993cc8e7
Malware Config
Signatures
- yara_rule: DridexV4
  resource:
  - behavioral1/memory/772-62-0x0000000000280000-0x0000000000287000-memory.dmp
- yara_rule: dridex_payload
  resource:
  - behavioral1/memory/772-60-0x0000000140000000-0x000000014009D000-memory.dmp
  - behavioral1/memory/292-80-0x0000000140000000-0x00000001400A4000-memory.dmp
  - behavioral1/memory/268-90-0x00000000001B0000-0x000000000024E000-memory.dmp
  - behavioral1/memory/1568-98-0x0000000140000000-0x000000014009E000-memory.dmp
- yara_rule: dridex_stager_shellcode
  resource:
  - behavioral1/memory/1288-63-0x00000000021C0000-0x00000000021C1000-memory.dmp
Executes dropped EXE (3 IoCs)
  pid   Process
  292   shrpubw.exe
  268   WFS.exe
  1568  SystemPropertiesHardware.exe
Loads dropped DLL (7 IoCs)
  pid   Process
  1288  Process not Found
  292   shrpubw.exe
  1288  Process not Found
  268   WFS.exe
  1288  Process not Found
  1568  SystemPropertiesHardware.exe
  1288  Process not Found
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srlqp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\0Ki2\\WFS.exe"
  Process: Process not Found
Checks whether UAC is enabled (4 IoCs)
  description        ioc                                                                                    Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  shrpubw.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WFS.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesHardware.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; consecutive identical rows collapsed, with the row count in the last column)
  pid   Process            rows
  772   rundll32.exe       3
  1288  Process not Found  46
  292   shrpubw.exe        2
  1288  Process not Found  12
  268   WFS.exe            1
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1288  Process not Found
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   Process
  1288  Process not Found
  1288  Process not Found
  1288  Process not Found
  1288  Process not Found
Suspicious use of SendNotifyMessage (4 IoCs)
  pid   Process
  1288  Process not Found
  1288  Process not Found
  1288  Process not Found
  1288  Process not Found
Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process            procid_target
  PID 1288 wrote to memory of 1644  1288  Process not Found  29
  PID 1288 wrote to memory of 1644  1288  Process not Found  29
  PID 1288 wrote to memory of 1644  1288  Process not Found  29
  PID 1288 wrote to memory of 292   1288  Process not Found  30
  PID 1288 wrote to memory of 292   1288  Process not Found  30
  PID 1288 wrote to memory of 292   1288  Process not Found  30
  PID 1288 wrote to memory of 112   1288  Process not Found  31
  PID 1288 wrote to memory of 112   1288  Process not Found  31
  PID 1288 wrote to memory of 112   1288  Process not Found  31
  PID 1288 wrote to memory of 268   1288  Process not Found  32
  PID 1288 wrote to memory of 268   1288  Process not Found  32
  PID 1288 wrote to memory of 268   1288  Process not Found  32
  PID 1288 wrote to memory of 436   1288  Process not Found  33
  PID 1288 wrote to memory of 436   1288  Process not Found  33
  PID 1288 wrote to memory of 436   1288  Process not Found  33
  PID 1288 wrote to memory of 1568  1288  Process not Found  34
  PID 1288 wrote to memory of 1568  1288  Process not Found  34
  PID 1288 wrote to memory of 1568  1288  Process not Found  34
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\93394d6e_by_Libranalysis.dll,#1
  PID: 772
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\shrpubw.exe
  Command line: C:\Windows\system32\shrpubw.exe
  PID: 1644
- C:\Users\Admin\AppData\Local\GGJAUMUT\shrpubw.exe
  Command line: C:\Users\Admin\AppData\Local\GGJAUMUT\shrpubw.exe
  PID: 292
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\WFS.exe
  Command line: C:\Windows\system32\WFS.exe
  PID: 112
- C:\Users\Admin\AppData\Local\Im9N02\WFS.exe
  Command line: C:\Users\Admin\AppData\Local\Im9N02\WFS.exe
  PID: 268
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\SystemPropertiesHardware.exe
  Command line: C:\Windows\system32\SystemPropertiesHardware.exe
  PID: 436
- C:\Users\Admin\AppData\Local\5rN\SystemPropertiesHardware.exe
  Command line: C:\Users\Admin\AppData\Local\5rN\SystemPropertiesHardware.exe
  PID: 1568
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled