Analysis
-
max time kernel: 155s
max time network: 137s
platform: windows10_x64
resource: win10-en-20211014
submitted: 26-11-2021 09:30
Static task: static1
Behavioral task: behavioral1
Sample: 559ea4cd5ccedae2401361426823b4c92046f9f997e78b9cf9a1c1e31f9b79c9.dll
Resource: win7-en-20211104
General
-
Target: 559ea4cd5ccedae2401361426823b4c92046f9f997e78b9cf9a1c1e31f9b79c9.dll
Size: 1.2MB
MD5: 366013530a4b95379a78c2fdb73c57bc
SHA1: ef3d3ab238a9c130efde5d42a25d6da283fb32b4
SHA256: 559ea4cd5ccedae2401361426823b4c92046f9f997e78b9cf9a1c1e31f9b79c9
SHA512: d069b330242c8ec15975e4ff601b6c4a6cadf43a3ea36193c3e616e0f13602d51a4ef72a8af59a7989eb4d3e126b87436280f5457787bddfe430899600113ead
Malware Config
Signatures
-
YARA rule match
  resource: behavioral2/memory/3028-124-0x0000000000860000-0x0000000000861000-memory.dmp
  yara_rule: dridex_stager_shellcode
-
Executes dropped EXE (3 IoCs)
  pid 880   lpksetup.exe
  pid 512   wermgr.exe
  pid 1732  osk.exe
-
Loads dropped DLL (3 IoCs)
  pid 880   lpksetup.exe
  pid 512   wermgr.exe
  pid 1732  osk.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\uGF\\wermgr.exe"
-
Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (lpksetup.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (wermgr.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (osk.exe)
-
Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2176  rundll32.exe  (4 entries)
  pid 3028  (no process name listed; all remaining entries)
-
Suspicious behavior: GetForegroundWindowSpam (5 IoCs)
  pid 2176  rundll32.exe
  pid 3028  (no process name listed)
  pid 880   lpksetup.exe
  pid 512   wermgr.exe
  pid 1732  osk.exe
-
Suspicious use of AdjustPrivilegeToken (12 IoCs)
  pid 3028  Token: SeShutdownPrivilege  (6 entries)
  pid 3028  Token: SeCreatePagefilePrivilege  (6 entries)
-
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3028 wrote to memory of 800   target process: lpksetup.exe  (2 entries)
  PID 3028 wrote to memory of 880   target process: lpksetup.exe  (2 entries)
  PID 3028 wrote to memory of 520   target process: wermgr.exe    (2 entries)
  PID 3028 wrote to memory of 512   target process: wermgr.exe    (2 entries)
  PID 3028 wrote to memory of 3560  target process: osk.exe       (2 entries)
  PID 3028 wrote to memory of 1732  target process: osk.exe       (2 entries)
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\559ea4cd5ccedae2401361426823b4c92046f9f997e78b9cf9a1c1e31f9b79c9.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\lpksetup.exe
  command line: C:\Windows\system32\lpksetup.exe
-
C:\Users\Admin\AppData\Local\2Js\lpksetup.exe
  command line: C:\Users\Admin\AppData\Local\2Js\lpksetup.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\wermgr.exe
  command line: C:\Windows\system32\wermgr.exe
-
C:\Users\Admin\AppData\Local\GouTesF\wermgr.exe
  command line: C:\Users\Admin\AppData\Local\GouTesF\wermgr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\osk.exe
  command line: C:\Windows\system32\osk.exe
-
C:\Users\Admin\AppData\Local\N5I6\osk.exe
  command line: C:\Users\Admin\AppData\Local\N5I6\osk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
Downloads