Analysis

max time kernel: 150s
max time network: 116s
platform: windows7_x64
resource: win7-20220414-en
submitted: 17-04-2022 16:34
Static task: static1
Behavioral task: behavioral1

Sample: ebcba394786cc603974e26ec590d690cda189e984aa284c09004906686986e11.dll
Resource: win7-20220414-en (windows7_x64)
0 signatures
0 seconds
General

Target: ebcba394786cc603974e26ec590d690cda189e984aa284c09004906686986e11.dll
Size: 621KB
MD5: 7fc2c7a96f7e298e44f3ed49955089b3
SHA1: 673e01731046d838398fed7a6a7806bc2541097f
SHA256: ebcba394786cc603974e26ec590d690cda189e984aa284c09004906686986e11
SHA512: 722516043cd0b491680c0fbc6054cc8b999b822a0bb6f18c26ff5affcb20a53210788c166736450ed5271fa98095b13f8ce9fbc2efab9a9183b09b8020de0d6f
Malware Config
Signatures

Processes:
resource | yara_rule
behavioral1/memory/784-54-0x0000000140000000-0x00000001400A4000-memory.dmp | dridex_payload
Modifies Installed Components in the registry (2 TTPs)

Processes: rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Drops file in Windows directory (1 IoC)

Processes: explorer.exe
description | ioc | process
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | explorer.exe
Modifies registry class (5 IoCs)

Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)

Processes: rundll32.exe
pid | process
784 | rundll32.exe (6 identical entries)
Suspicious use of AdjustPrivilegeToken (16 IoCs)

Processes: explorer.exe, AUDIODG.EXE
description | pid | process
Token: SeShutdownPrivilege | 1992 | explorer.exe (10 identical entries)
Token: 33 | 1100 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1100 | AUDIODG.EXE
Token: 33 | 1100 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1100 | AUDIODG.EXE
Token: SeShutdownPrivilege | 1992 | explorer.exe (2 identical entries)
Suspicious use of FindShellTrayWindow (25 IoCs)

Processes: explorer.exe
pid | process
1992 | explorer.exe (25 identical entries)
Suspicious use of SendNotifyMessage (21 IoCs)

Processes: explorer.exe
pid | process
1992 | explorer.exe (21 identical entries)
Processes

C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebcba394786cc603974e26ec590d690cda189e984aa284c09004906686986e11.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses

C:\Windows\explorer.exe
command line: explorer.exe
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

C:\Windows\system32\AUDIODG.EXE
command line: C:\Windows\system32\AUDIODG.EXE 0x598
- Suspicious use of AdjustPrivilegeToken