Analysis
max time kernel: 152s
max time network: 142s
platform: windows7_x64
resource: win7-20220414-en
submitted: 17-04-2022 16:35

Static task: static1
Behavioral task: behavioral1
Sample: 7a4e011803ef96e8fac69078841190d9b2e70a8e7b46503763f198b56610a47a.dll
Resource: win7-20220414-en (windows7_x64)
0 signatures
0 seconds
General
Target: 7a4e011803ef96e8fac69078841190d9b2e70a8e7b46503763f198b56610a47a.dll
Size: 1.4MB
MD5: 9ddff2357afda5654a8d78e9619cd3c6
SHA1: d424194ee2151aea827f7ee24893ee6731982385
SHA256: 7a4e011803ef96e8fac69078841190d9b2e70a8e7b46503763f198b56610a47a
SHA512: b9884ae6ba552cd19352ddc4c556de6a3792693c01b6e25723b5a3667cdf23daf4478021d9e55e340af745466111424f506cba62896a20ba7f9af6e45acd3b07
Malware Config

Signatures

Processes:
resource | yara_rule
behavioral1/memory/1272-59-0x0000000002980000-0x0000000002981000-memory.dmp | dridex_stager_shellcode

Modifies Installed Components in the registry (2 TTPs)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Modifies registry class (5 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid | process
1944 | rundll32.exe (6 entries)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1340 | explorer.exe (10 entries)
Token: 33 | 1964 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1964 | AUDIODG.EXE
Token: 33 | 1964 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1964 | AUDIODG.EXE
Token: SeShutdownPrivilege | 1340 | explorer.exe (2 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
pid | process
1340 | explorer.exe (25 entries)

Suspicious use of SendNotifyMessage (21 IoCs)
Processes:
pid | process
1340 | explorer.exe (21 entries)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a4e011803ef96e8fac69078841190d9b2e70a8e7b46503763f198b56610a47a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\explorer.exe
  command line: explorer.exe
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x594
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file | filesize
memory/1272-59-0x0000000002980000-0x0000000002981000-memory.dmp | 4KB
memory/1340-60-0x000007FEFC511000-0x000007FEFC513000-memory.dmp | 8KB
memory/1944-54-0x0000000140000000-0x0000000140170000-memory.dmp | 1.4MB
memory/1944-58-0x0000000000110000-0x0000000000117000-memory.dmp | 28KB