Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
17-04-2022 16:35
Static task
static1
Behavioral task
behavioral1
Sample
2fb06f555d81adffa0f0f2b6e63a0dad50a6fda767668654fda0f971fd9d9ccb.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
2fb06f555d81adffa0f0f2b6e63a0dad50a6fda767668654fda0f971fd9d9ccb.dll
-
Size
1.2MB
-
MD5
284579c3610621502f530cd9bcdd0e5f
-
SHA1
354fba659c8c50845b1c591ba452a4416b01263e
-
SHA256
2fb06f555d81adffa0f0f2b6e63a0dad50a6fda767668654fda0f971fd9d9ccb
-
SHA512
4667b6eb5a4a16918fdaecd3bbe7d9cd8954321b0b8e52d09ab1b8b407b9a4bb150fa95608b9aff8ad4c98f7bea02beb505b586c0e58d5d2601adf0c9b85ff92
Score
8/10
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Drops file in Windows directory 1 IoCs
Processes:
explorer.exedescription ioc process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe -
Modifies registry class 5 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
rundll32.exepid process 1580 rundll32.exe 1580 rundll32.exe 1580 rundll32.exe 1580 rundll32.exe 1580 rundll32.exe 1580 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
explorer.exeAUDIODG.EXEdescription pid process Token: SeShutdownPrivilege 1704 explorer.exe Token: SeShutdownPrivilege 1704 explorer.exe Token: SeShutdownPrivilege 1704 explorer.exe Token: SeShutdownPrivilege 1704 explorer.exe Token: SeShutdownPrivilege 1704 explorer.exe Token: SeShutdownPrivilege 1704 explorer.exe Token: SeShutdownPrivilege 1704 explorer.exe Token: SeShutdownPrivilege 1704 explorer.exe Token: SeShutdownPrivilege 1704 explorer.exe Token: SeShutdownPrivilege 1704 explorer.exe Token: 33 680 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 680 AUDIODG.EXE Token: 33 680 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 680 AUDIODG.EXE Token: SeShutdownPrivilege 1704 explorer.exe Token: SeShutdownPrivilege 1704 explorer.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
explorer.exepid process 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe -
Suspicious use of SendNotifyMessage 17 IoCs
Processes:
explorer.exepid process 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe 1704 explorer.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2fb06f555d81adffa0f0f2b6e63a0dad50a6fda767668654fda0f971fd9d9ccb.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x58c1⤵
- Suspicious use of AdjustPrivilegeToken