Analysis
- max time kernel: 151s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 17-04-2022 16:35
Static task: static1
Behavioral task: behavioral1
- Sample: 2dabd9d734c7d34448d9788baffa67d710d3fd3187425d8f48e6c84837bdfce1.dll
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: 2dabd9d734c7d34448d9788baffa67d710d3fd3187425d8f48e6c84837bdfce1.dll
- Size: 1.4MB
- MD5: 93ba44fe28e716dd7d99748f6b093c32
- SHA1: 3691be58d3a71488e29ea4a0d4bbbcbd301e42ee
- SHA256: 2dabd9d734c7d34448d9788baffa67d710d3fd3187425d8f48e6c84837bdfce1
- SHA512: a702dac638b7d0aa2798a76befab9fac510868bd1d709fb917690e6a234da192e1ba7a08f82c351701c586a8dcaa3624f87cf18d52ee49bfba5a4816d136873a
Malware Config
Signatures
-
Processes:
resource: behavioral1/memory/1264-59-0x00000000026A0000-0x00000000026A1000-memory.dmp, yara_rule: dridex_stager_shellcode
- Modifies Installed Components in the registry (2 TTPs)
Processes:
description: Key value queried, ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, process: rundll32.exe
- Drops file in Windows directory (1 IoC)
Processes:
description: File opened for modification, ioc: \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe, process: explorer.exe
- Modifies registry class (5 IoCs)
Processes:
description: Key created, ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings, process: explorer.exe
description: Key created, ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell, process: explorer.exe
description: Key created, ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU, process: explorer.exe
description: Set value (data), ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots, process: explorer.exe
description: Set value (data), ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff, process: explorer.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid 1500 rundll32.exe (6 entries)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
Token: SeShutdownPrivilege, pid 1352 explorer.exe (12 entries)
Token: 33, pid 1680 AUDIODG.EXE (2 entries)
Token: SeIncBasePriorityPrivilege, pid 1680 AUDIODG.EXE (2 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
pid 1352 explorer.exe (25 entries)
- Suspicious use of SendNotifyMessage (17 IoCs)
Processes:
pid 1352 explorer.exe (17 entries)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dabd9d734c7d34448d9788baffa67d710d3fd3187425d8f48e6c84837bdfce1.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\explorer.exe
  command line: explorer.exe
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x59c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1264-59-0x00000000026A0000-0x00000000026A1000-memory.dmp (Filesize: 4KB)
- memory/1352-60-0x000007FEFB7A1000-0x000007FEFB7A3000-memory.dmp (Filesize: 8KB)
- memory/1500-54-0x0000000140000000-0x0000000140170000-memory.dmp (Filesize: 1.4MB)
- memory/1500-56-0x00000000000A0000-0x00000000000A7000-memory.dmp (Filesize: 28KB)