Analysis
- max time kernel: 150s
- max time network: 115s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-04-2022 04:18
Static task: static1
Behavioral task: behavioral1
- Sample: f8a764a3f99993f4b6042719d93a5f2f39638bde7bc04223fcb546aa3347e3e4.dll
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: f8a764a3f99993f4b6042719d93a5f2f39638bde7bc04223fcb546aa3347e3e4.dll
- Size: 1.2MB
- MD5: c50408c64af413bf14ee924055a2b917
- SHA1: c9fa32505e6e82a0dea5e40a202b37dc6d3f5ada
- SHA256: f8a764a3f99993f4b6042719d93a5f2f39638bde7bc04223fcb546aa3347e3e4
- SHA512: d76f14df79e7cbdbeef2afdeed61f54eeafdfd99a84eeac0b6e039c7835114e86cf2ce7ae6043af296cee719bcfe4f2ab519328545bb836002e8279eab95b301
- Score: 8/10
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs)
  Processes: rundll32.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Modifies registry class (5 IoCs)
  Processes: explorer.exe
  Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings (explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: rundll32.exe
  pid 1480 rundll32.exe (6 entries)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes: explorer.exe, AUDIODG.EXE
  Token: SeShutdownPrivilege, pid 744 explorer.exe (10 entries)
  Token: 33, pid 1732 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, pid 1732 AUDIODG.EXE
  Token: 33, pid 1732 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, pid 1732 AUDIODG.EXE
  Token: SeShutdownPrivilege, pid 744 explorer.exe (2 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: explorer.exe
  pid 744 explorer.exe (25 entries)
- Suspicious use of SendNotifyMessage (21 IoCs)
  Processes: explorer.exe
  pid 744 explorer.exe (21 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8a764a3f99993f4b6042719d93a5f2f39638bde7bc04223fcb546aa3347e3e4.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x588
  - Suspicious use of AdjustPrivilegeToken