Analysis

max time kernel: 150s
max time network: 112s
platform: windows7_x64
resource: win7-20220414-en
submitted: 19-04-2022 04:18

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: f6d275aec16dbd848d1726e5588c6497c20e4d1788562133c0de98d4f7601b92.dll
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds
General

Target: f6d275aec16dbd848d1726e5588c6497c20e4d1788562133c0de98d4f7601b92.dll
Size: 1.2MB
MD5: 7fe2e94e92e811267a97386b7db2c8c6
SHA1: 195e82349b1267c21acadb5064c41116c882c354
SHA256: f6d275aec16dbd848d1726e5588c6497c20e4d1788562133c0de98d4f7601b92
SHA512: 2e473afafa91ad44dde63342a255747530e26be5ffa4d467110fdddd053671ad0207394dbdb5bed83751e041daaed7b88c939808f71d6d0c80190b36bc8db8cc
Score: 8/10
Malware Config
Signatures

Checks whether UAC is enabled (2 TTPs)
Process: rundll32.exe (pid 1100)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)

The native path \REGISTRY\MACHINE\... is HKLM\...; EnableLUA under Policies\System is the value that says whether UAC is switched on. The IoC is a read, not a write, so this is a UAC pre-check by the code running inside the sample's rundll32.exe host, consistent with the label the process tree gives it; it is the only registry activity the report ties to that process.
Modifies registry class (5 IoCs)
Process: explorer.exe (pid 2000)
- Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings
- Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
- Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- Set value (data): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
- Set value (data): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff

These are ShellBag (BagMRU) keys, which explorer.exe writes to record folder-view state. In the process tree explorer.exe is a top-level process, not a child of the rundll32.exe that hosts the sample, so these writes should not be attributed to the DLL without further evidence.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Process: rundll32.exe (pid 1100), 6 events
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes: explorer.exe, AUDIODG.EXE
- Token: SeShutdownPrivilege, pid 2000 explorer.exe (12 events)
- Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege), pid 1160 AUDIODG.EXE (2 events)
- Token: SeIncBasePriorityPrivilege, pid 1160 AUDIODG.EXE (2 events)

None of these token adjustments come from the sample's rundll32.exe host; both explorer.exe and AUDIODG.EXE appear at the top level of the process tree.
Suspicious use of FindShellTrayWindow (28 IoCs)
Process: explorer.exe (pid 2000), 28 events
Suspicious use of SendNotifyMessage (18 IoCs)
Process: explorer.exe (pid 2000), 18 events
Processes

All three processes below are shown at the top level of the tree; the sample is loaded by rundll32.exe calling the DLL's export ordinal #1, and no child processes of that rundll32.exe are recorded.

- C:\Windows\system32\rundll32.exe (pid 1100)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6d275aec16dbd848d1726e5588c6497c20e4d1788562133c0de98d4f7601b92.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\explorer.exe (pid 2000)
  Command line: explorer.exe
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Windows\system32\AUDIODG.EXE (pid 1160)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x58c
  - Suspicious use of AdjustPrivilegeToken
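Because the report lists explorer.exe and AUDIODG.EXE as top-level processes rather than children of the sample's rundll32.exe, only two of the seven signature hits describe the DLL's own behavior. The following Python is an added example, not part of the report or of the sandbox's tooling, that performs that attribution mechanically: it walks each hit's parent chain and keeps a hit only if the chain reaches the rundll32.exe that loaded the sample. Process names, pids and signature hits are taken from the report; the parent pids are an assumption derived from the tree layout (all three shown at top level), the cmd.exe child (pid 1400) and its "Hypothetical" signature are constructed to show that descendants of the host are attributed to the sample as well, and registry_path_to_hive is a hypothetical helper that turns the sandbox's native \REGISTRY\ paths into the HKLM/HKU form used in EDR and Sigma queries.

```python
"""Attribute sandbox signature hits to the sample's process lineage.

Added example; not code from the report or the sandbox vendor.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_HOST_PID = 1100  # rundll32.exe that loaded the DLL via export #1 (from the report)


@dataclass
class Process:
    pid: int
    name: str
    ppid: Optional[int]  # None = shown at the top level of the sandbox tree
    cmdline: str


# Constructed from the report. ppid None is an assumption taken from the tree
# layout; pid 1400 (cmd.exe) is hypothetical and does not appear in the report.
PROCESSES: Dict[int, Process] = {
    1100: Process(1100, "rundll32.exe", None,
                  "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\"
                  "f6d275aec16dbd848d1726e5588c6497c20e4d1788562133c0de98d4f7601b92.dll,#1"),
    2000: Process(2000, "explorer.exe", None, "explorer.exe"),
    1160: Process(1160, "AUDIODG.EXE", None, "C:\\Windows\\system32\\AUDIODG.EXE 0x58c"),
    1400: Process(1400, "cmd.exe", 1100, "cmd.exe /c whoami"),  # hypothetical child
}

# One (signature, pid) pair per IoC group in the report, plus one hypothetical hit on the child.
SIGNATURE_HITS: List[Tuple[str, int]] = [
    ("Checks whether UAC is enabled", 1100),
    ("Suspicious behavior: EnumeratesProcesses", 1100),
    ("Modifies registry class", 2000),
    ("Suspicious use of AdjustPrivilegeToken", 2000),
    ("Suspicious use of AdjustPrivilegeToken", 1160),
    ("Suspicious use of FindShellTrayWindow", 2000),
    ("Suspicious use of SendNotifyMessage", 2000),
    ("Hypothetical: spawns command shell", 1400),
]


def descends_from(pid: Optional[int], ancestor: int, processes: Dict[int, Process]) -> bool:
    """True if pid is ancestor itself or ancestor is somewhere on pid's parent chain.

    The `seen` set guards against malformed trees where ppid links form a cycle.
    """
    seen = set()
    while pid is not None and pid not in seen:
        if pid == ancestor:
            return True
        seen.add(pid)
        proc = processes.get(pid)
        pid = proc.ppid if proc else None
    return False


def attribute(hits: List[Tuple[str, int]], processes: Dict[int, Process],
              sample_pid: int) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """Split hits into (sample-attributed, background) by process lineage."""
    sample: List[Tuple[str, int]] = []
    background: List[Tuple[str, int]] = []
    for sig, pid in hits:
        (sample if descends_from(pid, sample_pid, processes) else background).append((sig, pid))
    return sample, background


def registry_path_to_hive(path: str) -> str:
    """Hypothetical helper: map the sandbox's native \\REGISTRY\\ prefixes to HKLM/HKU."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


if __name__ == "__main__":
    attributed, noise = attribute(SIGNATURE_HITS, PROCESSES, SAMPLE_HOST_PID)
    for sig, pid in attributed:
        print(f"SAMPLE      pid {pid:<5} {PROCESSES[pid].name:<13} {sig}")
    for sig, pid in noise:
        print(f"BACKGROUND  pid {pid:<5} {PROCESSES[pid].name:<13} {sig}")
    uac_key = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
    print("UAC check key as queried in EDR form:", registry_path_to_hive(uac_key))
```

Run as a script it prints the UAC check and process enumeration as SAMPLE and everything from explorer.exe and AUDIODG.EXE as BACKGROUND. On a real report, replace the constructed PROCESSES table with the tree the sandbox exports (parent pids included) and the attribution holds for any depth of child processes.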