Analysis
- max time kernel: 152s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-04-2022 04:20
Static task: static1
Behavioral task: behavioral1
- Sample: 370f1c893acaf12c7238a3977f0eda3cfaa660ccea43b1b61461d551501e371a.dll
- Resource: win7-20220414-en
- Platform: windows7_x64
- Signatures: 0 signatures
- Runtime: 0 seconds
General
- Target: 370f1c893acaf12c7238a3977f0eda3cfaa660ccea43b1b61461d551501e371a.dll
- Size: 1.2MB
- MD5: a4e06cc670b5bd72bacd34ba263e9819
- SHA1: b028d9787d1c0f6cd10afa64f491caed94e172c9
- SHA256: 370f1c893acaf12c7238a3977f0eda3cfaa660ccea43b1b61461d551501e371a
- SHA512: 6f8774b2969cc4b4b7a6288f300c88467c776eadf00ee1cb25ac5d47d7db9ae34439d701e4d2fb153aaf4162243cace9fa7ddb9da76231ba0122fa6695c71603
Malware Config
Signatures
- YARA match
  Processes:
  resource | yara_rule
  behavioral1/memory/1188-59-0x0000000002B30000-0x0000000002B31000-memory.dmp | dridex_stager_shellcode
- Modifies Installed Components in the registry (2 TTPs)
  Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Drops file in Windows directory (1 IoCs)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | explorer.exe
- Modifies registry class (5 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: rundll32.exe
  pid | process
  1944 | rundll32.exe (6 occurrences)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes: explorer.exe, AUDIODG.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 1360 | explorer.exe (10 occurrences)
  Token: 33 | 1856 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1856 | AUDIODG.EXE
  Token: 33 | 1856 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1856 | AUDIODG.EXE
  Token: SeShutdownPrivilege | 1360 | explorer.exe (2 occurrences)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: explorer.exe
  pid | process
  1360 | explorer.exe (25 occurrences)
- Suspicious use of SendNotifyMessage (17 IoCs)
  Processes: explorer.exe
  pid | process
  1360 | explorer.exe (17 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\370f1c893acaf12c7238a3977f0eda3cfaa660ccea43b1b61461d551501e371a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x554
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1188-59-0x0000000002B30000-0x0000000002B31000-memory.dmp (Filesize: 4KB)
- memory/1360-60-0x000007FEFB751000-0x000007FEFB753000-memory.dmp (Filesize: 8KB)
- memory/1944-54-0x0000000140000000-0x000000014012E000-memory.dmp (Filesize: 1.2MB)
- memory/1944-58-0x0000000000190000-0x0000000000197000-memory.dmp (Filesize: 28KB)