Analysis
- max time kernel: 169s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-04-2022 04:19
Static task: static1
Behavioral task: behavioral1
  Sample: 7b8b6a9ded1330e3ef0dd42e7edf2b167dec4063699ab5e78d95905c6ba6a816.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 7b8b6a9ded1330e3ef0dd42e7edf2b167dec4063699ab5e78d95905c6ba6a816.dll
  Resource: win10v2004-20220414-en
General
- Target: 7b8b6a9ded1330e3ef0dd42e7edf2b167dec4063699ab5e78d95905c6ba6a816.dll
- Size: 1.2MB
- MD5: a81d9ca2425c6431264471bf3dd5dc5e
- SHA1: 963dbf7119b0c55cf0713c3fd45da2e637f6f41d
- SHA256: 7b8b6a9ded1330e3ef0dd42e7edf2b167dec4063699ab5e78d95905c6ba6a816
- SHA512: a42921495ffb3ba00ef58cd6464143608b032ca2f7ed0f8c67fac6c656d2e321424caabaebcfa6fae2f48b9811c5bfcdc7ef7969382dc613d86bd7dc806e2b2d
Malware Config
Signatures
- Processes:
  resource | yara_rule
  behavioral1/memory/1396-59-0x00000000021C0000-0x00000000021C1000-memory.dmp | dridex_stager_shellcode
- Modifies Installed Components in the registry (2 TTPs)
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Drops file in Windows directory (1 IoC)
  Processes:
  description | ioc | process
  File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | explorer.exe
- Modifies registry class (5 IoCs)
  Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid | process
  1988 | rundll32.exe (6 occurrences)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1432 | explorer.exe (10 occurrences)
  Token: 33 | 1472 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1472 | AUDIODG.EXE
  Token: 33 | 1472 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1472 | AUDIODG.EXE
  Token: SeShutdownPrivilege | 1432 | explorer.exe (2 occurrences)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes:
  pid | process
  1432 | explorer.exe (25 occurrences)
- Suspicious use of SendNotifyMessage (17 IoCs)
  Processes:
  pid | process
  1432 | explorer.exe (17 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b8b6a9ded1330e3ef0dd42e7edf2b167dec4063699ab5e78d95905c6ba6a816.dll,#1  1⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\explorer.exe
  explorer.exe  1⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x594  1⤵
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1396-59-0x00000000021C0000-0x00000000021C1000-memory.dmp
  Filesize: 4KB
- memory/1432-60-0x000007FEFB651000-0x000007FEFB653000-memory.dmp
  Filesize: 8KB
- memory/1988-54-0x0000000140000000-0x000000014012E000-memory.dmp
  Filesize: 1.2MB
- memory/1988-58-0x0000000000110000-0x0000000000117000-memory.dmp
  Filesize: 28KB