Analysis

max time kernel: 154s
max time network: 135s
platform: windows7_x64
resource: win7-20220414-en
submitted: 19-04-2022 04:19

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: 79ce64fe463d8dc2c3687245f24393b3690e5279ca0510483ef154ac3c8b45cf.dll
    Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds
General

Target: 79ce64fe463d8dc2c3687245f24393b3690e5279ca0510483ef154ac3c8b45cf.dll
Size:   968KB
MD5:    c8073ff4fbafcf44911cbcebb3bc9c1d
SHA1:   f9d3c9b951b65a799cb4274c0caeed80d6ac522e
SHA256: 79ce64fe463d8dc2c3687245f24393b3690e5279ca0510483ef154ac3c8b45cf
SHA512: a8144a46b3fc3fba6f05ca8be4d1bf275d4dca8ee0a6d17a64300a8dc81ca016179b73ad80822530c84a2b513af244738f27ea8456881cd3e472148b1e25d74a
Malware Config
Signatures

YARA match: dridex_stager_shellcode
  resource:  behavioral1/memory/1212-59-0x0000000001E20000-0x0000000001E21000-memory.dmp
  yara_rule: dridex_stager_shellcode

The matching region is a 4KB dump taken from PID 1212. That PID does not appear in the process tree below (only rundll32.exe 2012, explorer.exe 840 and AUDIODG.EXE 1088 are recorded there), so this report does not show which process hosted the stager shellcode.
Modifies Installed Components in the registry (2 TTPs)

Checks whether UAC is enabled
  process:     rundll32.exe
  description: Key value queried
  ioc:         \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Reading EnableLUA under HKLM\...\Policies\System tells a payload whether UAC is enforced before it chooses an elevation path; the query is a read only and changes nothing on the host.
Drops file in Windows directory (1 IoC)
  process:     explorer.exe
  description: File opened for modification
  ioc:         \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe
Modifies registry class (5 IoCs)
  process: explorer.exe

  Set value (data)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
  Key created       \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings
  Key created       \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
  Key created       \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (data)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots

All five writes are to the ShellBag keys (BagMRU) under the user's Classes hive, which explorer.exe updates whenever a folder view is opened; they record shell window state, not persistence.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 2012  rundll32.exe  (6 events)
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeShutdownPrivilege                                   pid 840   explorer.exe  (12 events)
  Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege)          pid 1088  AUDIODG.EXE   (2 events)
  Token: SeIncBasePriorityPrivilege                             pid 1088  AUDIODG.EXE   (2 events)
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid 840  explorer.exe  (25 events)

Suspicious use of SendNotifyMessage (17 IoCs)
  pid 840  explorer.exe  (17 events)
Processes

Three processes were recorded, all at the root of the tree (none is a child of another). PIDs are taken from the signature tables above.

C:\Windows\system32\rundll32.exe (PID 2012)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\79ce64fe463d8dc2c3687245f24393b3690e5279ca0510483ef154ac3c8b45cf.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\explorer.exe (PID 840)
  explorer.exe
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\AUDIODG.EXE (PID 1088)
  C:\Windows\system32\AUDIODG.EXE 0x594
  - Suspicious use of AdjustPrivilegeToken

The sample itself runs only inside rundll32.exe, which loads the DLL from the user's Temp directory and calls its export by ordinal (#1) rather than by name; the behaviours recorded for it are the EnableLUA query and process enumeration. explorer.exe and AUDIODG.EXE are the desktop shell and the audio engine of the Windows 7 image. They are not children of rundll32.exe, the report records no injection into either of them, and the behaviours attributed to them (ShellBag registry writes, SeShutdownPrivilege, FindShellTrayWindow, SendNotifyMessage, AUDIODG privilege adjustments) are consistent with ordinary activity of those components.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

Memory dumps (the file name encodes PID, dump index, region start and region end):

memory/840-60-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp     8KB     (PID 840, explorer.exe)
memory/1212-59-0x0000000001E20000-0x0000000001E21000-memory.dmp    4KB     (PID 1212, not in the process tree; dridex_stager_shellcode match)
memory/2012-54-0x0000000140000000-0x00000001400FB000-memory.dmp    1004KB  (PID 2012, rundll32.exe)
memory/2012-58-0x0000000001AC0000-0x0000000001AC7000-memory.dmp    28KB    (PID 2012, rundll32.exe)

The 1004KB region at 0x140000000 in rundll32.exe has the size and placement one would expect for the mapped image of the 968KB sample DLL. The 4KB region in PID 1212 is the one that matched the dridex_stager_shellcode YARA rule; because PID 1212 is absent from the process tree, the process hosting that shellcode cannot be identified from this report alone.
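Two checks worth running over a dump listing like this, written here as an added example rather than anything taken from the report or its tooling: re-derive each dump's size from the address range encoded in its file name and compare it with the size the report lists, and flag any PID in the dump names that is missing from the process tree. The dump names and sizes below are copied from the listing above; the PID-to-process map is built from the report's signature tables. The file-name layout the regex assumes (PID-index-start-end) is inferred from those four names.

```python
import re
from typing import Dict, List, NamedTuple

# Dump file names and listed sizes, copied from the report's Downloads section.
DUMPS: Dict[str, str] = {
    "memory/840-60-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp": "8KB",
    "memory/1212-59-0x0000000001E20000-0x0000000001E21000-memory.dmp": "4KB",
    "memory/2012-54-0x0000000140000000-0x00000001400FB000-memory.dmp": "1004KB",
    "memory/2012-58-0x0000000001AC0000-0x0000000001AC7000-memory.dmp": "28KB",
}

# PIDs present in the report's process tree, taken from its signature tables.
TREE_PIDS: Dict[int, str] = {2012: "rundll32.exe", 840: "explorer.exe", 1088: "AUDIODG.EXE"}

# Assumed name layout: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
_DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

PAGE = 0x1000  # x64 Windows page size; dumped regions should be page-aligned


class Region(NamedTuple):
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def page_aligned(self) -> bool:
        return self.start % PAGE == 0 and self.end % PAGE == 0


def parse_dump_name(name: str) -> Region:
    """Decode PID and address range from a dump file name."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return Region(int(m["pid"]), int(m["idx"]), start, end)


def size_label(nbytes: int) -> str:
    """Render a byte count the way the report lists it (whole KB), else raw bytes."""
    return f"{nbytes // 1024}KB" if nbytes % 1024 == 0 else f"{nbytes}B"


def check_dumps(dumps: Dict[str, str], tree_pids: Dict[int, str]) -> dict:
    """Cross-check listed sizes against address ranges and PIDs against the tree."""
    regions: List[Region] = []
    size_mismatch, unaligned = [], []
    orphan_pids = set()
    for name, listed in dumps.items():
        r = parse_dump_name(name)
        regions.append(r)
        if size_label(r.size) != listed:
            size_mismatch.append((name, size_label(r.size), listed))
        if not r.page_aligned:
            unaligned.append(name)
        if r.pid not in tree_pids:
            orphan_pids.add(r.pid)
    return {
        "regions": regions,
        "size_mismatch": size_mismatch,
        "unaligned": unaligned,
        "orphan_pids": sorted(orphan_pids),
    }


if __name__ == "__main__":
    result = check_dumps(DUMPS, TREE_PIDS)
    for r in result["regions"]:
        owner = TREE_PIDS.get(r.pid, "<not in process tree>")
        print(f"pid {r.pid:<5} {owner:<24} 0x{r.start:X}-0x{r.end:X}  {size_label(r.size)}")
    print("size mismatches:", result["size_mismatch"])
    print("PIDs absent from tree:", result["orphan_pids"])
```

On this report every listed size matches its address range and every region is page-aligned, and the only PID absent from the tree is 1212, the process that produced the YARA hit; that is the dump to pull first when the tree gives no owner.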