Analysis
- max time kernel: 150s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-04-2022 04:19

Static task: static1
Behavioral task: behavioral1
Sample: 74246d765994955efe932397fc50c403a928955f3103342ee65424dcfa5b5edc.dll
Resource: win7-20220414-en
Platform: windows7_x64
0 signatures
0 seconds
General
- Target: 74246d765994955efe932397fc50c403a928955f3103342ee65424dcfa5b5edc.dll
- Size: 1.2MB
- MD5: 841c682fbe1ad1d044622d734f9726a4
- SHA1: 3483863245ec0f42c51d9e9d0b5ba4b398286163
- SHA256: 74246d765994955efe932397fc50c403a928955f3103342ee65424dcfa5b5edc
- SHA512: 1f14265cda5b01723000f1184173cfad8d9237af577a17d0cbdc29bb964a4091fb3bbf071eabf308f1391e7e79fad024f25a10f46ed9305f509321394fa67044
Malware Config
Signatures
-
Processes:
  resource | yara_rule
  behavioral1/memory/1256-59-0x0000000002A40000-0x0000000002A41000-memory.dmp | dridex_stager_shellcode
-
Modifies Installed Components in the registry (2 TTPs)
-
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
-
Drops file in Windows directory (1 IoCs)
Processes:
  description | ioc | process
  File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | explorer.exe
-
Modifies registry class (5 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid | process
  1840 | rundll32.exe (6 entries)
-
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1820 | explorer.exe (10 entries)
  Token: 33 | 384 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 384 | AUDIODG.EXE
  Token: 33 | 384 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 384 | AUDIODG.EXE
  Token: SeShutdownPrivilege | 1820 | explorer.exe (2 entries)
-
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
  pid | process
  1820 | explorer.exe (25 entries)
-
Suspicious use of SendNotifyMessage (21 IoCs)
Processes:
  pid | process
  1820 | explorer.exe (21 entries)
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74246d765994955efe932397fc50c403a928955f3103342ee65424dcfa5b5edc.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\explorer.exe
  command line: explorer.exe
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x594
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1256-59-0x0000000002A40000-0x0000000002A41000-memory.dmp (Filesize: 4KB)
- memory/1820-60-0x000007FEFB841000-0x000007FEFB843000-memory.dmp (Filesize: 8KB)
- memory/1840-54-0x0000000140000000-0x000000014012E000-memory.dmp (Filesize: 1.2MB)
- memory/1840-58-0x0000000000110000-0x0000000000117000-memory.dmp (Filesize: 28KB)