Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-04-2022 04:19
Static task
static1
Behavioral task
behavioral1
Sample
68ef0bd9ea3010ec7948345cc9338dbb8ea093e24284b41ff9fc46aad317abb2.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
68ef0bd9ea3010ec7948345cc9338dbb8ea093e24284b41ff9fc46aad317abb2.dll
-
Size
976KB
-
MD5
28545297f8559419c9554247053d4f87
-
SHA1
19e30fbaee5c3032a1b3866f2880ee29a62588dd
-
SHA256
68ef0bd9ea3010ec7948345cc9338dbb8ea093e24284b41ff9fc46aad317abb2
-
SHA512
01c2e35bd16792e622949131728e9c7210e671ceddd0add4514bc7a952e34f18e6b4b4387bb1162ef5b6c69bc6bb2967288abb5eae131819e07b0247ca96c1f4
Malware Config
Signatures
-
Processes:
- resource: behavioral1/memory/1212-59-0x0000000002210000-0x0000000002211000-memory.dmp
  yara_rule: dridex_stager_shellcode
Modifies Installed Components in the registry 2 TTPs
-
Processes: rundll32.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
Modifies registry class 5 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: rundll32.exe
- pid 1824 rundll32.exe (6 occurrences)
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes: explorer.exe, AUDIODG.EXE
- Token: SeShutdownPrivilege, pid 2024 explorer.exe (10 occurrences)
- Token: 33, pid 1600 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, pid 1600 AUDIODG.EXE
- Token: 33, pid 1600 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, pid 1600 AUDIODG.EXE
- Token: SeShutdownPrivilege, pid 2024 explorer.exe (2 occurrences)
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: explorer.exe
- pid 2024 explorer.exe (25 occurrences)
Suspicious use of SendNotifyMessage 17 IoCs
Processes: explorer.exe
- pid 2024 explorer.exe (17 occurrences)
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\68ef0bd9ea3010ec7948345cc9338dbb8ea093e24284b41ff9fc46aad317abb2.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\explorer.exe
  command line: explorer.exe
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x590
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1212-59-0x0000000002210000-0x0000000002211000-memory.dmp (filesize: 4KB)
- memory/1824-54-0x0000000140000000-0x00000001400FB000-memory.dmp (filesize: 1004KB)
- memory/1824-58-0x0000000000110000-0x0000000000117000-memory.dmp (filesize: 28KB)
- memory/2024-60-0x000007FEFC041000-0x000007FEFC043000-memory.dmp (filesize: 8KB)