Analysis

Max time kernel: 150s
Max time network: 116s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 19-04-2022 04:19

Tasks:
- Static task: static1
- Behavioral task: behavioral1

Sample: 5f784ed9f418f7a98229b971bc9457de485210db974cd14daf21434d282d7b92.dll
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
General

Target: 5f784ed9f418f7a98229b971bc9457de485210db974cd14daf21434d282d7b92.dll
Size: 1.4MB
MD5: c735763b0646ba739a001a3dea51881d
SHA1: 42fc1ad0a8a26f4948ad54294fbef505a7652ef1
SHA256: 5f784ed9f418f7a98229b971bc9457de485210db974cd14daf21434d282d7b92
SHA512: 5b719ae4445301ec3a33b4d70181f758ac966e5f543241566d417ead1eea0454ff8db6ec47931b254b0ec987c7fba00e32c363e7ba07cb620a621b8e25d174d0
Score: 8/10
Malware Config
Signatures

- Modifies Installed Components in the registry (2 TTPs)
  Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Modifies registry class (5 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: rundll32.exe
  pid | process
  2028 | rundll32.exe (6 occurrences)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes: explorer.exe, AUDIODG.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 1260 | explorer.exe (10 occurrences)
  Token: 33 | 1532 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1532 | AUDIODG.EXE
  Token: 33 | 1532 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1532 | AUDIODG.EXE
  Token: SeShutdownPrivilege | 1260 | explorer.exe (2 occurrences)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: explorer.exe
  pid | process
  1260 | explorer.exe (25 occurrences)
- Suspicious use of SendNotifyMessage (17 IoCs)
  Processes: explorer.exe
  pid | process
  1260 | explorer.exe (17 occurrences)
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f784ed9f418f7a98229b971bc9457de485210db974cd14daf21434d282d7b92.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x588
  - Suspicious use of AdjustPrivilegeToken