Analysis
- max time kernel: 150s
- max time network: 115s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-04-2022 04:19

Static task: static1
Behavioral task: behavioral1
Sample: 545ad887af8d8588ce8b919f320a8b9ae0acfc926a3a9385df2751ab3cdec949.dll
Resource: win7-20220414-en
Platform: windows7_x64
0 signatures
0 seconds
General
- Target: 545ad887af8d8588ce8b919f320a8b9ae0acfc926a3a9385df2751ab3cdec949.dll
- Size: 1.2MB
- MD5: 9695e76c854bada80b3d1b54d7ff492c
- SHA1: 9001b73c1570ec65cc1bc89216adc846bb06e083
- SHA256: 545ad887af8d8588ce8b919f320a8b9ae0acfc926a3a9385df2751ab3cdec949
- SHA512: 0874b871365cd2d74b92cb71d0d57799c04e76d5ccbea57d48de8fc7c550ae087b34848e21253bc9295c0c78d26db81c42bdb71af7ffdfeabf7e72a81268a2d1

Score: 8/10
Malware Config

Signatures

- Modifies Installed Components in the registry (2 TTPs)
  Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

- Modifies registry class (5 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: rundll32.exe
  pid | process
  2044 | rundll32.exe (6 occurrences)

- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes: explorer.exe, AUDIODG.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 1620 | explorer.exe (10 occurrences)
  Token: 33 | 1680 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1680 | AUDIODG.EXE
  Token: 33 | 1680 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1680 | AUDIODG.EXE
  Token: SeShutdownPrivilege | 1620 | explorer.exe (2 occurrences)

- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: explorer.exe
  pid | process
  1620 | explorer.exe (25 occurrences)

- Suspicious use of SendNotifyMessage (21 IoCs)
  Processes: explorer.exe
  pid | process
  1620 | explorer.exe (21 occurrences)
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\545ad887af8d8588ce8b919f320a8b9ae0acfc926a3a9385df2751ab3cdec949.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x580
  - Suspicious use of AdjustPrivilegeToken