Analysis

max time kernel: 151s
max time network: 154s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20-01-2024 20:26
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 6b64203a5d0b4968785bb42b23396818.dll
  Resource: win7-20231215-en
  11 signatures, 150 seconds
General

Target: 6b64203a5d0b4968785bb42b23396818.dll
Size: 1000KB
MD5: 6b64203a5d0b4968785bb42b23396818
SHA1: fd6d2a08195cfb8423b80901b97f949b566b5240
SHA256: 53c3c9f049896f4cd87cdf67f1cef8a68f76d5b47bb7e20b6b6ffb09e4746a9e
SHA512: ddc86408f244d17fe749bfb0d09e5b524e9d33b9df77b5ce287527de919bb555d7c9ab4d0732da1f30434b687606f98d70c00b166271b8b8095b2db65f815a8e
SSDEEP: 24576:cQcu8pzbIPLMzjw09TI/OrRd0E1ORe39JaCHSG9:cxuW0PL4wOxNP2TG
Malware Config
Signatures

Yara match (memory)
  resource: behavioral1/memory/1240-5-0x0000000002A10000-0x0000000002A11000-memory.dmp
  yara_rule: dridex_stager_shellcode
-
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: explorer.exe (x8)
  Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe  (x8, identical entries)
-
Checks whether UAC is enabled
Processes: rundll32.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
-
Modifies registry class (40 IoCs)
Processes: explorer.exe (x8)
  Five distinct operations, each recorded 8 times (8 x 5 = 40):
  Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_Classes\Local Settings  explorer.exe  (x8)
  Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe  (x8)
  Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe  (x8)
  Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe  (x8)
  Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe  (x8)
-
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes: rundll32.exe
  pid 2872 rundll32.exe  (x27)
-
Suspicious behavior: GetForegroundWindowSpam (7 IoCs)
Processes: explorer.exe (x7)
  pid 2836 explorer.exe
  pid 2964 explorer.exe
  pid 1372 explorer.exe
  pid 396 explorer.exe
  pid 2228 explorer.exe
  pid 2512 explorer.exe
  pid 2616 explorer.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: explorer.exe (x6)
  Token: SeShutdownPrivilege  2836 explorer.exe  (x12)
  Token: SeShutdownPrivilege  2964 explorer.exe  (x12)
  Token: SeShutdownPrivilege  1372 explorer.exe  (x12)
  Token: SeShutdownPrivilege  396 explorer.exe  (x12)
  Token: SeShutdownPrivilege  2228 explorer.exe  (x12)
  Token: SeShutdownPrivilege  2512 explorer.exe  (x4)
-
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: explorer.exe (x3)
  pid 2836 explorer.exe  (x28)
  pid 2964 explorer.exe  (x28)
  pid 1372 explorer.exe  (x8)
-
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: explorer.exe (x4)
  pid 2836 explorer.exe  (x18)
  pid 2964 explorer.exe  (x18)
  pid 1372 explorer.exe  (x18)
  pid 396 explorer.exe  (x10)
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
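The registry, process and memory IoC records above only become useful once they are deduplicated and ranked. The script below is an added example written for this page; it is not sandbox code and not part of the report. It parses constructed copies of the three record shapes seen above (registry "op path [= data] process" lines, flattened "pid process" runs, and the memory-dump yara hit) and applies this example's own heuristics: a read of EnableLUA is flagged as a UAC check; a value written under Active Setup\Installed Components would be flagged as persistence, but the bare "Key created" entries here from explorer.exe are only marked for review, because explorer.exe creates that per-user key itself during its Active Setup processing at logon; the _Classes\Local Settings\...\BagMRU writes are ShellBag folder-view state and are treated as noise. The memory parser also shows that the matched region is a single 0x1000-byte page in PID 1240, a PID that does not appear in the process tree below, so the hit cannot be tied to a listed process from this page alone. Severity labels and rule logic are the example's assumptions.

```python
"""Parse and rank signature IoCs from a Triage-style sandbox report.

Added example, not part of the report. The sample records below are
constructed copies of lines from the report; the rules in classify() are
this example's own heuristics, not the sandbox's signature definitions.
"""
import re
from collections import Counter

# Constructed from the registry signature sections of the report.
# Shape: <op> <path>[ = <data>] <process>
REGISTRY_IOCS = [
    r"Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe",
    r"Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe",
    r"Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe",
]
# Constructed, shortened copy of a flattened "pid process pid process ..." run.
PROCESS_IOCS = "2872 rundll32.exe 2872 rundll32.exe 2836 explorer.exe 2964 explorer.exe"
# Constructed copy of the memory yara hit.
MEMORY_IOC = "behavioral1/memory/1240-5-0x0000000002A10000-0x0000000002A11000-memory.dmp dridex_stager_shellcode"

REG_RE = re.compile(
    r"^(?P<op>Key created|Key deleted|Key value queried|Set value \([a-z]+\))\s+"
    r"(?P<path>\\REGISTRY\\.*?)(?: = (?P<data>\S+))?\s+(?P<proc>\S+)$"
)
PID_RE = re.compile(r"(\d+)\s+(\S+\.exe)")
MEM_RE = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_registry(line):
    """Split one registry IoC line into op, path, optional data and process."""
    m = REG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed registry IoC: {line!r}")
    return m.groupdict()


def classify(rec):
    """Return (severity, reason) for a parsed registry record.

    Heuristics chosen for this example; tune them for your own environment.
    """
    path, op = rec["path"].lower(), rec["op"]
    if path.endswith(r"\policies\system\enablelua"):
        return "notable", "reads EnableLUA: pre-flight check whether UAC is on"
    if r"\active setup\installed components" in path:
        if op.startswith("Set value"):
            return "high", "writes an Active Setup entry (runs at next logon)"
        # A bare "Key created" with no value is what explorer.exe does itself
        # at logon; only a subkey with a StubPath value is real persistence.
        return "review", "touches Active Setup but sets no value"
    if r"_classes\local settings" in path:
        return "noise", "ShellBag / folder-view state kept by explorer.exe"
    return "unknown", "no rule matched"


def pid_counts(flat):
    """Collapse a flattened 'pid process pid process ...' run into counts."""
    return Counter(f"{pid} {image}" for pid, image in PID_RE.findall(flat))


def parse_memory_hit(line):
    """Extract pid, region start, region size and rule name from a yara hit."""
    m = MEM_RE.match(line)
    if not m:
        raise ValueError(f"unparsed memory IoC: {line!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "size": end - start, "rule": m["rule"]}


def triage(registry_lines, process_run, memory_line):
    """Build the per-severity summary a responder reads first."""
    findings = {}
    for line in registry_lines:
        rec = parse_registry(line)
        sev, why = classify(rec)
        key = rec["path"].rsplit("\\", 1)[-1]
        findings.setdefault(sev, []).append((rec["proc"], key, why))
    return {
        "registry": findings,
        "pids": pid_counts(process_run),
        "memory": parse_memory_hit(memory_line),
    }


if __name__ == "__main__":
    result = triage(REGISTRY_IOCS, PROCESS_IOCS, MEMORY_IOC)
    for sev in ("high", "notable", "review", "noise", "unknown"):
        for proc, key, why in result["registry"].get(sev, []):
            print(f"[{sev:7}] {proc:13} {key:20} {why}")
    print("pids:", dict(result["pids"]))
    print("memory:", result["memory"])
```

Run it as-is to see the ranked summary for the constructed records; to use it on a full report, paste the raw lines from each signature section into the three inputs. The one "high" rule never fires on this report, which is the point: the sandbox's "Modifies Installed Components" signature triggers on key creation alone, and a responder should confirm a StubPath value was written before treating it as persistence.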
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b64203a5d0b4968785bb42b23396818.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2872
-
C:\Windows\explorer.exe
  command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2836
-
C:\Windows\explorer.exe
  command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2964
-
C:\Windows\explorer.exe
  command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1372
-
C:\Windows\explorer.exe
  command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:396
-
C:\Windows\explorer.exe
  command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
C:\Windows\explorer.exe
  command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
C:\Windows\explorer.exe
  command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2616
-
C:\Windows\explorer.exe
  command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:1932