Analysis
- max time kernel: 63s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-01-2021 19:04
Static task: static1
Behavioral task: behavioral1
- Sample: Notification_71823.xls
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Notification_71823.xls
- Resource: win10v20201028
General
- Target: Notification_71823.xls
- Size: 724KB
- MD5: d65ddb3ade34504d44e72ba9db953916
- SHA1: 8bcccc3bce9568919160024dbc3144de359f2d5f
- SHA256: 83386fb9fa084ea2de1f106d155a819b8090f95c28ed7a0f3c9756910bcedc5b
- SHA512: 60d7a503c24c3b324c185f7010642e874271d759ff58fd0dcc7184683d6c1d3a2e322f19d26f04174ac14fe6a96f97f13fcfde16bd74ab72ed29d30ecb0d198d
Malware Config
Extracted: dridex
- 111
- 52.73.70.149:443
- 8.4.9.152:3786
- 185.246.87.202:3098
- 50.116.111.64:5353
Signatures
- Process spawned unexpected child process 1 IoCs
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process):
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 4020 | WMic.exe
  Processes (resource | yara_rule):
    behavioral2/memory/3936-8-0x0000000074410000-0x000000007442F000-memory.dmp | dridex_ldr
- Blocklisted process makes network request 2 IoCs
  Processes (flow | pid | process):
    27 | 2732 | WMic.exe
    29 | 2732 | WMic.exe
- Loads dropped DLL 1 IoCs
  Processes (pid | process):
    3936 | rundll32.exe
- JavaScript code in executable 2 IoCs
  Processes (resource | yara_rule):
    C:\Windows\Temp\4j9ko.dll | js
    \Windows\Temp\4j9ko.dll | js
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 3 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry 2 TTPs 3 IoCs
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Modifies system certificate store
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | WMic.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob value not included in this report) | WMic.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes (pid | process):
    3812 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken 42 IoCs
  Processes (description | pid | process): every entry below was recorded twice for pid 2732 WMic.exe (21 tokens x 2 = 42 IoCs)
    Token: SeIncreaseQuotaPrivilege | 2732 | WMic.exe
    Token: SeSecurityPrivilege | 2732 | WMic.exe
    Token: SeTakeOwnershipPrivilege | 2732 | WMic.exe
    Token: SeLoadDriverPrivilege | 2732 | WMic.exe
    Token: SeSystemProfilePrivilege | 2732 | WMic.exe
    Token: SeSystemtimePrivilege | 2732 | WMic.exe
    Token: SeProfSingleProcessPrivilege | 2732 | WMic.exe
    Token: SeIncBasePriorityPrivilege | 2732 | WMic.exe
    Token: SeCreatePagefilePrivilege | 2732 | WMic.exe
    Token: SeBackupPrivilege | 2732 | WMic.exe
    Token: SeRestorePrivilege | 2732 | WMic.exe
    Token: SeShutdownPrivilege | 2732 | WMic.exe
    Token: SeDebugPrivilege | 2732 | WMic.exe
    Token: SeSystemEnvironmentPrivilege | 2732 | WMic.exe
    Token: SeRemoteShutdownPrivilege | 2732 | WMic.exe
    Token: SeUndockPrivilege | 2732 | WMic.exe
    Token: SeManageVolumePrivilege | 2732 | WMic.exe
    Token: 33 | 2732 | WMic.exe
    Token: 34 | 2732 | WMic.exe
    Token: 35 | 2732 | WMic.exe
    Token: 36 | 2732 | WMic.exe
- Suspicious use of SetWindowsHookEx 15 IoCs
  Processes (pid | process): the same entry recorded 15 times
    3812 | EXCEL.EXE
- Suspicious use of WriteProcessMemory 5 IoCs
  Processes (description | pid | process | target process):
    PID 2732 wrote to memory of 3924 | 2732 | WMic.exe | rundll32.exe (recorded 2 times)
    PID 3924 wrote to memory of 3936 | 3924 | rundll32.exe | rundll32.exe (recorded 3 times)
Processes
- [1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Notification_71823.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- [1] C:\Windows\system32\wbem\WMic.exe
  Command line: WMic
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//4j9ko.dll InitHelperDll
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//4j9ko.dll InitHelperDll
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\27AB3.XsL
  MD5: b8c3851e4878f935f84bc801ca898175
  SHA1: e365adfa7081bd212b0a8824157761b68246d34a
  SHA256: 8dff64e9c4529d7c566fa4a707a6789c4a751d32cbb84cd1aadf9a7be163c701
  SHA512: 3e9b5420a07811320e8bcff80b3782f300f563edba5984dc026557f3355299d1aa321f2d56885d70afab116d9531503019dc03b280cf09d34fe1382771223393
- C:\Windows\Temp\4j9ko.dll
  MD5: 84ff7ec307253e0994970afd2306c26b
  SHA1: f68edd99bffbab07a4e943c722f6afac275361ef
  SHA256: 8e7da51571c18c184194f237241c304b1614ab21ca9624000c53ebfea4af7cc0
  SHA512: e05571c396d1fcee575cdacbdc3451450da39f5ca78119c1a6bfaac0ca730de3fdd09663be55e735944dbfb3d02eeef3f57688194f12994e05d56d815c400be1
- \Windows\Temp\4j9ko.dll
  MD5: 84ff7ec307253e0994970afd2306c26b
  SHA1: f68edd99bffbab07a4e943c722f6afac275361ef
  SHA256: 8e7da51571c18c184194f237241c304b1614ab21ca9624000c53ebfea4af7cc0
  SHA512: e05571c396d1fcee575cdacbdc3451450da39f5ca78119c1a6bfaac0ca730de3fdd09663be55e735944dbfb3d02eeef3f57688194f12994e05d56d815c400be1
- memory/3812-2-0x00007FF98AD10000-0x00007FF98B347000-memory.dmp
  Filesize: 6.2MB
- memory/3812-9-0x00007FF61D860000-0x00007FF620E16000-memory.dmp
  Filesize: 53.7MB
- memory/3924-4-0x0000000000000000-mapping.dmp
- memory/3936-6-0x0000000000000000-mapping.dmp
- memory/3936-8-0x0000000074410000-0x000000007442F000-memory.dmp
  Filesize: 124KB