Analysis
max time kernel: 65s
max time network: 148s
platform: windows10_x64
resource: win10v20201028
submitted: 13-01-2021 19:12
Static task: static1
Behavioral task: behavioral1 (Sample: Notification_71823.xls, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: Notification_71823.xls, Resource: win10v20201028)
General
Target: Notification_71823.xls
Size: 724KB
MD5: d65ddb3ade34504d44e72ba9db953916
SHA1: 8bcccc3bce9568919160024dbc3144de359f2d5f
SHA256: 83386fb9fa084ea2de1f106d155a819b8090f95c28ed7a0f3c9756910bcedc5b
SHA512: 60d7a503c24c3b324c185f7010642e874271d759ff58fd0dcc7184683d6c1d3a2e322f19d26f04174ac14fe6a96f97f13fcfde16bd74ab72ed29d30ecb0d198d
Malware Config
Extracted
dridex
111
52.73.70.149:443
8.4.9.152:3786
185.246.87.202:3098
50.116.111.64:5353
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  WMic.exe (pid 3680, pid_target 3508): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Processes:
  resource behavioral2/memory/2164-8-0x0000000074340000-0x000000007435F000-memory.dmp matched yara_rule dridex_ldr
Blocklisted process makes network request (3 IoCs)
Processes:
  WMic.exe (pid 3680): flow 29
  WMic.exe (pid 3680): flow 31
  WMic.exe (pid 3680): flow 33
Loads dropped DLL (1 IoCs)
Processes:
  rundll32.exe (pid 2164)
JavaScript code in executable (2 IoCs)
Processes:
  resource C:\Windows\Temp\kequ8.dll matched yara_rule js
  resource \Windows\Temp\kequ8.dll matched yara_rule js
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies system certificate store
Processes:
  WMic.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  WMic.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  EXCEL.EXE (pid 732)
Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes:
  WMic.exe (pid 3680), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 tokens was recorded twice, giving the 42 IoCs)
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  EXCEL.EXE (pid 732), 12 occurrences
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 3680 wrote to memory of 2188: WMic.exe (pid 3680) -> rundll32.exe (recorded twice)
  PID 2188 wrote to memory of 2164: rundll32.exe (pid 2188) -> rundll32.exe (recorded three times)
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Notification_71823.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WMic.exe
  WMic
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//kequ8.dll InitHelperDll
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//kequ8.dll InitHelperDll
      - Loads dropped DLL
Downloads

C:\Users\Admin\AppData\Roaming\27AB3.XsL
  MD5: b8c3851e4878f935f84bc801ca898175
  SHA1: e365adfa7081bd212b0a8824157761b68246d34a
  SHA256: 8dff64e9c4529d7c566fa4a707a6789c4a751d32cbb84cd1aadf9a7be163c701
  SHA512: 3e9b5420a07811320e8bcff80b3782f300f563edba5984dc026557f3355299d1aa321f2d56885d70afab116d9531503019dc03b280cf09d34fe1382771223393

C:\Windows\Temp\kequ8.dll (also recorded as \Windows\Temp\kequ8.dll, identical hashes)
  MD5: 42ecacef4d8e4fe2c912f6231300c623
  SHA1: 07d4f1872171281c944680fb0d6c13336c59a232
  SHA256: e99c3bdb6e31650c736a0232098a85b7808b1c76e89f9faed2fb4572420c4c1a
  SHA512: 284710d44ff52c2a972ace6457c22ea6fe11f1b21ee9beb55b322374f6749bf9f823569d3f7c149c306dd5c464001dd6041685bbe0421644acb1b607a47bc7c2

memory/732-2-0x00007FFD712E0000-0x00007FFD71917000-memory.dmp
  Filesize: 6.2MB

memory/2164-6-0x0000000000000000-mapping.dmp

memory/2164-8-0x0000000074340000-0x000000007435F000-memory.dmp
  Filesize: 124KB

memory/2188-4-0x0000000000000000-mapping.dmp