dridex | 0b110be9ae7f5755dad4e964cd94566a0252586a000feb669c5dd75b2307b214

General

Target

Subconract_1541.xls
Size

805KB
MD5

90501b4eda1eaacd5773c77717050e51
SHA1

31a5e6dab54af69ff3991af5f3c2e8fc83daf975
SHA256

0b110be9ae7f5755dad4e964cd94566a0252586a000feb669c5dd75b2307b214
SHA512

dbc8a965d20aa95e9e3bfde5abcc274ef08b5210e5432f940ce2446a244b2eef19cb216bb4799537e39e6000b1083256cac7e64938a938fe09c6471fe557adf3

Score

10^/10

dridex 111 botnet loader ransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmiC.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1676 1380 wmiC.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1380	wmiC.exe

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/552-11-0x000000006BD50000-0x000000006BD6F000-memory.dmp	dridex_ldr

Blocklisted process makes network request 8 IoCs

Processes:

wmiC.exe

flow pid process

5 1676 wmiC.exe
7 1676 wmiC.exe
8 1676 wmiC.exe
9 1676 wmiC.exe
10 1676 wmiC.exe
12 1676 wmiC.exe
14 1676 wmiC.exe
16 1676 wmiC.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

552 rundll32.exe
552 rundll32.exe
552 rundll32.exe
552 rundll32.exe

flow	pid	process
5	1676	wmiC.exe
7	1676	wmiC.exe
8	1676	wmiC.exe
9	1676	wmiC.exe
10	1676	wmiC.exe
12	1676	wmiC.exe
14	1676	wmiC.exe
16	1676	wmiC.exe

pid	process
552	rundll32.exe
552	rundll32.exe
552	rundll32.exe
552	rundll32.exe

JavaScript code in executable 5 IoCs

Processes:

resource	yara_rule
C:\Windows\Temp\7fwdc.dll	js
\Windows\Temp\7fwdc.dll	js
\Windows\Temp\7fwdc.dll	js
\Windows\Temp\7fwdc.dll	js
\Windows\Temp\7fwdc.dll	js

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Modifies registry class 280 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303AF0C-F492-4315-99FE-F955B00FDBC3}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{5303AF0C-F492-4315-99FE-F955B00FDBC3}\2.0\HELPDIR	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303AF0C-F492-4315-99FE-F955B00FDBC3}\2.0\FLAGS	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{5303AF0C-F492-4315-99FE-F955B00FDBC3}\2.0\0\win32	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303AF0C-F492-4315-99FE-F955B00FDBC3}\2.0\0	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303AF0C-F492-4315-99FE-F955B00FDBC3}\2.0\ = "Microsoft Forms 2.0 Object Library"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303AF0C-F492-4315-99FE-F955B00FDBC3}\2.0\FLAGS\ = "6"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wmiC.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wmiC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wmiC.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE

pid	process
1096	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

wmiC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1676	wmiC.exe
Token: SeSecurityPrivilege	1676	wmiC.exe
Token: SeTakeOwnershipPrivilege	1676	wmiC.exe
Token: SeLoadDriverPrivilege	1676	wmiC.exe
Token: SeSystemProfilePrivilege	1676	wmiC.exe
Token: SeSystemtimePrivilege	1676	wmiC.exe
Token: SeProfSingleProcessPrivilege	1676	wmiC.exe
Token: SeIncBasePriorityPrivilege	1676	wmiC.exe
Token: SeCreatePagefilePrivilege	1676	wmiC.exe
Token: SeBackupPrivilege	1676	wmiC.exe
Token: SeRestorePrivilege	1676	wmiC.exe
Token: SeShutdownPrivilege	1676	wmiC.exe
Token: SeDebugPrivilege	1676	wmiC.exe
Token: SeSystemEnvironmentPrivilege	1676	wmiC.exe
Token: SeRemoteShutdownPrivilege	1676	wmiC.exe
Token: SeUndockPrivilege	1676	wmiC.exe
Token: SeManageVolumePrivilege	1676	wmiC.exe
Token: 33	1676	wmiC.exe
Token: 34	1676	wmiC.exe
Token: 35	1676	wmiC.exe
Token: SeIncreaseQuotaPrivilege	1676	wmiC.exe
Token: SeSecurityPrivilege	1676	wmiC.exe
Token: SeTakeOwnershipPrivilege	1676	wmiC.exe
Token: SeLoadDriverPrivilege	1676	wmiC.exe
Token: SeSystemProfilePrivilege	1676	wmiC.exe
Token: SeSystemtimePrivilege	1676	wmiC.exe
Token: SeProfSingleProcessPrivilege	1676	wmiC.exe
Token: SeIncBasePriorityPrivilege	1676	wmiC.exe
Token: SeCreatePagefilePrivilege	1676	wmiC.exe
Token: SeBackupPrivilege	1676	wmiC.exe
Token: SeRestorePrivilege	1676	wmiC.exe
Token: SeShutdownPrivilege	1676	wmiC.exe
Token: SeDebugPrivilege	1676	wmiC.exe
Token: SeSystemEnvironmentPrivilege	1676	wmiC.exe
Token: SeRemoteShutdownPrivilege	1676	wmiC.exe
Token: SeUndockPrivilege	1676	wmiC.exe
Token: SeManageVolumePrivilege	1676	wmiC.exe
Token: 33	1676	wmiC.exe
Token: 34	1676	wmiC.exe
Token: 35	1676	wmiC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE
1096 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE
1096 EXCEL.EXE
1096 EXCEL.EXE

pid	process
1096	EXCEL.EXE
1096	EXCEL.EXE

pid	process
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

wmiC.exerundll32.exe

description	pid	process	target process
PID 1676 wrote to memory of 1764	1676	wmiC.exe	rundll32.exe
PID 1676 wrote to memory of 1764	1676	wmiC.exe	rundll32.exe
PID 1676 wrote to memory of 1764	1676	wmiC.exe	rundll32.exe
PID 1764 wrote to memory of 552	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 552	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 552	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 552	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 552	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 552	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 552	1764	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Subconract_1541.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\system32\wbem\wmiC.exe
wmiC
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//7fwdc.dll InitHelperDll
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//7fwdc.dll InitHelperDll
3⤵
- Loads dropped DLL
PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4750A.xSl
MD5
c26c0ca270eb6012e3db0c14f7cb9565

SHA1
3e8aa4be680a352419d217da7fc125053edf8153

SHA256
507c250392848fbd9178ec54b3329f119e380bbc6581b1eef5a790cfe797af6e

SHA512
0788b8feb1fc2eee4a0af8e6d51724ab54bb99256f4aac46ca24711d82795ad3a60499619feb7ac40a91bc1e4e36374fefe7baa1d35f24f1d66a146db524c910

Download Submit
C:\Windows\Temp\7fwdc.dll
MD5
5b33d3f8ede9d513108ca5ca4238e6af

SHA1
5726eb20a352e352133ff953e5200c7711c431e8

SHA256
51d3fae271586d2cd52c3b58163f5582d86b19398bcb89a30bd41422123b69b0

SHA512
353b85bc46b61573119985660b585cc1cfe8ebd88d45fd8ee3cc1b1356c17c804227e10a2ed4cab017063921bd66c3195b3f37f1e7404fc14a784a43380ae1fe

Download Submit
\Windows\Temp\7fwdc.dll
MD5
5b33d3f8ede9d513108ca5ca4238e6af

SHA1
5726eb20a352e352133ff953e5200c7711c431e8

SHA256
51d3fae271586d2cd52c3b58163f5582d86b19398bcb89a30bd41422123b69b0

SHA512
353b85bc46b61573119985660b585cc1cfe8ebd88d45fd8ee3cc1b1356c17c804227e10a2ed4cab017063921bd66c3195b3f37f1e7404fc14a784a43380ae1fe

Download Submit
\Windows\Temp\7fwdc.dll
MD5
5b33d3f8ede9d513108ca5ca4238e6af

SHA1
5726eb20a352e352133ff953e5200c7711c431e8

SHA256
51d3fae271586d2cd52c3b58163f5582d86b19398bcb89a30bd41422123b69b0

SHA512
353b85bc46b61573119985660b585cc1cfe8ebd88d45fd8ee3cc1b1356c17c804227e10a2ed4cab017063921bd66c3195b3f37f1e7404fc14a784a43380ae1fe

Download Submit
\Windows\Temp\7fwdc.dll
MD5
5b33d3f8ede9d513108ca5ca4238e6af

SHA1
5726eb20a352e352133ff953e5200c7711c431e8

SHA256
51d3fae271586d2cd52c3b58163f5582d86b19398bcb89a30bd41422123b69b0

SHA512
353b85bc46b61573119985660b585cc1cfe8ebd88d45fd8ee3cc1b1356c17c804227e10a2ed4cab017063921bd66c3195b3f37f1e7404fc14a784a43380ae1fe

Download Submit
\Windows\Temp\7fwdc.dll
MD5
5b33d3f8ede9d513108ca5ca4238e6af

SHA1
5726eb20a352e352133ff953e5200c7711c431e8

SHA256
51d3fae271586d2cd52c3b58163f5582d86b19398bcb89a30bd41422123b69b0

SHA512
353b85bc46b61573119985660b585cc1cfe8ebd88d45fd8ee3cc1b1356c17c804227e10a2ed4cab017063921bd66c3195b3f37f1e7404fc14a784a43380ae1fe

Download Submit
memory/552-6-0x0000000000000000-mapping.dmp

Download
memory/552-11-0x000000006BD50000-0x000000006BD6F000-memory.dmp

Filesize
124KB

Download
memory/744-3-0x000007FEF6500000-0x000007FEF677A000-memory.dmp

Filesize
2.5MB

Download
memory/1764-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads