Analysis
- max time kernel: 63s
- max time network: 137s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 07:07

Static task: static1
Behavioral task: behavioral1
  Sample: Contract_#_599848.xls
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Contract_#_599848.xls
  Resource: win10v20201028
General
- Target: Contract_#_599848.xls
- Size: 815KB
- MD5: 82ee594ab9d12d0a00bf399beb7f4e1f
- SHA1: 5b58a1fefd63ca221b0eeca61b9378db25ae0eb1
- SHA256: 05b9806f446c71ca46bbddc10176bf28838430bbecb9545cc730fdb93b205476
- SHA512: 78b80fc1780c51f827ee6f71111b3b037ef0605cbe364b039e7746f6704759f9b1f2c725e7e5869bedf0a11dc9d41d21a9d527f8b2cffcd222818f7ac8651cc5
Malware Config
Extracted
- Family: dridex
- Botnet: 111
- C2:
  52.73.70.149:443
  8.4.9.152:3786
  185.246.87.202:3098
  50.116.111.64:5353
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2388 | 3656 | WmIc.exe
- [signature heading missing in source]
  Processes (resource | yara_rule):
    behavioral2/memory/2340-8-0x0000000073830000-0x000000007384F000-memory.dmp | dridex_ldr
- Blocklisted process makes network request (2 IoCs)
  Processes (flow | pid | process):
    27 | 2388 | WmIc.exe
    28 | 2388 | WmIc.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
    2340 | rundll32.exe
- JavaScript code in executable (2 IoCs)
  Processes (resource | yara_rule):
    C:\Windows\Temp\vg74a.dll | js
    \Windows\Temp\vg74a.dll | js
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
    4056 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes (description | pid | process):
    The following sequence of 21 token adjustments by pid 2388 WmIc.exe occurs twice (42 rows in total):
    Token: SeIncreaseQuotaPrivilege | 2388 | WmIc.exe
    Token: SeSecurityPrivilege | 2388 | WmIc.exe
    Token: SeTakeOwnershipPrivilege | 2388 | WmIc.exe
    Token: SeLoadDriverPrivilege | 2388 | WmIc.exe
    Token: SeSystemProfilePrivilege | 2388 | WmIc.exe
    Token: SeSystemtimePrivilege | 2388 | WmIc.exe
    Token: SeProfSingleProcessPrivilege | 2388 | WmIc.exe
    Token: SeIncBasePriorityPrivilege | 2388 | WmIc.exe
    Token: SeCreatePagefilePrivilege | 2388 | WmIc.exe
    Token: SeBackupPrivilege | 2388 | WmIc.exe
    Token: SeRestorePrivilege | 2388 | WmIc.exe
    Token: SeShutdownPrivilege | 2388 | WmIc.exe
    Token: SeDebugPrivilege | 2388 | WmIc.exe
    Token: SeSystemEnvironmentPrivilege | 2388 | WmIc.exe
    Token: SeRemoteShutdownPrivilege | 2388 | WmIc.exe
    Token: SeUndockPrivilege | 2388 | WmIc.exe
    Token: SeManageVolumePrivilege | 2388 | WmIc.exe
    Token: 33 | 2388 | WmIc.exe
    Token: 34 | 2388 | WmIc.exe
    Token: 35 | 2388 | WmIc.exe
    Token: 36 | 2388 | WmIc.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes (pid | process):
    4056 | EXCEL.EXE (12 occurrences)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process):
    PID 2388 wrote to memory of 3360 | 2388 | WmIc.exe | rundll32.exe (2 occurrences)
    PID 3360 wrote to memory of 2340 | 3360 | rundll32.exe | rundll32.exe (3 occurrences)
Processes
Process (level 1): C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Contract_#_599848.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Process (level 1): C:\Windows\system32\wbem\WmIc.exe
  Command line: WmIc
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Process (level 2): C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//vg74a.dll InitHelperDll
    - Suspicious use of WriteProcessMemory
    Process (level 3): C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//vg74a.dll InitHelperDll
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\2AC17.xSl
  MD5: 6d75f5c52219c05eb60f8d4b0cacfd2f
  SHA1: 9b01f494a2f9b0f0e79a1441c3bc52273c900b9e
  SHA256: 0e5c4fe7cde7b846f72886bcc5551c642c098532d18d9d71e6f3913d2df22b14
  SHA512: 95c5bf80f348da62cbd1afc4afc3e3f90ce5c4b76026d47eaed2b90ffa095f149c18d806ab57ef626735bdc7805da91c03c5764579ea707a43b62d9035263636
- C:\Windows\Temp\vg74a.dll
  MD5: 286ba04c4298dfdf3f832e696d1e9f41
  SHA1: b9528980760dc556d6d805641419751f4d1504a0
  SHA256: f7a190e49808e6ac9d28822d948efa5fb8a51547c705dd1cee92ef5138a8af00
  SHA512: 58105cfdf4d9879a7ee0eee9db320f05b2984261b5995668cbeb4276b58bc0ae5aa9dbd2a68f4b017f75eacf2c3deefef98a9409f47c998aca6313b3ba09a78a
- \Windows\Temp\vg74a.dll
  MD5: 286ba04c4298dfdf3f832e696d1e9f41
  SHA1: b9528980760dc556d6d805641419751f4d1504a0
  SHA256: f7a190e49808e6ac9d28822d948efa5fb8a51547c705dd1cee92ef5138a8af00
  SHA512: 58105cfdf4d9879a7ee0eee9db320f05b2984261b5995668cbeb4276b58bc0ae5aa9dbd2a68f4b017f75eacf2c3deefef98a9409f47c998aca6313b3ba09a78a
- memory/2340-6-0x0000000000000000-mapping.dmp
- memory/2340-8-0x0000000073830000-0x000000007384F000-memory.dmp
  Filesize: 124KB
- memory/3360-4-0x0000000000000000-mapping.dmp
- memory/4056-2-0x00007FFFF3BC0000-0x00007FFFF41F7000-memory.dmp
  Filesize: 6.2MB