Analysis
- max time kernel: 59s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 07:07
Static task: static1
Behavioral task: behavioral1
- Sample: Contract 30964.xls
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Contract 30964.xls
- Resource: win10v20201028
General
- Target: Contract 30964.xls
- Size: 727KB
- MD5: c84236e6997a25861e15d5d44a7d207e
- SHA1: f4b0cad4dfa47c8ce6feaaeea3ee3ef79708ffe5
- SHA256: 4b365dadb8a5d68b5ff999a1b5991aa0cad00852e0ed7517c4748ecc5f402558
- SHA512: ca35ae9393899391a9593d2f0c94d04314c267c4385fd96b06776c066cfa3bc42db6c348a622349cbc4315352fb63213c105c47a9c198f417b898bddf8105058
Malware Config
Extracted: dridex 111
- 52.73.70.149:443
- 8.4.9.152:3786
- 185.246.87.202:3098
- 50.116.111.64:5353
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process / target process):
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2912 | 4048 | wmiC.exe
- Processes (resource | yara_rule):
  behavioral2/memory/3704-8-0x0000000073EE0000-0x0000000073EFF000-memory.dmp | dridex_ldr
- Blocklisted process makes network request (1 IoCs)
  Processes (flow | pid | process):
  26 | 2912 | wmiC.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  3704 | rundll32.exe
- JavaScript code in executable (2 IoCs)
  Processes (resource | yara_rule):
  C:\Windows\Temp\elkde.dll | js
  \Windows\Temp\elkde.dll | js
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
  1160 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes (description | pid | process): all 42 entries belong to pid 2912, wmiC.exe; the following token sequence is recorded twice:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid | process):
  1160 | EXCEL.EXE (2 entries)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes (pid | process):
  1160 | EXCEL.EXE (12 entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process):
  PID 2912 wrote to memory of 2012 | 2912 | wmiC.exe | rundll32.exe (2 entries)
  PID 2012 wrote to memory of 3704 | 2012 | rundll32.exe | rundll32.exe (3 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Contract 30964.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 1160
- C:\Windows\system32\wbem\wmiC.exe
  Command line: wmiC
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2912
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//elkde.dll InitHelperDll
    - Suspicious use of WriteProcessMemory
    PID: 2012
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//elkde.dll InitHelperDll
      - Loads dropped DLL
      PID: 3704
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\22318.Xsl
  MD5: e3a79122a87bf19fdf4806107057fd76
  SHA1: bb37c6e0105f7cf0b1d493bdc70461cf9205adb3
  SHA256: 0b3882afb92516477f07439957421c7cc89eb4119d85a80a69047be15802f09f
  SHA512: 15860e164cbc1cca8d92acd509ed2dbc5c3c537d7ee422f9183ce635039a3ca41483ec5a8f5d28527490931f95870aeab44a804e5b7658ce377d0ee6c5f5850e
- C:\Windows\Temp\elkde.dll
  MD5: 1c918636e8b37ca62aa3adc4080bfc04
  SHA1: 5ca59c659c799016dac95f7156eb8f750bf367f0
  SHA256: aa011818f23997b6dd44e74fe4242aa8e50f10d7e26f1ba05134198cd04920e5
  SHA512: b8ac01256bdd943b675931c4d91f7770d81253a1fff84c48021377df1a4d5c3ecd98db977aeab9a1a2c26aaf6f477929077f4bd4d9458c19046a58fe727bbbd6
- \Windows\Temp\elkde.dll
  MD5: 1c918636e8b37ca62aa3adc4080bfc04
  SHA1: 5ca59c659c799016dac95f7156eb8f750bf367f0
  SHA256: aa011818f23997b6dd44e74fe4242aa8e50f10d7e26f1ba05134198cd04920e5
  SHA512: b8ac01256bdd943b675931c4d91f7770d81253a1fff84c48021377df1a4d5c3ecd98db977aeab9a1a2c26aaf6f477929077f4bd4d9458c19046a58fe727bbbd6
- memory/1160-2-0x00007FFE208A0000-0x00007FFE20ED7000-memory.dmp
  Filesize: 6.2MB
- memory/2012-4-0x0000000000000000-mapping.dmp
- memory/3704-6-0x0000000000000000-mapping.dmp
- memory/3704-8-0x0000000073EE0000-0x0000000073EFF000-memory.dmp
  Filesize: 124KB