dridex | bd8b55be218cee85920be13f7e1fbc2b68ac4aa473f8ccc75a2dc815dbfec0b1

General

Target

Notification_836524.xls
Size

786KB
MD5

47bd6588a26043dcb77e978040e59f9a
SHA1

6d59c226abfdb88e1f4fb28dc0f1bc4ff27bb836
SHA256

bd8b55be218cee85920be13f7e1fbc2b68ac4aa473f8ccc75a2dc815dbfec0b1
SHA512

f5815fea3eea049f3896b19af7d207dd5b030b5c34b025cf0a86108bc8d8d982e5d79be3ba564ed3965110024fc4aca60d3c5a0fa332095e1a701f70f47ae985

Score

10^/10

dridex 111 botnet loader ransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

Wmic.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 852 1788 Wmic.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1788	Wmic.exe

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/968-11-0x000000006BFA0000-0x000000006BFBF000-memory.dmp	dridex_ldr

Blocklisted process makes network request 1 IoCs

Processes:

Wmic.exe

flow pid process

6 852 Wmic.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

968 rundll32.exe
968 rundll32.exe
968 rundll32.exe
968 rundll32.exe

flow	pid	process
6	852	Wmic.exe

pid	process
968	rundll32.exe
968	rundll32.exe
968	rundll32.exe
968	rundll32.exe

JavaScript code in executable 5 IoCs

Processes:

resource	yara_rule
C:\Windows\Temp\xcynv.dll	js
\Windows\Temp\xcynv.dll	js
\Windows\Temp\xcynv.dll	js
\Windows\Temp\xcynv.dll	js
\Windows\Temp\xcynv.dll	js

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Modifies registry class 280 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4288B26-FF3A-4C6C-A1FE-98B0275C012F}\2.0\FLAGS	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4288B26-FF3A-4C6C-A1FE-98B0275C012F}\2.0\0	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\TypeLib\{D4288B26-FF3A-4C6C-A1FE-98B0275C012F}\2.0\FLAGS	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1472 EXCEL.EXE

pid	process
1472	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

Wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	852	Wmic.exe
Token: SeSecurityPrivilege	852	Wmic.exe
Token: SeTakeOwnershipPrivilege	852	Wmic.exe
Token: SeLoadDriverPrivilege	852	Wmic.exe
Token: SeSystemProfilePrivilege	852	Wmic.exe
Token: SeSystemtimePrivilege	852	Wmic.exe
Token: SeProfSingleProcessPrivilege	852	Wmic.exe
Token: SeIncBasePriorityPrivilege	852	Wmic.exe
Token: SeCreatePagefilePrivilege	852	Wmic.exe
Token: SeBackupPrivilege	852	Wmic.exe
Token: SeRestorePrivilege	852	Wmic.exe
Token: SeShutdownPrivilege	852	Wmic.exe
Token: SeDebugPrivilege	852	Wmic.exe
Token: SeSystemEnvironmentPrivilege	852	Wmic.exe
Token: SeRemoteShutdownPrivilege	852	Wmic.exe
Token: SeUndockPrivilege	852	Wmic.exe
Token: SeManageVolumePrivilege	852	Wmic.exe
Token: 33	852	Wmic.exe
Token: 34	852	Wmic.exe
Token: 35	852	Wmic.exe
Token: SeIncreaseQuotaPrivilege	852	Wmic.exe
Token: SeSecurityPrivilege	852	Wmic.exe
Token: SeTakeOwnershipPrivilege	852	Wmic.exe
Token: SeLoadDriverPrivilege	852	Wmic.exe
Token: SeSystemProfilePrivilege	852	Wmic.exe
Token: SeSystemtimePrivilege	852	Wmic.exe
Token: SeProfSingleProcessPrivilege	852	Wmic.exe
Token: SeIncBasePriorityPrivilege	852	Wmic.exe
Token: SeCreatePagefilePrivilege	852	Wmic.exe
Token: SeBackupPrivilege	852	Wmic.exe
Token: SeRestorePrivilege	852	Wmic.exe
Token: SeShutdownPrivilege	852	Wmic.exe
Token: SeDebugPrivilege	852	Wmic.exe
Token: SeSystemEnvironmentPrivilege	852	Wmic.exe
Token: SeRemoteShutdownPrivilege	852	Wmic.exe
Token: SeUndockPrivilege	852	Wmic.exe
Token: SeManageVolumePrivilege	852	Wmic.exe
Token: 33	852	Wmic.exe
Token: 34	852	Wmic.exe
Token: 35	852	Wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1472 EXCEL.EXE
1472 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1472 EXCEL.EXE
1472 EXCEL.EXE
1472 EXCEL.EXE

pid	process
1472	EXCEL.EXE
1472	EXCEL.EXE

pid	process
1472	EXCEL.EXE
1472	EXCEL.EXE
1472	EXCEL.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Wmic.exerundll32.exe

description	pid	process	target process
PID 852 wrote to memory of 1192	852	Wmic.exe	rundll32.exe
PID 852 wrote to memory of 1192	852	Wmic.exe	rundll32.exe
PID 852 wrote to memory of 1192	852	Wmic.exe	rundll32.exe
PID 1192 wrote to memory of 968	1192	rundll32.exe	rundll32.exe
PID 1192 wrote to memory of 968	1192	rundll32.exe	rundll32.exe
PID 1192 wrote to memory of 968	1192	rundll32.exe	rundll32.exe
PID 1192 wrote to memory of 968	1192	rundll32.exe	rundll32.exe
PID 1192 wrote to memory of 968	1192	rundll32.exe	rundll32.exe
PID 1192 wrote to memory of 968	1192	rundll32.exe	rundll32.exe
PID 1192 wrote to memory of 968	1192	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Notification_836524.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Windows\system32\wbem\Wmic.exe
Wmic
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//xcynv.dll InitHelperDll
2⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//xcynv.dll InitHelperDll
3⤵
- Loads dropped DLL
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2196C.XSL
MD5
156482b2d07ffdb9cff8b67888dac5ef

SHA1
aadac6dc0190b6f5346b171afcdcb483a4071714

SHA256
09c4a32d7f8ba2df5b2440e890cc6f6e9ec053bf60f65116f08550fb4cc9ebe9

SHA512
912361a81d622dd9d474c4813482f914a93837a43ebbcdbd54cf5e9b6e81be73ead6594cc2ecbb76024a3d4c0f6de229b6254fdb7b3ebf79bbfa370fcb218ccc

Download Submit
C:\Windows\Temp\xcynv.dll
MD5
f71add843d968269481d6a694435454f

SHA1
45c1f84a64107a4eaf6fbde6c3fe66d24614ab2d

SHA256
0d78ae0e3c1c43c93c78a6a1ddeff2a5ca76e18e086cb1fcc50654481895138e

SHA512
43e3c2645e320215a05f4997d7ebd9002be56a882e85d7ea1e9eabe6227ccd7e77700bcc1ad1785fa1c76957bc5161025843e665b982c9976c288c18ecd5e79b

Download Submit
\Windows\Temp\xcynv.dll
MD5
f71add843d968269481d6a694435454f

SHA1
45c1f84a64107a4eaf6fbde6c3fe66d24614ab2d

SHA256
0d78ae0e3c1c43c93c78a6a1ddeff2a5ca76e18e086cb1fcc50654481895138e

SHA512
43e3c2645e320215a05f4997d7ebd9002be56a882e85d7ea1e9eabe6227ccd7e77700bcc1ad1785fa1c76957bc5161025843e665b982c9976c288c18ecd5e79b

Download Submit
\Windows\Temp\xcynv.dll
MD5
f71add843d968269481d6a694435454f

SHA1
45c1f84a64107a4eaf6fbde6c3fe66d24614ab2d

SHA256
0d78ae0e3c1c43c93c78a6a1ddeff2a5ca76e18e086cb1fcc50654481895138e

SHA512
43e3c2645e320215a05f4997d7ebd9002be56a882e85d7ea1e9eabe6227ccd7e77700bcc1ad1785fa1c76957bc5161025843e665b982c9976c288c18ecd5e79b

Download Submit
\Windows\Temp\xcynv.dll
MD5
f71add843d968269481d6a694435454f

SHA1
45c1f84a64107a4eaf6fbde6c3fe66d24614ab2d

SHA256
0d78ae0e3c1c43c93c78a6a1ddeff2a5ca76e18e086cb1fcc50654481895138e

SHA512
43e3c2645e320215a05f4997d7ebd9002be56a882e85d7ea1e9eabe6227ccd7e77700bcc1ad1785fa1c76957bc5161025843e665b982c9976c288c18ecd5e79b

Download Submit
\Windows\Temp\xcynv.dll
MD5
f71add843d968269481d6a694435454f

SHA1
45c1f84a64107a4eaf6fbde6c3fe66d24614ab2d

SHA256
0d78ae0e3c1c43c93c78a6a1ddeff2a5ca76e18e086cb1fcc50654481895138e

SHA512
43e3c2645e320215a05f4997d7ebd9002be56a882e85d7ea1e9eabe6227ccd7e77700bcc1ad1785fa1c76957bc5161025843e665b982c9976c288c18ecd5e79b

Download Submit
memory/964-3-0x000007FEF7D20000-0x000007FEF7F9A000-memory.dmp

Filesize
2.5MB

Download
memory/968-6-0x0000000000000000-mapping.dmp

Download
memory/968-11-0x000000006BFA0000-0x000000006BFBF000-memory.dmp

Filesize
124KB

Download
memory/1192-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads