Analysis

max time kernel: 62s
max time network: 130s
platform: windows10_x64
resource: win10v20201028
submitted: 14-01-2021 07:09

Static task: static1

Behavioral task: behavioral1
Sample: Notification_30123.xls
Resource: win7v20201028

Behavioral task: behavioral2
Sample: Notification_30123.xls
Resource: win10v20201028
General

Target: Notification_30123.xls
Size: 712KB
MD5: b85ecc80652b17815971cc13eb057e54
SHA1: dd8a1d3ecc7a27d39aaf60c438ef8374a3afe887
SHA256: f3c837323c135a7d7ed9d03f856c81463abb80174211117f4bda193a55f1b78e
SHA512: f87ccacc2f3792c33466ee49fc3a918f4589251abd5eb511778f0da8fc3bdfc373579c01d816cb19ff5b1aa0272d7291f2c1eb6498d065b2f8573231bf1c7003
Malware Config

Extracted
Family: dridex
Botnet: 111
C2:
  52.73.70.149:443
  8.4.9.152:3786
  185.246.87.202:3098
  50.116.111.64:5353
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 228 | 3488 | WMic.exe
Processes:
  resource | yara_rule
  behavioral2/memory/2388-8-0x0000000073C60000-0x0000000073C7F000-memory.dmp | dridex_ldr
Blocklisted process makes network request (3 IoCs)
Processes:
  flow | pid | process
  24 | 228 | WMic.exe
  26 | 228 | WMic.exe
  28 | 228 | WMic.exe
Loads dropped DLL (1 IoC)
Processes:
  pid | process
  2388 | rundll32.exe
JavaScript code in executable (2 IoCs)
Processes:
  resource | yara_rule
  C:\Windows\Temp\lxxmk.dll | js
  \Windows\Temp\lxxmk.dll | js
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  988 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 228 | WMic.exe
  Token: SeSecurityPrivilege | 228 | WMic.exe
  Token: SeTakeOwnershipPrivilege | 228 | WMic.exe
  Token: SeLoadDriverPrivilege | 228 | WMic.exe
  Token: SeSystemProfilePrivilege | 228 | WMic.exe
  Token: SeSystemtimePrivilege | 228 | WMic.exe
  Token: SeProfSingleProcessPrivilege | 228 | WMic.exe
  Token: SeIncBasePriorityPrivilege | 228 | WMic.exe
  Token: SeCreatePagefilePrivilege | 228 | WMic.exe
  Token: SeBackupPrivilege | 228 | WMic.exe
  Token: SeRestorePrivilege | 228 | WMic.exe
  Token: SeShutdownPrivilege | 228 | WMic.exe
  Token: SeDebugPrivilege | 228 | WMic.exe
  Token: SeSystemEnvironmentPrivilege | 228 | WMic.exe
  Token: SeRemoteShutdownPrivilege | 228 | WMic.exe
  Token: SeUndockPrivilege | 228 | WMic.exe
  Token: SeManageVolumePrivilege | 228 | WMic.exe
  Token: 33 | 228 | WMic.exe
  Token: 34 | 228 | WMic.exe
  Token: 35 | 228 | WMic.exe
  Token: 36 | 228 | WMic.exe
  Token: SeIncreaseQuotaPrivilege | 228 | WMic.exe
  Token: SeSecurityPrivilege | 228 | WMic.exe
  Token: SeTakeOwnershipPrivilege | 228 | WMic.exe
  Token: SeLoadDriverPrivilege | 228 | WMic.exe
  Token: SeSystemProfilePrivilege | 228 | WMic.exe
  Token: SeSystemtimePrivilege | 228 | WMic.exe
  Token: SeProfSingleProcessPrivilege | 228 | WMic.exe
  Token: SeIncBasePriorityPrivilege | 228 | WMic.exe
  Token: SeCreatePagefilePrivilege | 228 | WMic.exe
  Token: SeBackupPrivilege | 228 | WMic.exe
  Token: SeRestorePrivilege | 228 | WMic.exe
  Token: SeShutdownPrivilege | 228 | WMic.exe
  Token: SeDebugPrivilege | 228 | WMic.exe
  Token: SeSystemEnvironmentPrivilege | 228 | WMic.exe
  Token: SeRemoteShutdownPrivilege | 228 | WMic.exe
  Token: SeUndockPrivilege | 228 | WMic.exe
  Token: SeManageVolumePrivilege | 228 | WMic.exe
  Token: 33 | 228 | WMic.exe
  Token: 34 | 228 | WMic.exe
  Token: 35 | 228 | WMic.exe
  Token: 36 | 228 | WMic.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid | process
  988 | EXCEL.EXE
  988 | EXCEL.EXE
  988 | EXCEL.EXE
  988 | EXCEL.EXE
  988 | EXCEL.EXE
  988 | EXCEL.EXE
  988 | EXCEL.EXE
  988 | EXCEL.EXE
  988 | EXCEL.EXE
  988 | EXCEL.EXE
  988 | EXCEL.EXE
  988 | EXCEL.EXE
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description | pid | process | target process
  PID 228 wrote to memory of 828 | 228 | WMic.exe | rundll32.exe
  PID 228 wrote to memory of 828 | 228 | WMic.exe | rundll32.exe
  PID 828 wrote to memory of 2388 | 828 | rundll32.exe | rundll32.exe
  PID 828 wrote to memory of 2388 | 828 | rundll32.exe | rundll32.exe
  PID 828 wrote to memory of 2388 | 828 | rundll32.exe | rundll32.exe
Processes

[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Notification_30123.xls"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\wbem\WMic.exe
    Command line: WMic
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//lxxmk.dll InitHelperDll
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//lxxmk.dll InitHelperDll
        - Loads dropped DLL
Downloads

C:\Users\Admin\AppData\Roaming\17D50.xsl
  MD5: 261cd0ce8697f1ab1ada11ef0e8e9b3f
  SHA1: c8e73e5207dc3541ac323b7f10947aa03651042e
  SHA256: 35b909efd6d3a0bfeea22c25b878875ce7989d7ff2c38b88648d7106e0eff07a
  SHA512: 15366ac0cd13b699147dae6b6be420e75808ff76dbe8d4629b27bce85de92648b8d44936f131cbd501d1a5d64ae78f415a4c20085ebf11bbc0cb701b193b49ea

C:\Windows\Temp\lxxmk.dll
  MD5: 9556d8b6b9acd7515662d7cb6396b69b
  SHA1: 115eea5c6dbf36099902766f77300cf5c7c01dd9
  SHA256: 5edc51f427dc16341bfc325f74a0665e127b4f87b85ac896831cd9a86736bb14
  SHA512: c273225b6143cc5a380baeb6934d438716bcb7f79b199abff708bbb0fb36fcb1d51bdf7d8b34bc67e46f487e100c02748b120d0fe5cb8c80418540ca85458c96

\Windows\Temp\lxxmk.dll
  MD5: 9556d8b6b9acd7515662d7cb6396b69b
  SHA1: 115eea5c6dbf36099902766f77300cf5c7c01dd9
  SHA256: 5edc51f427dc16341bfc325f74a0665e127b4f87b85ac896831cd9a86736bb14
  SHA512: c273225b6143cc5a380baeb6934d438716bcb7f79b199abff708bbb0fb36fcb1d51bdf7d8b34bc67e46f487e100c02748b120d0fe5cb8c80418540ca85458c96

memory/828-4-0x0000000000000000-mapping.dmp

memory/988-2-0x00007FF900DC0000-0x00007FF9013F7000-memory.dmp
  Filesize: 6.2MB

memory/2388-6-0x0000000000000000-mapping.dmp

memory/2388-8-0x0000000073C60000-0x0000000073C7F000-memory.dmp
  Filesize: 124KB