Analysis
max time kernel: 71s
max time network: 145s
platform: windows10_x64
resource: win10v20201028
submitted: 14-01-2021 07:07
Static task: static1
Behavioral task: behavioral1
  Sample: Copy_#_824.xls
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Copy_#_824.xls
  Resource: win10v20201028
General
Target: Copy_#_824.xls
Size: 707KB
MD5: 36e8e3ce267eed9890d07b45b339a71b
SHA1: 47e662c6d5041836ba207ad2e6ed22a99ca1a4da
SHA256: 7bebb1f39af44412c5a7d8263d4fdae5ec1f234ad2f96e6f07add6daa3ce9b0a
SHA512: af22f3d08e86f3b97f0169f3ceeed46dd0cfb027d761c9b9b6589e2b8b2990a63d1ac3a40d1dcb0b0d4b2f7a2df16e898e66d158b00e567d37699f572fc6d9f3
Malware Config
Extracted
dridex
111
52.73.70.149:443
8.4.9.152:3786
185.246.87.202:3098
50.116.111.64:5353
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1592 | 3664 | WmIC.exe |
Processes:
  resource | yara_rule
  behavioral2/memory/2224-8-0x0000000073D80000-0x0000000073D9F000-memory.dmp | dridex_ldr
Blocklisted process makes network request (2 IoCs)
Processes:
  flow | pid | process
  30 | 1592 | WmIC.exe
  32 | 1592 | WmIC.exe
Loads dropped DLL (1 IoC)
Processes:
  pid | process
  2224 | rundll32.exe
JavaScript code in executable (2 IoCs)
Processes:
  resource | yara_rule
  C:\Windows\Temp\ph59q.dll | js
  \Windows\Temp\ph59q.dll | js
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  3992 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes (pid 1592, WmIC.exe; each of the following 21 token adjustments was recorded twice, 42 IoCs in total):
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid | process
  3992 | EXCEL.EXE (12 occurrences)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description | pid | process | target process
  PID 1592 wrote to memory of 388 | 1592 | WmIC.exe | rundll32.exe
  PID 1592 wrote to memory of 388 | 1592 | WmIC.exe | rundll32.exe
  PID 388 wrote to memory of 2224 | 388 | rundll32.exe | rundll32.exe
  PID 388 wrote to memory of 2224 | 388 | rundll32.exe | rundll32.exe
  PID 388 wrote to memory of 2224 | 388 | rundll32.exe | rundll32.exe
Processes (indentation shows parent/child depth in the process tree)

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Copy_#_824.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WmIC.exe
  Command line: WmIC
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//ph59q.dll InitHelperDll
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//ph59q.dll InitHelperDll
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\2D81.xSl
  MD5: f9de1a05ac94042f70aed27cfe853451
  SHA1: f0652c536c3276f2fb4ef7da59a1ec7f62e13bde
  SHA256: 749f74aa13cd0e285c6cb61c0ba2d8c42b320ece826beeb212560786e2e900cb
  SHA512: 09a6f7c418016c7753a0722808a15252b585c404a828046fdc126c631848127fec9ada5a8476052686756689b4f1697aeeca259e59a779646a9230aad942877f

C:\Windows\Temp\ph59q.dll
  MD5: 0cb706bfbca22c37c8eb80b0c7712b84
  SHA1: 3d8dd8d271096b9f198bf08188503de6ab6c9f36
  SHA256: dd23694567254ac813d4532e8614cd1492470f2cf3d2db0e0499c4b5d61e7251
  SHA512: c805072f25cda2da2d01c4c89271ac60dde1097131e8e9f7d5371b220a3b4ec47cbf8549192986aad4bbc7a6bc8d5940376738cadaff369168ebe07ca3f24d57

\Windows\Temp\ph59q.dll
  MD5: 0cb706bfbca22c37c8eb80b0c7712b84
  SHA1: 3d8dd8d271096b9f198bf08188503de6ab6c9f36
  SHA256: dd23694567254ac813d4532e8614cd1492470f2cf3d2db0e0499c4b5d61e7251
  SHA512: c805072f25cda2da2d01c4c89271ac60dde1097131e8e9f7d5371b220a3b4ec47cbf8549192986aad4bbc7a6bc8d5940376738cadaff369168ebe07ca3f24d57

memory/388-4-0x0000000000000000-mapping.dmp

memory/2224-6-0x0000000000000000-mapping.dmp

memory/2224-8-0x0000000073D80000-0x0000000073D9F000-memory.dmp
  Filesize: 124KB

memory/3992-2-0x00007FFC338E0000-0x00007FFC33F17000-memory.dmp
  Filesize: 6.2MB