Analysis
- max time kernel: 65s
- max time network: 137s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 07:11
Static task: static1
Behavioral task: behavioral1
  Sample: Scan 108.xls
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Scan 108.xls
  Resource: win10v20201028
General
- Target: Scan 108.xls
- Size: 792KB
- MD5: 1591b2551c119472366dbb437c9a12f2
- SHA1: 5e0e2ae88a7c7f70b288392583e0b955ebf0c715
- SHA256: 9e2e53a384fe464132f9a1c4918db48a933558c946fae7ef2aeed6b7ff59caae
- SHA512: eeab26390ec5bfb1873afc326dc123095a465957d03eb3831d1a7d1dfea08013883bcfc9c7202dc94a65a222ef19d228af21c3d42241eb622eaf7f68cb8acf2b
Malware Config
Extracted
- Family: dridex
- Botnet ID: 111
- C2:
  52.73.70.149:443
  8.4.9.152:3786
  185.246.87.202:3098
  50.116.111.64:5353
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    process: WmIC.exe
    description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
    pid: 2716
    pid_target: 68
- [signature name not captured in extraction]
  Processes:
    resource: behavioral2/memory/3824-8-0x00000000741B0000-0x00000000741CF000-memory.dmp
    yara_rule: dridex_ldr
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow: 28
    pid: 2716
    process: WmIC.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 3824
    process: rundll32.exe
- JavaScript code in executable (2 IoCs)
  Processes:
    resource: C:\Windows\Temp\ru7nq.dll, yara_rule: js
    resource: \Windows\Temp\ru7nq.dll, yara_rule: js
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid: 500
    process: EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes: every entry is pid 2716, WmIC.exe. The following token privileges were adjusted, each recorded twice (21 x 2 = 42):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid 500, EXCEL.EXE (12 entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    PID 2716 (WmIC.exe) wrote to memory of 720 (rundll32.exe), 2 entries
    PID 720 (rundll32.exe) wrote to memory of 3824 (rundll32.exe), 3 entries
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Scan 108.xls"
  Tree depth: 1
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wbem\WmIC.exe
  Command line: WmIC
  Tree depth: 1
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//ru7nq.dll InitHelperDll
    Tree depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//ru7nq.dll InitHelperDll
      Tree depth: 3
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\37947.xSL
  MD5: 93d089f0026002b821027454aa9152fc
  SHA1: 0419495132c4cf131745bced9cdfc04fbebecec2
  SHA256: 0160e206607a89e86a57fa2e7b90acceff8c64bfa8885d0aab336f06b8b9f85c
  SHA512: 2def4a38365e28ab3e301e79677ec656508d5d185d14558983b573184d491b4871e229523bdd9296769323db9676f2921212ecc9b28c22f0e8e1ed26441b0878
- C:\Windows\Temp\ru7nq.dll
  MD5: ee0ebd703ca02b7e85547378c8edfc2f
  SHA1: 7b41cd9934d20c83f041da509b119e32534b53a8
  SHA256: b9a0aa918013f096c5e5c330a4f2fbee2e7aa3b833cca15732bff85f46be3a34
  SHA512: 4190b36384596d04f7393d04e152b7620c3ce401716e941728c19f079553d1f8fa1df08a969eb9d1a98761a585bbd1e57e022f0b407170c668c0be5772ecc884
- \Windows\Temp\ru7nq.dll
  MD5: ee0ebd703ca02b7e85547378c8edfc2f
  SHA1: 7b41cd9934d20c83f041da509b119e32534b53a8
  SHA256: b9a0aa918013f096c5e5c330a4f2fbee2e7aa3b833cca15732bff85f46be3a34
  SHA512: 4190b36384596d04f7393d04e152b7620c3ce401716e941728c19f079553d1f8fa1df08a969eb9d1a98761a585bbd1e57e022f0b407170c668c0be5772ecc884
- memory/500-2-0x00007FFAB5B80000-0x00007FFAB61B7000-memory.dmp
  Filesize: 6.2MB
- memory/720-4-0x0000000000000000-mapping.dmp
- memory/3824-6-0x0000000000000000-mapping.dmp
- memory/3824-8-0x00000000741B0000-0x00000000741CF000-memory.dmp
  Filesize: 124KB