Analysis
- max time kernel: 66s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 07:08
- Static task: static1
- Behavioral task: behavioral1 (Sample: Fax 740.xls, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: Fax 740.xls, Resource: win10v20201028)
General
- Target: Fax 740.xls
- Size: 886KB
- MD5: d7213d92bb25a6163ab3b79ba75f95a0
- SHA1: 9e7d2f00b517a32d2f69ac0c41e48d09507abf5b
- SHA256: 2f34e34033c25325694ee6e100e8b2c0deff78d0527acd72ebc598048ba74fe5
- SHA512: c57e459822b1463ed646824f74371ec518d09a710f41bc1022657794ec65a1eea2d404267543c076cd5e740d1e79238ddf43a3ed63463d7f7bf22e76de34d0a5
Malware Config
Extracted
- Family: dridex
- Botnet: 111
- C2:
  - 52.73.70.149:443
  - 8.4.9.152:3786
  - 185.246.87.202:3098
  - 50.116.111.64:5353
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- wmic.exe: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 3752, pid_target 3540, process wmic.exe)
-
Processes:
- resource behavioral2/memory/1200-8-0x00000000739B0000-0x00000000739CF000-memory.dmp matches yara_rule dridex_ldr
-
Blocklisted process makes network request (3 IoCs)
Processes:
- wmic.exe (pid 3752): network flows 26, 28 and 30
-
Loads dropped DLL (1 IoC)
Processes:
- rundll32.exe (pid 1200)
-
JavaScript code in executable (2 IoCs)
Processes:
- resource C:\Windows\Temp\6vvvy.dll matches yara_rule js
- resource \Windows\Temp\6vvvy.dll matches yara_rule js
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
-
Modifies system certificate store
Processes:
- wmic.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
- wmic.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted]
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- EXCEL.EXE (pid 1400)
-
Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes:
- wmic.exe (pid 3752) adjusted the following token privileges, the whole sequence being recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
-
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
- EXCEL.EXE (pid 1400), 12 occurrences
-
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
- PID 3752 (wmic.exe) wrote to memory of PID 3384 (rundll32.exe), 2 occurrences
- PID 3384 (rundll32.exe) wrote to memory of PID 1200 (rundll32.exe), 3 occurrences
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Fax 740.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wbem\wmic.exe
  Command line: wmic
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\rundll32.exe (child of wmic.exe)
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//6vvvy.dll InitHelperDll
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\rundll32.exe (child of the rundll32.exe above)
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//6vvvy.dll InitHelperDll
      - Loads dropped DLL
Downloads
-
C:\Users\Admin\AppData\Roaming\40F27.Xsl
- MD5: 23b1812062536497ba39b4ad1619938f
- SHA1: 90a64893e96db8c1e52eaeadf255a7c3bb20b7c3
- SHA256: 2b6f7c8c785878922532dbfa3f23d9b1e195ff51057f56819f5ed6bd377e950d
- SHA512: b389ad3ad9c4ed2f9c6c3cb20f8cfd5c9c5c50b35402a21d2526517800658abf7bc81beef772338486b532812eeeafe0e99d97acb90a3593201ad625b9628139
-
C:\Windows\Temp\6vvvy.dll (also recorded as \Windows\Temp\6vvvy.dll with identical hashes)
- MD5: 8122ecf7dd724778ca2fb1f06920e031
- SHA1: a457b163f1cf408f382ba5da308ea81658b52564
- SHA256: 6a5d97efcba0d7346b54a7ca6a6e0276970a47462f1ae656b3439aa4216ce960
- SHA512: 6e7972b620c587367a6e705ab666ad91d433eb7fd4ffd061531fd70f321a82f6369e444927d0c0ce317e8f9d7998552cbe5f14db3cd32920cbb38037d25f177e
-
memory/1200-6-0x0000000000000000-mapping.dmp
-
memory/1200-8-0x00000000739B0000-0x00000000739CF000-memory.dmp
- Filesize: 124KB
-
memory/1400-2-0x00007FFB568F0000-0x00007FFB56F27000-memory.dmp
- Filesize: 6.2MB
-
memory/3384-4-0x0000000000000000-mapping.dmp