Analysis
  Max time kernel: 76s
  Max time network: 151s
  Platform: windows10_x64
  Resource: win10v20201028
  Submitted: 14-01-2021 07:11

  Static task: static1
  Behavioral task: behavioral1
    Sample: Reports 78497.xls
    Resource: win7v20201028
  Behavioral task: behavioral2
    Sample: Reports 78497.xls
    Resource: win10v20201028
General
  Target: Reports 78497.xls
  Size: 875KB
  MD5: e452debc1653b43f09dcd98d1f05ba14
  SHA1: d68fb05919682ac456701041a955a42d6198b3ef
  SHA256: 59d0ba2bce05366ad852a51dd0e9387ae38ea0493f9ad8368e47a55903117018
  SHA512: a89b049ce90147915cf09bdf36a506afa19f8c440f50a1db0cd1c7437bf522ca977559b4d9ab0a637534b5b5d0fb911e0e5d9104d5b46a91f5a502cfbf6d7413
Malware Config
Extracted
  Family: dridex
  Botnet: 111
  C2:
    52.73.70.149:443
    8.4.9.152:3786
    185.246.87.202:3098
    50.116.111.64:5353
Signatures

Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
    pid: 2192
    pid_target: 3328
    process: wmic.exe

YARA match: dridex_ldr
  Processes:
    resource: behavioral2/memory/3120-8-0x0000000073980000-0x000000007399F000-memory.dmp
    yara_rule: dridex_ldr

Blocklisted process makes network request (2 IoCs)
  Processes:
    flow 27: pid 2192 wmic.exe
    flow 29: pid 2192 wmic.exe

Loads dropped DLL (1 IoCs)
  Processes:
    pid 3120 rundll32.exe

JavaScript code in executable (2 IoCs)
  Processes:
    resource: C:\Windows\Temp\he09m.dll, yara_rule: js
    resource: \Windows\Temp\he09m.dll, yara_rule: js

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid 508 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes:
    pid 2192 wmic.exe; each of the following 21 token privileges is recorded twice (42 IoCs in total):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35, 36

Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid 508 EXCEL.EXE (12 occurrences)

Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    PID 2192 (wmic.exe) wrote to memory of 1560 (rundll32.exe): 2 occurrences
    PID 1560 (rundll32.exe) wrote to memory of 3120 (rundll32.exe): 3 occurrences
Processes
  1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
     Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reports 78497.xls"
       - Checks processor information in registry
       - Enumerates system info in registry
       - Suspicious behavior: AddClipboardFormatListener
       - Suspicious use of SetWindowsHookEx

  1. C:\Windows\system32\wbem\wmic.exe
     Command line: wmic
       - Process spawned unexpected child process
       - Blocklisted process makes network request
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory

     2. C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//he09m.dll InitHelperDll
          - Suspicious use of WriteProcessMemory

        3. C:\Windows\SysWOW64\rundll32.exe
           Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//he09m.dll InitHelperDll
             - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Roaming\B638.xs
    MD5: 700d9ef5283e8dca4a53b60e5674941e
    SHA1: e6bd6c2d88c640b8983a1cb2f4007c67d205801c
    SHA256: c893bb57aeb12a781bcb21a5c6c574e53786a0173f1bf45d7ef57860a8956a48
    SHA512: fe3496c0e5ce6bd84838a6a87ead6e9a8c331ea3bc39c3993a7e6e7c9ae6aabeec3ca1fd3bef87b0f1232658b367820f856593f901d52772dc6e16240a7a7754

  C:\Windows\Temp\he09m.dll
    MD5: dd7f7a7ce66d36bb2b214e51e7426b9e
    SHA1: a669b7ebe3bf03152fc4284e2b09acee0828051d
    SHA256: 342bae2521a4409d329f86be3d543f928db597b98b84010f2b0e32c23145d634
    SHA512: ca3cebba72f0ac7a99c8315e08c5cd7bbd441af71286eb2b40aedb32758981bd14381a3f647f064cbb154e3f1e5c6cf2e4d8b253a99b1eb13939cc435c19ee16

  \Windows\Temp\he09m.dll
    MD5: dd7f7a7ce66d36bb2b214e51e7426b9e
    SHA1: a669b7ebe3bf03152fc4284e2b09acee0828051d
    SHA256: 342bae2521a4409d329f86be3d543f928db597b98b84010f2b0e32c23145d634
    SHA512: ca3cebba72f0ac7a99c8315e08c5cd7bbd441af71286eb2b40aedb32758981bd14381a3f647f064cbb154e3f1e5c6cf2e4d8b253a99b1eb13939cc435c19ee16

  memory/508-2-0x00007FF9A7230000-0x00007FF9A7867000-memory.dmp
    Filesize: 6.2MB

  memory/1560-4-0x0000000000000000-mapping.dmp

  memory/3120-6-0x0000000000000000-mapping.dmp

  memory/3120-8-0x0000000073980000-0x000000007399F000-memory.dmp
    Filesize: 124KB