Analysis

- max time kernel: 79s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 07:08

Static task: static1

Behavioral task: behavioral1
- Sample: Information 714353.xls
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: Information 714353.xls
- Resource: win10v20201028
General

- Target: Information 714353.xls
- Size: 698KB
- MD5: cfb9c19b6be349c52e5d0d001f03ea85
- SHA1: ec9d80d0d794643988faa894e25f9aa3345f45f4
- SHA256: bae3d678224e6e93b486c9cc1c6918c7efd715b841f5cfa8e8c63cf520adbe9c
- SHA512: 2ca9676dca76918a0bf4f85607a27914a9405081c621ad03d483495c4653e8075c46fb48cd0b1b5c9b58247d0b8136e7e539cf6acca740d9c329f8f3e395303c
Malware Config

Extracted
- Family: dridex
- Botnet: 111
- C2:
  - 52.73.70.149:443
  - 8.4.9.152:3786
  - 185.246.87.202:3098
  - 50.116.111.64:5353
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 3216, pid_target: 3408, process: wMic.exe

Yara rule match
Processes:
- resource: behavioral2/memory/3712-8-0x0000000073D60000-0x0000000073D7F000-memory.dmp
  yara_rule: dridex_ldr

Blocklisted process makes network request (1 IoC)
Processes:
- flow: 27, pid: 3216, process: wMic.exe

Loads dropped DLL (1 IoC)
Processes:
- pid: 3712, process: rundll32.exe

JavaScript code in executable (2 IoCs)
Processes:
- resource: C:\Windows\Temp\vlgxc.dll, yara_rule: js
- resource: \Windows\Temp\vlgxc.dll, yara_rule: js

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- pid: 1924, process: EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes:
All 42 IoCs belong to pid 3216 (wMic.exe). The following 21 token privileges are each listed twice in the report:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- 33
- 34
- 35
- 36

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
- pid: 1924, process: EXCEL.EXE (12 occurrences)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
- PID 3216 wrote to memory of 2220: pid 3216, process wMic.exe, target process rundll32.exe (2 occurrences)
- PID 2220 wrote to memory of 3712: pid 2220, process rundll32.exe, target process rundll32.exe (3 occurrences)
Processes

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Information 714353.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\wbem\wMic.exe
  Command line: wMic
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\rundll32.exe (child of wMic.exe)
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//vlgxc.dll InitHelperDll
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\rundll32.exe (child of the rundll32.exe above)
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//vlgxc.dll InitHelperDll
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\D183.XsL
  MD5: 919f6f8ac99148a9a9e2a1062cc9daf5
  SHA1: b2090e719fd092b711470d5454f6a01ece50b981
  SHA256: 807f847bea2c8d005d0b285c20882a2332dfb2846f033883cb818f8219c07974
  SHA512: c092f56a3041607c6752c5f9e1036d7146ce7203777b11e2d7584fc3b9b636779faef0f35f82c9c5cd343a1579913ebaa584bfeafcdd36b5a4589b54297e624e

- C:\Windows\Temp\vlgxc.dll
  MD5: a338eb08cef5ac9d6eaab808fda95463
  SHA1: 879b098615a9cb585ec396a42b17381ce9e9c352
  SHA256: ef4eaf2bdc7ca32b9bc5c11c4855e07c4b35ba6f94d5307cfb61aa4ff3c63859
  SHA512: acdfe7594e69c712b454ead3f673fb7dfb6685552ae3f33d2d56192a9a7a47280cde2d5799fa183b33d25f25919902fa22a1b54656a5476a95087adca4340a4b

- \Windows\Temp\vlgxc.dll
  Same MD5, SHA1, SHA256 and SHA512 as C:\Windows\Temp\vlgxc.dll above.

- memory/1924-2-0x00007FFB89D80000-0x00007FFB8A3B7000-memory.dmp
  Filesize: 6.2MB

- memory/2220-4-0x0000000000000000-mapping.dmp

- memory/3712-6-0x0000000000000000-mapping.dmp

- memory/3712-8-0x0000000073D60000-0x0000000073D7F000-memory.dmp
  Filesize: 124KB