Analysis
- max time kernel: 53s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 07:07

Static task: static1

Behavioral task: behavioral1
- Sample: Confidential_123.xls
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: Confidential_123.xls
- Resource: win10v20201028
General
- Target: Confidential_123.xls
- Size: 718KB
- MD5: fcd41b38e1a97fa769c5a9383b3652da
- SHA1: bf5e3db26379cbc9dab2256d87a84c78f222e56e
- SHA256: b4fa49afb10b8ceb2cbf7c422be2c024be8f298988da16d436df0a136ece5bf3
- SHA512: dd2304b7c79dc2b6f631dd004c45cb19be66a51f5124b3a1441ff3fb173497421b52777bbeb7fa240edc722bece2a364252c0ca14e535ff4ce6ffc213442eb56
Malware Config
Extracted
- dridex
- 111
- 52.73.70.149:443
- 8.4.9.152:3786
- 185.246.87.202:3098
- 50.116.111.64:5353
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2600 | 3288 | wmIC.exe |
- Processes:
    resource | yara_rule
    behavioral2/memory/3756-8-0x0000000073E80000-0x0000000073E9F000-memory.dmp | dridex_ldr
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow | pid | process
    27 | 2600 | wmIC.exe
    29 | 2600 | wmIC.exe
    31 | 2600 | wmIC.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    3756 | rundll32.exe
- JavaScript code in executable (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Windows\Temp\gpzkm.dll | js
    \Windows\Temp\gpzkm.dll | js
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid | process
    3888 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes:
    description | pid | process
    Each of the following 21 tokens was recorded twice for pid 2600, process wmIC.exe (42 entries in total):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid | process
    3888 | EXCEL.EXE
    3888 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid | process
    3888 | EXCEL.EXE (12 identical entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description | pid | process | target process
    PID 2600 wrote to memory of 3056 | 2600 | wmIC.exe | rundll32.exe
    PID 2600 wrote to memory of 3056 | 2600 | wmIC.exe | rundll32.exe
    PID 3056 wrote to memory of 3756 | 3056 | rundll32.exe | rundll32.exe
    PID 3056 wrote to memory of 3756 | 3056 | rundll32.exe | rundll32.exe
    PID 3056 wrote to memory of 3756 | 3056 | rundll32.exe | rundll32.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Confidential_123.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wbem\wmIC.exe
  Command line: wmIC
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//gpzkm.dll InitHelperDll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//gpzkm.dll InitHelperDll
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\4E26.Xsl
    MD5: a0ddf92efc3149ec6be5ae0e1c7d4697
    SHA1: 7c0835df13babacba8a70289b2ae457cb6999745
    SHA256: 1f2166903f1fdaf7cc09ae166d956d4eaf09ec9e887ee6bfc629f9eaa629f9b7
    SHA512: c6f32e0d46891d559feac44b2a6d7d1689ca1be959c88aca457dceab79c3f435e28bebe32bfa26164bbb410ea184cd47122610ccb227b5e515bfb4c099f554e5
- C:\Windows\Temp\gpzkm.dll
    MD5: d423ad4a4df8daffa82552595924eb87
    SHA1: c45c0b9874cafe83e2c695d1c94dee75d51bf998
    SHA256: 6685975af81b4c3627a5eb7026e854ecc1710a8786490eae338833f6f2090fd7
    SHA512: d1a5d4cfd423dfedc38fe396b1f9a5de2ddba19cb3fec3318cc8281097aebcd5e1b53899c24cf19e1e573d7cd7794f0deebd934757f2a1f07cd3381f26b94ffe
- \Windows\Temp\gpzkm.dll
    MD5: d423ad4a4df8daffa82552595924eb87
    SHA1: c45c0b9874cafe83e2c695d1c94dee75d51bf998
    SHA256: 6685975af81b4c3627a5eb7026e854ecc1710a8786490eae338833f6f2090fd7
    SHA512: d1a5d4cfd423dfedc38fe396b1f9a5de2ddba19cb3fec3318cc8281097aebcd5e1b53899c24cf19e1e573d7cd7794f0deebd934757f2a1f07cd3381f26b94ffe
- memory/3056-4-0x0000000000000000-mapping.dmp
- memory/3756-6-0x0000000000000000-mapping.dmp
- memory/3756-8-0x0000000073E80000-0x0000000073E9F000-memory.dmp (Filesize: 124KB)
- memory/3888-2-0x00007FFF6D2A0000-0x00007FFF6D8D7000-memory.dmp (Filesize: 6.2MB)