Analysis
- max time kernel: 55s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 07:07

Static task: static1
Behavioral task: behavioral1
- Sample: Documentation 644.xls
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Documentation 644.xls
- Resource: win10v20201028
General
- Target: Documentation 644.xls
- Size: 778KB
- MD5: 955ddd57164c95530bbff3d5481c0cde
- SHA1: 38449ef5a84f657d39228df55586fa13cab8d9f1
- SHA256: e9e0a2d27876dc9e0fb5e4a9675a23be3f1a8651f72d5774db0e34c0418fcbf8
- SHA512: 3f502ef2bf16519e0992129a0070efcee4905d88f60b75f1389e39e9549192631ed796f27918b797b0de917e46f3d8c7690201ad0df049e24251844dd0007e38
Malware Config
Extracted
- Family: dridex
- 111
- 52.73.70.149:443
- 8.4.9.152:3786
- 185.246.87.202:3098
- 50.116.111.64:5353
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1940 | 3364 | wMIc.exe |
- Processes:
  resource | yara_rule
  behavioral2/memory/3104-8-0x0000000073E00000-0x0000000073E1F000-memory.dmp | dridex_ldr
- Blocklisted process makes network request (1 IoCs)
  Processes:
  flow | pid | process
  25 | 1940 | wMIc.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  3104 | rundll32.exe
- JavaScript code in executable (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Windows\Temp\4j22g.dll | js
  \Windows\Temp\4j22g.dll | js
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
  pid | process
  756 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes:
  description | pid | process
  The following 21 rows appear twice in the report (42 IoCs in total):
  Token: SeIncreaseQuotaPrivilege | 1940 | wMIc.exe
  Token: SeSecurityPrivilege | 1940 | wMIc.exe
  Token: SeTakeOwnershipPrivilege | 1940 | wMIc.exe
  Token: SeLoadDriverPrivilege | 1940 | wMIc.exe
  Token: SeSystemProfilePrivilege | 1940 | wMIc.exe
  Token: SeSystemtimePrivilege | 1940 | wMIc.exe
  Token: SeProfSingleProcessPrivilege | 1940 | wMIc.exe
  Token: SeIncBasePriorityPrivilege | 1940 | wMIc.exe
  Token: SeCreatePagefilePrivilege | 1940 | wMIc.exe
  Token: SeBackupPrivilege | 1940 | wMIc.exe
  Token: SeRestorePrivilege | 1940 | wMIc.exe
  Token: SeShutdownPrivilege | 1940 | wMIc.exe
  Token: SeDebugPrivilege | 1940 | wMIc.exe
  Token: SeSystemEnvironmentPrivilege | 1940 | wMIc.exe
  Token: SeRemoteShutdownPrivilege | 1940 | wMIc.exe
  Token: SeUndockPrivilege | 1940 | wMIc.exe
  Token: SeManageVolumePrivilege | 1940 | wMIc.exe
  Token: 33 | 1940 | wMIc.exe
  Token: 34 | 1940 | wMIc.exe
  Token: 35 | 1940 | wMIc.exe
  Token: 36 | 1940 | wMIc.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid | process
  756 | EXCEL.EXE
  756 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
  pid | process
  756 | EXCEL.EXE (12 identical entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | process | target process
  PID 1940 wrote to memory of 2576 | 1940 | wMIc.exe | rundll32.exe
  PID 1940 wrote to memory of 2576 | 1940 | wMIc.exe | rundll32.exe
  PID 2576 wrote to memory of 3104 | 2576 | rundll32.exe | rundll32.exe
  PID 2576 wrote to memory of 3104 | 2576 | rundll32.exe | rundll32.exe
  PID 2576 wrote to memory of 3104 | 2576 | rundll32.exe | rundll32.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documentation 644.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wbem\wMIc.exe (depth 1)
  Command line: wMIc
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (depth 2)
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//4j22g.dll InitHelperDll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//4j22g.dll InitHelperDll
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\2E7EF.xsl
  MD5: bf8eb8c05f7fef58d868e7b066936a12
  SHA1: ed97a033371ea71e271506ea015316efa652c6d9
  SHA256: 2219065f014fa13dfc5681b5f675ccd3abef2f515a5abb2d0217d2e8c766270a
  SHA512: b76d583cfe8718f8933b845fe44521a06e36d63a26094b0f6dc3b42221505f21411682360ce20113bf0904f463eef82424e0913e5930c703069c45a62dd02fb3
- C:\Windows\Temp\4j22g.dll
  MD5: d47ab880746796f31f9130b551ba5f63
  SHA1: 7b792f55a895ebe6c67917780f2a50df55ba1e82
  SHA256: dd8dbc7a333d89c7c6e24affa9c1d356a47d57f3711a43cc2d87fd6a728f429f
  SHA512: 581cf0b80de0ac276821540b2126d33ee871946f9057ee3bd1b9172e97227b090b2f01ffd4551407d388225712fd63526df5af5d290bf71213963c15804191f7
- \Windows\Temp\4j22g.dll
  MD5: d47ab880746796f31f9130b551ba5f63
  SHA1: 7b792f55a895ebe6c67917780f2a50df55ba1e82
  SHA256: dd8dbc7a333d89c7c6e24affa9c1d356a47d57f3711a43cc2d87fd6a728f429f
  SHA512: 581cf0b80de0ac276821540b2126d33ee871946f9057ee3bd1b9172e97227b090b2f01ffd4551407d388225712fd63526df5af5d290bf71213963c15804191f7
- memory/756-2-0x00007FFFCF370000-0x00007FFFCF9A7000-memory.dmp
  Filesize: 6.2MB
- memory/2576-4-0x0000000000000000-mapping.dmp
- memory/3104-6-0x0000000000000000-mapping.dmp
- memory/3104-8-0x0000000073E00000-0x0000000073E1F000-memory.dmp
  Filesize: 124KB