Analysis
- max time kernel: 77s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 07:10

Tasks
- Static task: static1
- Behavioral task: behavioral1, sample Report 290.xls, resource win7v20201028
- Behavioral task: behavioral2, sample Report 290.xls, resource win10v20201028 (the run the signatures and process tree below come from)
General
- Target: Report 290.xls
- Size: 730KB
- MD5: 59539fde938ac6da898bd587f1850c96
- SHA1: 2fb5d4ffe1a88cffe59463ac2e7e3996574b1556
- SHA256: 137bdd679664e951ea9c919cb447b64d6d24251c406350e78471c1d589f12706
- SHA512: 2ba1a2c5063a7bdab49c4c4f54d637658fe627b4150e0878cdae469811d3a289b6ac07aa7fd7eb02b27ebb64c4e2461712be6b116bba41fdba1e042d1bd2c3b9
Malware Config
Extracted
- Family: dridex
- Botnet: 111
- C2:
  52.73.70.149:443
  8.4.9.152:3786
  185.246.87.202:3098
  50.116.111.64:5353
Only one of the four listeners is on 443; block and alert on each ip:port pair rather than on port-443 traffic alone, since the other three sit on ports no proxy policy is likely to cover.
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
    pid: 2224 (wMIc.exe) | pid_target: 4080 (presumably the wmiprvse.exe parent, which is not itself in the monitored process list) | process: wMIc.exe
  Note: wmiprvse.exe hosts WMI providers, so a child under it means the caller went through WMI (typically Win32_Process.Create) rather than CreateProcess. The only other user process in this run is EXCEL.EXE, so the macro most likely launched wmic this way; the effect is that wMIc.exe appears as a root in the process tree below instead of under EXCEL.EXE, and any rule that keys on "Office spawned a LOLBin" never fires.
- Dridex (1 IoC)
  Processes:
    yara rule dridex_ldr matched resource behavioral2/memory/496-8-0x0000000073DD0000-0x0000000073DEF000-memory.dmp (the 32-bit rundll32.exe, pid 496)
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow 32 | pid 2224 | wMIc.exe
    flow 34 | pid 2224 | wMIc.exe
    flow 36 | pid 2224 | wMIc.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid 496 | rundll32.exe
- JavaScript code in executable (2 IoCs)
  Processes:
    yara rule js matched C:\Windows\Temp\100se.dll
    yara rule js matched \Windows\Temp\100se.dll (the same file, reported again under its drive-relative path)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the second sentence is the sandbox's generic description of this signature. Nothing else in this run supports a ransomware reading (no file encryption, no dropped note, and a Dridex config and loader in memory); Dridex is a banking trojan and loader, and drive enumeration is just as consistent with environment fingerprinting as with encryption.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened        \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
    Key opened        \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Note: both groups are attributed to EXCEL.EXE (pid 2432). Office and many other legitimate applications read these keys at start-up, so on this evidence they cannot be separated from the macro's own activity.
- Modifies system certificate store
  Processes:
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349                                      wMIc.exe
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not included in this extract)  wMIc.exe
  Note: AuthRoot is where Windows caches roots fetched by the automatic root certificate update, and the write is attributed to wMIc.exe, the same process that made the network requests above. A TLS connection whose chain needs a root not yet cached produces exactly this key-created/blob-set pair, so on its own this is weak evidence of tampering; it only becomes interesting if the thumbprint does not belong to a Microsoft-distributed root.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 2432 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes: pid 2224, wMIc.exe, enabled the following privileges, the whole set twice over (21 x 2 = 42):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35 and 36 (reported by number only)
  Note: enabling every privilege the token already holds in one call is consistent with a WMI client enabling all privileges in its token rather than with a targeted escalation; AdjustTokenPrivileges cannot add a privilege the token does not hold, and SeDebugPrivilege is present only because the sandbox runs the sample as the administrator account Admin.
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid 2432 | EXCEL.EXE (12 calls)
  Note: the two EXCEL.EXE behaviours above (clipboard listener, window hooks) are routine Office activity; they are listed because the sandbox flags the API, not because they point at the macro.
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    PID 2224 (wMIc.exe)     wrote to memory of 3560 (rundll32.exe), twice
    PID 3560 (rundll32.exe) wrote to memory of 496 (rundll32.exe), three times
  Note: both edges are the parent-to-child creation edges of the process tree, where the parent writes into the new child's address space as part of ordinary process start-up, so this is not by itself evidence of injection; what makes the chain hostile is the DLL being loaded, not the writes.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (pid 2432)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Report 290.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wbem\wMIc.exe (pid 2224; parent wmiprvse.exe, not in the tree)
  wMIc
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (pid 3560)
    "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//100se.dll InitHelperDll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (pid 496)
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//100se.dll InitHelperDll
      - Loads dropped DLL
Reading the tree: wMIc.exe is a second root rather than a child of EXCEL.EXE because its parent is the WMI provider host (see the first signature), which breaks any detection that expects the Office process to be the direct parent. The image name is logged as wMIc.exe and the module path as C:/Windows/Temp//100se.dll, with forward and doubled slashes; Windows accepts both spellings, but case-sensitive or literal-string rules do not. The 64-bit rundll32.exe re-launches the identical command line under SysWOW64, which is what rundll32 does when the DLL handed to it is 32-bit, and it is that 32-bit process (pid 496) whose memory matched the dridex_ldr rule. The recorded command line for wMIc.exe is only the image name, so whatever arguments led from wmic to the rundll32 chain are not visible on this page.
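The chain above, as a hunt over Sysmon-style process-creation events. This is an added example, not part of the sandbox report or of any vendor's rule set; the events are constructed from the report's PIDs, images and command lines, and EXCEL.EXE's parent (explorer.exe, pid 1234) and the final benign rundll32 row are assumed for contrast. It normalises the forward-slash, double-slash, mixed-case path before matching, which a literal-string rule would miss.

```python
"""Hunt for the process chain in this report in Sysmon-style process-creation
events: WMI provider host -> wmic.exe, rundll32.exe loading a DLL from a
writable directory, and the 64-bit -> 32-bit rundll32.exe re-launch.
The EVENTS below are constructed from the report's PIDs and command lines."""
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    ppid: int
    parent_image: str


# A parent that has no business launching script hosts or LOLBins.
WMI_HOST = "wmiprvse.exe"
LOLBINS = {"wmic.exe", "cmd.exe", "powershell.exe", "rundll32.exe",
           "regsvr32.exe", "mshta.exe", "cscript.exe", "wscript.exe"}
# Staging directories a user (and therefore a macro) can write to.
WRITABLE_DIRS = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")


def norm_path(p: str) -> str:
    """Normalise a Windows path before comparing it: strip quotes, turn '/'
    into '\\', collapse repeated separators, casefold.  The loader here was
    started as C:/Windows/Temp//100se.dll, which Windows opens happily and a
    literal match on 'C:\\Windows\\Temp\\' misses.  (Local paths only: the
    collapse would also eat the leading '\\\\' of a UNC path.)"""
    p = p.strip().strip('"').replace("/", "\\")
    p = re.sub(r"\\{2,}", r"\\", p)
    return p.casefold()


def basename(p: str) -> str:
    return norm_path(p).rsplit("\\", 1)[-1]


def rundll32_module(cmdline: str):
    """The DLL a rundll32 command line loads: its first argument, with any
    ',Export' suffix removed.  Returns None for anything that is not rundll32."""
    try:
        parts = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes
    except ValueError:
        return None
    if len(parts) < 2 or basename(parts[0]) != "rundll32.exe":
        return None
    return norm_path(parts[1].split(",", 1)[0])


def hunt(events):
    """Return (rule, pid) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        child, parent = basename(e.image), basename(e.parent_image)
        # 1. WmiPrvSE.exe launching a LOLBin: the caller went through WMI, so
        #    the process that actually asked for it (EXCEL.EXE in the report)
        #    is not the parent and a parent-is-Office rule never fires.
        if parent == WMI_HOST and child in LOLBINS:
            hits.append(("wmiprvse_spawned_lolbin", e.pid))
        # 2. rundll32 handed a module from a user-writable location.
        module = rundll32_module(e.cmdline)
        if module and module.startswith(WRITABLE_DIRS):
            hits.append(("rundll32_writable_module", e.pid))
        # 3. rundll32 re-launching itself under SysWOW64 with the same command
        #    line: the 64-bit host found a 32-bit DLL and deferred to the 32-bit loader.
        p = by_pid.get(e.ppid)
        if (p is not None and child == parent == "rundll32.exe"
                and "\\syswow64\\" in norm_path(e.image)
                and norm_path(e.cmdline) == norm_path(p.cmdline)):
            hits.append(("rundll32_wow64_reexec", e.pid))
    return hits


# Constructed from the report; EXCEL.EXE's parent and the last, benign row are assumed.
EVENTS = [
    ProcEvent(2432, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Report 290.xls"',
              1234, r"C:\Windows\explorer.exe"),
    ProcEvent(2224, r"C:\Windows\system32\wbem\wMIc.exe", "wMIc",
              4080, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(3560, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//100se.dll InitHelperDll',
              2224, r"C:\Windows\system32\wbem\wMIc.exe"),
    ProcEvent(496, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//100se.dll InitHelperDll',
              3560, r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(5000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              1234, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule:28} pid {pid}")
```

Run stand-alone it reports the WMI-spawned wmic (2224), both rundll32 processes for loading a module out of C:\Windows\Temp (3560 and 496) and the WoW64 re-launch (496), and stays silent on the Control Panel rundll32 row. The third rule is deliberately narrow (same command line, parent and child both rundll32, child under SysWOW64) so that it fires on the bitness hand-off and not on every rundll32 that happens to start another.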
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\14BD2.xSL
  MD5    4896536b767ba4574e2a9621652fb457
  SHA1   a6fc2118a9cabd80e90fcb3c802b8ce21b8ac274
  SHA256 45966761b08e8d946b9ec207bfe44be1ed9c6e947ac534f49b9595d5e5d5b824
  SHA512 cb4759d30824cf20170d42f9ef2ea9c313f7b2cbfc07ce8e54a91c7451396a7c3a5b644a21174d9a13e20c9b36b693b4dfa7bcb3b95c90217ecb312837202564
- C:\Windows\Temp\100se.dll
  MD5    91f40f266cab7ab3810ef15193a5994e
  SHA1   96e9d19f1000b1d9616de2f2611fa3a02f96444e
  SHA256 99f8643948a2f4830ed06053bdeca1cc394d516e64b73cdbab442b2f5c4d07f2
  SHA512 a0b8b8c61192d18358136f4ef529c7d6f05217f9831831b6c2557b1df128703d5d5b5124a1ea9b55d50ed34b02bc9b321f0271a2984eccdba347a9467a81cac3
- \Windows\Temp\100se.dll (the same file, listed again under its drive-relative path)
  MD5    91f40f266cab7ab3810ef15193a5994e
  SHA1   96e9d19f1000b1d9616de2f2611fa3a02f96444e
  SHA256 99f8643948a2f4830ed06053bdeca1cc394d516e64b73cdbab442b2f5c4d07f2
  SHA512 a0b8b8c61192d18358136f4ef529c7d6f05217f9831831b6c2557b1df128703d5d5b5124a1ea9b55d50ed34b02bc9b321f0271a2984eccdba347a9467a81cac3
- memory/496-6-0x0000000000000000-mapping.dmp
- memory/496-8-0x0000000073DD0000-0x0000000073DEF000-memory.dmp, 124KB (the region in the 32-bit rundll32.exe that matched the dridex_ldr rule)
- memory/2432-2-0x00007FFD88A90000-0x00007FFD890C7000-memory.dmp, 6.2MB
- memory/3560-4-0x0000000000000000-mapping.dmp
Only two files were dropped: a stylesheet in the user's roaming profile and the loader DLL in C:\Windows\Temp. The .xSL is not referenced by any command line captured on this page; an XSL file written next to a wmic.exe execution is the usual footprint of wmic's /format stylesheet-script technique, but since the wmic arguments were not recorded that remains an inference. For hunting, the 100se.dll hashes and the C2 ip:port list are the durable indicators; the file names (14BD2.xSL, 100se.dll) are per-sample and should not be relied on.