Analysis
max time kernel: 59s
max time network: 143s
platform: windows10_x64
resource: win10v20201028
submitted: 14-01-2021 07:08

Static task: static1
Behavioral task: behavioral1
  Sample: Inv 4529.xls
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Inv 4529.xls
  Resource: win10v20201028
General
Target: Inv 4529.xls
Size: 793KB
MD5: 8db799f159631efb77a2d8c7c0099399
SHA1: 8f202b18d37b68a26d53a64cc6c4b7b127c6c94b
SHA256: 4d13b0dda7b538ae90a79ac5bbb872f3aba6fd798c2900c4580bc59ae8623b1f
SHA512: 78506c8a91f09a98f015462b3a88ee1c08552bb2a396a1103106a4b71438633a52a6315c50700c229e5775fb9b87f3201ccda9a9b7a4d67e906a5c6bc7ff3bcc
Malware Config
Extracted
Family: dridex
Botnet: 111
C2:
  52.73.70.149:443
  8.4.9.152:3786
  185.246.87.202:3098
  50.116.111.64:5353
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | pid: 3212 | pid_target: 4304 | process: WmiC.exe

Processes:
  resource: behavioral2/memory/4504-8-0x0000000073990000-0x00000000739AF000-memory.dmp | yara_rule: dridex_ldr

Blocklisted process makes network request (2 IoCs)
Processes:
  flow: 26 | pid: 3212 | process: WmiC.exe
  flow: 29 | pid: 3212 | process: WmiC.exe

Loads dropped DLL (1 IoC)
Processes:
  pid: 4504 | process: rundll32.exe

JavaScript code in executable (2 IoCs)
Processes:
  resource: C:\Windows\Temp\t0nue.dll | yara_rule: js
  resource: \Windows\Temp\t0nue.dll | yara_rule: js

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | process: EXCEL.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | process: EXCEL.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | process: EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS | process: EXCEL.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | process: EXCEL.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | process: EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid: 4712 | process: EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes:
  pid 3212 (WmiC.exe) adjusted each of the following 21 tokens, with the whole set recorded twice (42 IoCs in total):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid: 4712 | process: EXCEL.EXE (recorded 12 times)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description: PID 3212 wrote to memory of 4500 | pid: 3212 | process: WmiC.exe | target process: rundll32.exe (recorded 2 times)
  description: PID 4500 wrote to memory of 4504 | pid: 4500 | process: rundll32.exe | target process: rundll32.exe (recorded 3 times)
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Inv 4529.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WmiC.exe
  Command line: WmiC
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//t0nue.dll InitHelperDll
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//t0nue.dll InitHelperDll
      - Loads dropped DLL
Downloads

C:\Users\Admin\AppData\Roaming\2C986.Xsl
  MD5: ce8fe37f9e9fe345494f4abc26bc8486
  SHA1: 7165984ae2fff5e25a95b52215ff1575bb08a7ed
  SHA256: e43dc63bb5855d140266ae4105d391dbbbb99633621affba06a8e3dec5e2b287
  SHA512: 86eb6722aa6d3d916a9116caf45310254cdba5ab99337e6324385ef91e2b1d9e800d1a9e915c7ab4f40fa48bcb095bf783bf1b5a801b0652a9c283df77fe4b8d

C:\Windows\Temp\t0nue.dll
  MD5: 0da1b3631ac12b39bfaba514cd1c9bd3
  SHA1: 59d9ab5be0b558167463e8c3e5ca81777f394156
  SHA256: 1835950bd36618da010f46baac9f05fc01d773c28147ab9afc503f53f962538a
  SHA512: 50480417561bbd714329af59ebc95a039c4cf8f4aaa7aeb30d4973cc73ba412ffede4a33f337f862c7a8eec1d1441440aa9d63e08dfb98938e1d6012049741a2

\Windows\Temp\t0nue.dll
  MD5: 0da1b3631ac12b39bfaba514cd1c9bd3
  SHA1: 59d9ab5be0b558167463e8c3e5ca81777f394156
  SHA256: 1835950bd36618da010f46baac9f05fc01d773c28147ab9afc503f53f962538a
  SHA512: 50480417561bbd714329af59ebc95a039c4cf8f4aaa7aeb30d4973cc73ba412ffede4a33f337f862c7a8eec1d1441440aa9d63e08dfb98938e1d6012049741a2

memory/4500-4-0x0000000000000000-mapping.dmp

memory/4504-6-0x0000000000000000-mapping.dmp

memory/4504-8-0x0000000073990000-0x00000000739AF000-memory.dmp
  Filesize: 124KB

memory/4712-2-0x00007FF864190000-0x00007FF8647C7000-memory.dmp
  Filesize: 6.2MB