Analysis

Max time kernel:  86s
Max time network: 146s
Platform:         windows10_x64
Resource:         win10v20201028
Submitted:        14-01-2021 07:08

Static task:     static1
Behavioral task: behavioral1
  Sample:   Inv #147.xls
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample:   Inv #147.xls
  Resource: win10v20201028
General

Target: Inv #147.xls
Size:   706KB
MD5:    77e05d6f0c417328a50a29af170e1efd
SHA1:   3167568a7dcef3faba0a4636ff71f2844d6d8962
SHA256: 346a5f545abd67c879755d34f5985f038b30704d97ed59b5597d9dc251336080
SHA512: 2ea0153df0240a964e92ef4b5477ed361a20614149f36992496914a89bf3fc5abb582fd3fe4478aa0b6b2c8de6f1d4358aa5baec664f4fa5caf2aa1b841433e1
Malware Config

Extracted
Family: dridex
Botnet: 111
C2:
  52.73.70.149:443
  8.4.9.152:3786
  185.246.87.202:3098
  50.116.111.64:5353
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description                                                                         pid  pid_target  process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  508  68          wmiC.exe

YARA rule match
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/816-8-0x00000000741B0000-0x00000000741CF000-memory.dmp  dridex_ldr

Blocklisted process makes network request (3 IoCs)
Processes:
  flow  pid  process
  28    508  wmiC.exe
  30    508  wmiC.exe
  32    508  wmiC.exe

Loads dropped DLL (1 IoC)
Processes:
  pid  process
  816  rundll32.exe

JavaScript code in executable (2 IoCs)
Processes:
  resource                   yara_rule
  C:\Windows\Temp\8p10k.dll  js
  \Windows\Temp\8p10k.dll    js

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reads are attributed to EXCEL.EXE (PID 500) itself, which queries these CPU keys during normal startup, so on their own they are weak evidence of malicious behaviour.
Processes:
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                              process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid  process
  500  EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (42 IoCs)
All 42 IoCs belong to PID 508 (wmiC.exe). The 21 token adjustments below are recorded twice, in the same order. wmic.exe enables this full set of privileges in its own token at startup, so this signature fires for any wmic run; it confirms the process ran but says little about the payload. The numeric entries are privilege LUIDs: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege.
Processes:
  pid  process   token
  508  wmiC.exe  SeIncreaseQuotaPrivilege
  508  wmiC.exe  SeSecurityPrivilege
  508  wmiC.exe  SeTakeOwnershipPrivilege
  508  wmiC.exe  SeLoadDriverPrivilege
  508  wmiC.exe  SeSystemProfilePrivilege
  508  wmiC.exe  SeSystemtimePrivilege
  508  wmiC.exe  SeProfSingleProcessPrivilege
  508  wmiC.exe  SeIncBasePriorityPrivilege
  508  wmiC.exe  SeCreatePagefilePrivilege
  508  wmiC.exe  SeBackupPrivilege
  508  wmiC.exe  SeRestorePrivilege
  508  wmiC.exe  SeShutdownPrivilege
  508  wmiC.exe  SeDebugPrivilege
  508  wmiC.exe  SeSystemEnvironmentPrivilege
  508  wmiC.exe  SeRemoteShutdownPrivilege
  508  wmiC.exe  SeUndockPrivilege
  508  wmiC.exe  SeManageVolumePrivilege
  508  wmiC.exe  33
  508  wmiC.exe  34
  508  wmiC.exe  35
  508  wmiC.exe  36

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid  process    count
  500  EXCEL.EXE  12

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                      pid   process       target process  count
  PID 508 wrote to memory of 1480  508   wmiC.exe      rundll32.exe    2
  PID 1480 wrote to memory of 816  1480  rundll32.exe  rundll32.exe    3
Processes

[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Inv #147.xls"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\wbem\wmiC.exe
    Command line: wmiC
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//8p10k.dll InitHelperDll
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//8p10k.dll InitHelperDll
            - Loads dropped DLL
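Reading the tree together with the signatures: wmiC.exe (PID 508) sits under wmiprvse.exe rather than under EXCEL.EXE, which is what process creation through WMI (Win32_Process) looks like in a process tree, and is why the report flags the parentage as unexpected. wmiC.exe then starts the 64-bit rundll32.exe (PID 1480) on the dropped C:\Windows\Temp\8p10k.dll, and that instance re-launches the SysWOW64 rundll32.exe (PID 816) with an identical command line; that is the normal WOW64 hand-off when a 64-bit rundll32 is handed a 32-bit DLL, and PID 816 is where the dridex_ldr YARA rule matches. The 2092E.XSL dropped under AppData\Roaming is consistent with wmic being run with a /format: stylesheet, which executes script embedded in the XSL, but the report does not show wmiC.exe's arguments, so treat that as an inference. Two details matter for detection content: the image is cased wmiC.exe, and the DLL path is written C:/Windows/Temp//8p10k.dll, so case-sensitive or literal-string matches on wmic.exe or C:\Windows\Temp\ miss both.

The Python below is an added example and is not part of the sandbox report or any vendor's detection rules. It replays hand-constructed process-creation events modelled on this tree (the pid/ppid/image/parent_image/cmdline schema is assumed for the example, and wmiprvse.exe has no creation event of its own, exactly as in the report) and re-derives the "unexpected child" and "dropped DLL" findings after normalising case and path separators.

```python
"""Added example, not part of the sandbox report: replay constructed
process-creation events modelled on the report's process tree and re-derive
its 'Process spawned unexpected child process' and 'Loads dropped DLL' findings.

Assumptions: the event schema (pid, ppid, image, parent_image, cmdline) is
invented for this example; the events are hand-constructed from the report's
process tree, not a real log capture.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


# Constructed from the report's process tree. EXCEL.EXE's parent and the
# creation of wmiprvse.exe (PID 68) are not in the report, so they are left
# unknown here: wmiprvse.exe is visible only as a parent.
EVENTS: List[ProcEvent] = [
    ProcEvent(500, 0,
              r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE", "",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\Inv #147.xls"'),
    ProcEvent(508, 68, r"C:\Windows\system32\wbem\wmiC.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiC"),
    ProcEvent(1480, 508, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\system32\wbem\wmiC.exe",
              r'"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//8p10k.dll InitHelperDll'),
    ProcEvent(816, 1480, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//8p10k.dll InitHelperDll'),
]

# Script/LOLBin hosts that have no business being children of wmiprvse.exe;
# that parentage means something created them via WMI (Win32_Process.Create).
WMI_SPAWNED_LOLBINS = {"wmic.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                       "powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe"}

# Locations a non-privileged process can write to. A signed Windows host loading
# a module from here is the 'Loads dropped DLL' pattern.
WRITABLE_DIRS = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")


def basename(image: str) -> str:
    """Lower-cased file name, so 'wmiC.exe' and 'WMIC.EXE' compare equal."""
    return ntpath.basename(image).lower()


def normalize_path(path: str) -> str:
    """Canonicalise Windows path spellings: strip quotes, turn forward slashes
    into backslashes, collapse repeated separators, lower-case."""
    return ntpath.normpath(path.strip('"')).lower()


def rundll32_module(cmdline: str) -> Optional[str]:
    """First argument of a rundll32 command line, i.e. the module to load.
    rundll32 accepts '<dll>,<entry>' or '<dll> <entry>'; the image token may be
    quoted or bare."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s+("[^"]*"|[^\s,]+)', cmdline)
    return m.group(1).strip('"') if m else None


def lineage(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names from pid up to the root, following ppid links. When a parent
    has no creation event of its own, its parent_image name closes the chain."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(basename(ev.image))
        pid = ev.ppid
        if pid not in by_pid and ev.parent_image:
            chain.append(basename(ev.parent_image))
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) for each event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        name = basename(ev.image)
        if basename(ev.parent_image) == "wmiprvse.exe" and name in WMI_SPAWNED_LOLBINS:
            alerts.append((ev.pid, "wmi_spawned_lolbin",
                           f"{name} created through WMI (parent wmiprvse.exe)"))
        if name == "rundll32.exe":
            module = rundll32_module(ev.cmdline)
            if module and normalize_path(module).startswith(WRITABLE_DIRS):
                chain = " <- ".join(lineage(ev.pid, by_pid))
                alerts.append((ev.pid, "rundll32_writable_module",
                               f"{normalize_path(module)} via {chain}"))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid:5d}  {rule:26s} {detail}")
```

Run against the constructed events this yields three alerts: PID 508 for the WMI-created wmic, and PIDs 1480 and 816 for rundll32 loading a module from C:\Windows\Temp. Both rundll32 instances alerting is the intended outcome: deduplicating on command line would hide the SysWOW64 instance, which is the one that actually hosts the loader. If your telemetry carries file hashes for loaded modules, the MD5/SHA256 of 8p10k.dll under Downloads is the natural enrichment to attach to the second rule.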
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\2092E.XSL
  MD5:    6dbdd2b3310032a65b0435e8afcad218
  SHA1:   67542823e1d2a526c4b9a3206be1f1d54f9dfd8b
  SHA256: 3a7c2bc8d86e18f0e6458ad150f052574475e1c34c382d200b7f832b08e43c12
  SHA512: 6fb08152de538afc6ac5bad3469c7be9647884611a6b97236b2a62e617844fa493592a81e6e6a05a658c302d49a0d9454a5474bd5df82633ec6f093f6c9af764

C:\Windows\Temp\8p10k.dll (also listed as \Windows\Temp\8p10k.dll; same file, same hashes)
  MD5:    806279bd4aa02e4ca543f4df70a97071
  SHA1:   510d71a67521be4dc0d6b1da67492e7834e8fb59
  SHA256: 481adb7aee323dc6e2725682cd17fba1e94b3ea4fed0d94fb6189b7afd8378fd
  SHA512: f6a014cf9e6d6df59770b4ba7eb96d86b643f7ca02e12d0be3c502ca8caead589d0829cdc09833a086e54a5998077117ee940610fce34cb1eed417799d90a844

memory/500-2-0x00007FFAB59F0000-0x00007FFAB6027000-memory.dmp
  Filesize: 6.2MB

memory/816-6-0x0000000000000000-mapping.dmp

memory/816-8-0x00000000741B0000-0x00000000741CF000-memory.dmp
  Filesize: 124KB

memory/1480-4-0x0000000000000000-mapping.dmp