Analysis
- max time kernel: 1561s
- max time network: 1563s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-12-2021 01:05

Static task: static1
Behavioral task: behavioral1
Sample: BItnXySrFeNTtqudIaaoW.rtf.hta
Resource: win7-en-20211208
General
- Target: BItnXySrFeNTtqudIaaoW.rtf.hta
- Size: 5KB
- MD5: 173662596f9b5261d1030c562fbfa1cb
- SHA1: 12346b4dc8a92a25977966a65f82e5fbc181e44a
- SHA256: 3843d789fde5df893756d4d17ea8d4d06a184915d3999477bb4dc06ee871c100
- SHA512: 054909a433d2fa855f5dccb705c9d26ed9cb599ecab2dfdb24543fb473385c971d2f8727c394d54eeb638b8bc0bce67eb91e0aab04a4993dfbb4eff295cecf75
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 144.91.122.102:443
  - 85.10.248.28:593
  - 185.4.135.27:5228
  - 80.211.3.13:8116
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
    pid: 1712 (regsvr32.exe), pid_target: 1260
- YARA match
  Processes:
    resource: behavioral1/memory/1584-61-0x0000000072780000-0x000000007280C000-memory.dmp
    yara_rule: dridex_ldr
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow 5, pid 1692, mshta.exe
    flow 7, pid 1692, mshta.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes:
    pid 1584, regsvr32.exe
- Modifies Internet Explorer settings
  Processes:
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main
    process: mshta.exe
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Processes: wmic.exe (pid 696) adjusted the following token privileges; the sequence of 20 appears twice in the report:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 1692 (mshta.exe) wrote to memory of 696 (wmic.exe): 4 occurrences
    PID 1712 (regsvr32.exe) wrote to memory of 1584 (regsvr32.exe): 7 occurrences
Processes
- C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\BItnXySrFeNTtqudIaaoW.rtf.hta" (pid 1692)
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe: wmic process call create "regsvr32.exe -s C:\\ProgramData\bfnigger.bin" (pid 696)
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\regsvr32.exe: regsvr32.exe -s C:\\ProgramData\bfnigger.bin (pid 1712, parent wmiprvse.exe pid 1260)
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe: -s C:\\ProgramData\bfnigger.bin (pid 1584)
    - Loads dropped DLL
Downloads
- C:\ProgramData\bfnigger.bin
  MD5: 63c22ce32346e029fa5a1ec1ae619d0f
  SHA1: 222cf86c3b59f466292bb734be308cda77c3ddff
  SHA256: efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda
  SHA512: 413efdf48b13d8cd6cb9f799215a7c34588995ba5f48c4db855ad332c3b4b6b7c753ff361d0cd850a728ec68c76b47e96aaac604f3bdb069920d930c422bd0f4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: a0f3e28d6a00aee6088fd790faf439a2
  SHA1: fa2aec2d0930c93d29f6f4cfccc989e1d15885dc
  SHA256: f3837690570d63ff2bf243324655affd2567fae7d8a89e81b984328958aa6309
  SHA512: a05ad3103e48226f990047854b34fda9380daed6ec8c99aed42fbf81b6a3fd40720bc6320880cb71acb1bfc03e06b58ab5d49dc774981ea9adf63dbaa31fa2a4
- \ProgramData\bfnigger.bin
  MD5: 63c22ce32346e029fa5a1ec1ae619d0f
  SHA1: 222cf86c3b59f466292bb734be308cda77c3ddff
  SHA256: efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda
  SHA512: 413efdf48b13d8cd6cb9f799215a7c34588995ba5f48c4db855ad332c3b4b6b7c753ff361d0cd850a728ec68c76b47e96aaac604f3bdb069920d930c422bd0f4
- memory/696-55-0x0000000000000000-mapping.dmp
- memory/1584-58-0x0000000000000000-mapping.dmp
- memory/1584-59-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB
- memory/1584-61-0x0000000072780000-0x000000007280C000-memory.dmp
  Filesize: 560KB
- memory/1584-63-0x00000000001B0000-0x0000000000230000-memory.dmp
  Filesize: 512KB
- memory/1712-56-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp
  Filesize: 8KB