Analysis
- max time kernel: 1802s
- max time network: 1554s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-12-2021 01:05
Static task: static1
Behavioral task: behavioral1
Sample: BItnXySrFeNTtqudIaaoW.rtf.hta
Resource: win7-en-20211208
General
- Target: BItnXySrFeNTtqudIaaoW.rtf.hta
- Size: 5KB
- MD5: 173662596f9b5261d1030c562fbfa1cb
- SHA1: 12346b4dc8a92a25977966a65f82e5fbc181e44a
- SHA256: 3843d789fde5df893756d4d17ea8d4d06a184915d3999477bb4dc06ee871c100
- SHA512: 054909a433d2fa855f5dccb705c9d26ed9cb599ecab2dfdb24543fb473385c971d2f8727c394d54eeb638b8bc0bce67eb91e0aab04a4993dfbb4eff295cecf75
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 144.91.122.102:443
  - 85.10.248.28:593
  - 185.4.135.27:5228
  - 80.211.3.13:8116
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (regsvr32.exe):
  - description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid: 4468; pid_target: 4344; process: regsvr32.exe
- YARA rule match (dridex_ldr)
  Processes:
  - resource: behavioral2/memory/4436-119-0x0000000070080000-0x000000007010C000-memory.dmp; yara_rule: dridex_ldr
- Blocklisted process makes network request (2 IoCs)
  Processes (mshta.exe):
  - flow: 9; pid: 3664; process: mshta.exe
  - flow: 11; pid: 3664; process: mshta.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes (regsvr32.exe):
  - pid: 4436; process: regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes (wmic.exe): pid 4044 wmic.exe adjusted each of the following 21 tokens twice:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (mshta.exe, regsvr32.exe):
  - description: PID 3664 wrote to memory of 4044; pid: 3664; process: mshta.exe; target process: wmic.exe (3 occurrences)
  - description: PID 4468 wrote to memory of 4436; pid: 4468; process: regsvr32.exe; target process: regsvr32.exe (3 occurrences)
Processes
- C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\BItnXySrFeNTtqudIaaoW.rtf.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic process call create "regsvr32.exe -s C:\\ProgramData\bfnigger.bin"
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32.exe -s C:\\ProgramData\bfnigger.bin
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: -s C:\\ProgramData\bfnigger.bin
    - Loads dropped DLL
Downloads
- C:\ProgramData\bfnigger.bin
  MD5: 63c22ce32346e029fa5a1ec1ae619d0f
  SHA1: 222cf86c3b59f466292bb734be308cda77c3ddff
  SHA256: efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda
  SHA512: 413efdf48b13d8cd6cb9f799215a7c34588995ba5f48c4db855ad332c3b4b6b7c753ff361d0cd850a728ec68c76b47e96aaac604f3bdb069920d930c422bd0f4
- \ProgramData\bfnigger.bin (same file; identical MD5, SHA1, SHA256 and SHA512 as above)
- memory/4044-115-0x0000000000000000-mapping.dmp
- memory/4436-117-0x0000000000000000-mapping.dmp
- memory/4436-119-0x0000000070080000-0x000000007010C000-memory.dmp (Filesize: 560KB)
- memory/4436-121-0x00000000012A0000-0x00000000012A6000-memory.dmp (Filesize: 24KB)
- memory/4436-123-0x00000000012B0000-0x00000000012B1000-memory.dmp (Filesize: 4KB)
- memory/4436-122-0x00000000012B0000-0x00000000012B1000-memory.dmp (Filesize: 4KB)
- memory/4436-124-0x00000000012B0000-0x00000000012B1000-memory.dmp (Filesize: 4KB)