dridex | 857b5c1209e2bec7dda0c80b92123f4ceb15f8c560f23551804e4bd09b94e901

General

Target

sample20201021-01.xlsm
Size

43KB
MD5

0ec3a0613d2fc39417eaccebaedfcdf0
SHA1

0195cdd1579f6be5f143e36c942075ae811c0595
SHA256

857b5c1209e2bec7dda0c80b92123f4ceb15f8c560f23551804e4bd09b94e901
SHA512

2f77e01859e5a54f7002b3ea13a17167589e4aa2b48b71a17d9d86f515af81b95acbbbfadcbd94818eb9a9ece47d2b7205dff8253329d9165ad9914b6f2af3f3

Score

10^/10

dridex 10444 botnet cryptone loader packer

Malware Config

Extracted

Family

dridex

Botnet

10444

C2

79.137.29.86:443

87.106.191.77:3889

44.48.26.99:4664

178.254.22.25:33443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3692	3808	regsvr32.exe	EXCEL.EXE

CryptOne packer 2 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\qqnvr._UH	cryptone
\Users\Admin\AppData\Local\Temp\qqnvr._UH	cryptone

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/196-9-0x0000000002E60000-0x0000000002E9D000-memory.dmp	dridex_ldr

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

196 regsvr32.exe

pid	process
196	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3808 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

EXCEL.EXEregsvr32.exe

description	pid	process	target process
PID 3808 wrote to memory of 3692	3808	EXCEL.EXE	regsvr32.exe
PID 3808 wrote to memory of 3692	3808	EXCEL.EXE	regsvr32.exe
PID 3692 wrote to memory of 196	3692	regsvr32.exe	regsvr32.exe
PID 3692 wrote to memory of 196	3692	regsvr32.exe	regsvr32.exe
PID 3692 wrote to memory of 196	3692	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\sample20201021-01.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\qqnvr._UH
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\qqnvr._UH
3⤵
- Loads dropped DLL
PID:196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qqnvr._UH
MD5
dcf2227479f4f2a37f4ffdfc7c4b1f0f

SHA1
77f7f1ffb9757dde690dd3466af59f171875a9f4

SHA256
6b34671b04872cfde098c319f20693021a43ddb8b00f989669778e745e5232a4

SHA512
3b290fa848381834136e2f58059def67b9c8a847ca5040ae659eaf517321333a4d4ff3dbc024273d9d8ff8e95211f93ab46d0f40a0ba4e3b75d60e2408dbef87

Download Submit
\Users\Admin\AppData\Local\Temp\qqnvr._UH
MD5
dcf2227479f4f2a37f4ffdfc7c4b1f0f

SHA1
77f7f1ffb9757dde690dd3466af59f171875a9f4

SHA256
6b34671b04872cfde098c319f20693021a43ddb8b00f989669778e745e5232a4

SHA512
3b290fa848381834136e2f58059def67b9c8a847ca5040ae659eaf517321333a4d4ff3dbc024273d9d8ff8e95211f93ab46d0f40a0ba4e3b75d60e2408dbef87

Download Submit
memory/196-7-0x0000000000000000-mapping.dmp

Download
memory/196-9-0x0000000002E60000-0x0000000002E9D000-memory.dmp

Filesize
244KB

Download
memory/3692-5-0x0000000000000000-mapping.dmp

Download
memory/3808-0-0x00007FFD63CE0000-0x00007FFD643A6000-memory.dmp

Filesize
6.8MB

Download
memory/3808-1-0x0000024B4693D000-0x0000024B46942000-memory.dmp

Filesize
20KB

Download
memory/3808-2-0x0000024B41560000-0x0000024B4157E000-memory.dmp

Filesize
120KB

Download
memory/3808-3-0x0000024B41560000-0x0000024B4157E000-memory.dmp

Filesize
120KB

Download
memory/3808-4-0x0000024B41560000-0x0000024B4157E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads