Analysis
- max time kernel: 137s
- max time network: 133s
- platform: windows10_x64
- resource: win10
- submitted: 21-10-2020 09:32

Static task: static1
Behavioral task: behavioral1
Sample: sample20201021-01.xlsm
Resource: win7
General
- Target: sample20201021-01.xlsm
- Size: 43KB
- MD5: 0ec3a0613d2fc39417eaccebaedfcdf0
- SHA1: 0195cdd1579f6be5f143e36c942075ae811c0595
- SHA256: 857b5c1209e2bec7dda0c80b92123f4ceb15f8c560f23551804e4bd09b94e901
- SHA512: 2f77e01859e5a54f7002b3ea13a17167589e4aa2b48b71a17d9d86f515af81b95acbbbfadcbd94818eb9a9ece47d2b7205dff8253329d9165ad9914b6f2af3f3
Malware Config
Extracted
- Family: dridex
- 10444
- 79.137.29.86:443
- 87.106.191.77:3889
- 44.48.26.99:4664
- 178.254.22.25:33443
Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; pid: 3692; pid_target: 3808; process: regsvr32.exe; target process: EXCEL.EXE
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\qqnvr._UH; yara_rule: cryptone
- resource: \Users\Admin\AppData\Local\Temp\qqnvr._UH; yara_rule: cryptone
Processes:
- resource: behavioral2/memory/196-9-0x0000000002E60000-0x0000000002E9D000-memory.dmp; yara_rule: dridex_ldr
Loads dropped DLL 1 IoCs
Processes:
- pid: 196; process: regsvr32.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: EXCEL.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: EXCEL.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; process: EXCEL.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; process: EXCEL.EXE
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; process: EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- pid: 3808; process: EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
- pid: 3808; process: EXCEL.EXE (12 occurrences)
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
- description: PID 3808 wrote to memory of 3692; pid: 3808; process: EXCEL.EXE; target process: regsvr32.exe (2 occurrences)
- description: PID 3692 wrote to memory of 196; pid: 3692; process: regsvr32.exe; target process: regsvr32.exe (3 occurrences)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\sample20201021-01.xlsm"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\qqnvr._UH
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: -s C:\Users\Admin\AppData\Local\Temp\qqnvr._UH
         - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\qqnvr._UH
  MD5: dcf2227479f4f2a37f4ffdfc7c4b1f0f
  SHA1: 77f7f1ffb9757dde690dd3466af59f171875a9f4
  SHA256: 6b34671b04872cfde098c319f20693021a43ddb8b00f989669778e745e5232a4
  SHA512: 3b290fa848381834136e2f58059def67b9c8a847ca5040ae659eaf517321333a4d4ff3dbc024273d9d8ff8e95211f93ab46d0f40a0ba4e3b75d60e2408dbef87
- \Users\Admin\AppData\Local\Temp\qqnvr._UH
  MD5: dcf2227479f4f2a37f4ffdfc7c4b1f0f
  SHA1: 77f7f1ffb9757dde690dd3466af59f171875a9f4
  SHA256: 6b34671b04872cfde098c319f20693021a43ddb8b00f989669778e745e5232a4
  SHA512: 3b290fa848381834136e2f58059def67b9c8a847ca5040ae659eaf517321333a4d4ff3dbc024273d9d8ff8e95211f93ab46d0f40a0ba4e3b75d60e2408dbef87
- memory/196-7-0x0000000000000000-mapping.dmp
- memory/196-9-0x0000000002E60000-0x0000000002E9D000-memory.dmp
  Filesize: 244KB
- memory/3692-5-0x0000000000000000-mapping.dmp
- memory/3808-0-0x00007FFD63CE0000-0x00007FFD643A6000-memory.dmp
  Filesize: 6.8MB
- memory/3808-1-0x0000024B4693D000-0x0000024B46942000-memory.dmp
  Filesize: 20KB
- memory/3808-2-0x0000024B41560000-0x0000024B4157E000-memory.dmp
  Filesize: 120KB
- memory/3808-3-0x0000024B41560000-0x0000024B4157E000-memory.dmp
  Filesize: 120KB
- memory/3808-4-0x0000024B41560000-0x0000024B4157E000-memory.dmp
  Filesize: 120KB