Analysis

  • max time kernel
    137s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    21-10-2020 09:32

General

  • Target

    sample20201021-01.xlsm

  • Size

    43KB

  • MD5

    0ec3a0613d2fc39417eaccebaedfcdf0

  • SHA1

    0195cdd1579f6be5f143e36c942075ae811c0595

  • SHA256

    857b5c1209e2bec7dda0c80b92123f4ceb15f8c560f23551804e4bd09b94e901

  • SHA512

    2f77e01859e5a54f7002b3ea13a17167589e4aa2b48b71a17d9d86f515af81b95acbbbfadcbd94818eb9a9ece47d2b7205dff8253329d9165ad9914b6f2af3f3

Malware Config

Extracted

Family

dridex

Botnet

10444

C2

79.137.29.86:443

87.106.191.77:3889

44.48.26.99:4664

178.254.22.25:33443

rc4.plain
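
The extracted C2 list above is only useful once it is turned into something that can be swept against traffic logs. The following Python is an added example, not part of the sandbox report: it validates the ip:port pairs listed on this page and matches them against a few constructed firewall log lines (the log format, the internal 10.0.0.x hosts and the 198.51.100.7 destination are assumptions made for the demo; only the four C2 endpoints and the botnet ID come from the page). Matching is port-sensitive by default, with an ip-only mode for cases where a blocklist should cover the host regardless of port.

```python
import ipaddress
import re
from typing import Iterable, Set, Tuple

# Values extracted on this page: Dridex botnet ID and the four C2 endpoints.
BOTNET_ID = "10444"
C2_ENDPOINTS = [
    "79.137.29.86:443",
    "87.106.191.77:3889",
    "44.48.26.99:4664",
    "178.254.22.25:33443",
]


def parse_c2(entries: Iterable[str]) -> Set[Tuple[str, int]]:
    """Parse 'ip:port' strings into (ip, port) tuples, rejecting malformed entries.

    A malformed entry raises ValueError rather than being silently dropped, so a
    typo in a blocklist cannot quietly remove a C2 from coverage.
    """
    parsed = set()
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed C2 entry: {entry!r}")
        ip = ipaddress.ip_address(host.strip("[]"))  # raises ValueError on non-IP
        port_num = int(port)
        if not 1 <= port_num <= 65535:
            raise ValueError(f"port out of range: {entry!r}")
        parsed.add((str(ip), port_num))
    return parsed


# Constructed sample log (assumed format: timestamp src dst:port action).
# Only the C2 addresses are real; the 10.0.0.x hosts and 198.51.100.7 are made up.
SAMPLE_LOG = """\
2020-10-21T09:33:01Z 10.0.0.15 79.137.29.86:443 ALLOW
2020-10-21T09:33:02Z 10.0.0.15 198.51.100.7:443 ALLOW
2020-10-21T09:33:05Z 10.0.0.22 178.254.22.25:33443 DENY
2020-10-21T09:33:07Z 10.0.0.15 87.106.191.77:80 ALLOW
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


def match_c2(log_text: str, c2: Set[Tuple[str, int]], port_sensitive: bool = True):
    """Return hits for log lines whose destination matches a known C2.

    port_sensitive=True matches exact ip:port pairs (fewer false positives on
    shared hosting); False matches the IP alone (catches a changed port).
    """
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the sweep
        dst, port = m["dst"], int(m["port"])
        if (dst, port) in c2 or (not port_sensitive and dst in c2_ips):
            hits.append({"line": lineno, "src": m["src"], "dst": dst,
                         "port": port, "action": m["action"], "botnet": BOTNET_ID})
    return hits


if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOG, parse_c2(C2_ENDPOINTS)):
        print(hit)
```

Note that line 4 of the sample (87.106.191.77 on port 80) is not a hit in port-sensitive mode because the config lists that host on 3889; an analyst deciding whether to block the host outright would run the ip-only mode and review the extra hit.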

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • CryptOne packer 2 IoCs

    Detects the CryptOne packer as described in the NCC Group blog post.

  • Dridex Loader 1 IoCs

    Detects the Dridex x86 and x64 loader in memory.

  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\sample20201021-01.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\qqnvr._UH
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\SysWOW64\regsvr32.exe
        -s C:\Users\Admin\AppData\Local\Temp\qqnvr._UH
        3⤵
        • Loads dropped DLL
        PID:196
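
The process tree above is the detection-relevant part of this report: Excel spawns a 64-bit regsvr32.exe that silently (-s) loads a file from the user's Temp directory with a non-DLL extension, and that regsvr32 re-executes its SysWOW64 copy because the dropped module is 32-bit. The following Python is an added example, not part of the sandbox output: it encodes those three observations as rules and runs them over process-creation events constructed from the tree (the explorer.exe parent PID 1200 and the benign control event registering a System32 DLL are assumptions added for the demo).

```python
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe"}
NORMAL_MODULE_EXTS = {".dll", ".ocx", ".ax"}

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')            # quoted or bare command-line tokens
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed process-creation events modelled on the tree in this report.
# PID 1200 (assumed explorer.exe parent) and PID 4000 (benign control) are made up.
EVENTS = [
    {"pid": 3808, "ppid": 1200,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\sample20201021-01.xlsm"'},
    {"pid": 3692, "ppid": 3808,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\qqnvr._UH'},
    {"pid": 196, "ppid": 3692,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"-s C:\Users\Admin\AppData\Local\Temp\qqnvr._UH"},
    {"pid": 4000, "ppid": 1200,  # benign control: silent registration of a System32 DLL
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\example.dll"},
]


def tokens(cmdline):
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def regsvr32_module(cmdline):
    """Return the module path regsvr32 was asked to load, or None.

    The executable may or may not appear as the first token (PID 196 above has
    a bare '-s <path>' command line), so only drop it when it is regsvr32.
    """
    toks = tokens(cmdline)
    if toks and ntpath.basename(toks[0]).lower() == "regsvr32.exe":
        toks = toks[1:]
    for t in toks:
        if not t.startswith(("/", "-")):
            return t
    return None


def is_silent(cmdline):
    return any(t.lower() in ("/s", "-s") for t in tokens(cmdline))


def analyze(events):
    """Return [{pid, image, rules}] for events that trip at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        child = ntpath.basename(e["image"]).lower()
        parent_name = ntpath.basename(parent["image"]).lower() if parent else None
        rules = []
        # Rule A: an Office application launching a living-off-the-land binary.
        if parent_name in OFFICE_APPS and child in LOLBINS:
            rules.append("office_spawns_lolbin")
        if child == "regsvr32.exe":
            mod = regsvr32_module(e["cmdline"])
            # Rule B: module lives in the user's Temp dir or has an unusual extension.
            if mod and (TEMP_DIR_RE.search(mod)
                        or ntpath.splitext(mod)[1].lower() not in NORMAL_MODULE_EXTS):
                rules.append("regsvr32_module_in_temp_or_odd_ext"
                             + ("_silent" if is_silent(e["cmdline"]) else ""))
            # Rule C: 64-bit regsvr32 re-spawning its SysWOW64 copy (32-bit payload).
            if parent_name == "regsvr32.exe" and "\\syswow64\\" in e["image"].lower():
                rules.append("regsvr32_wow64_reexec")
        if rules:
            findings.append({"pid": e["pid"], "image": e["image"], "rules": rules})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["pid"], f["image"], ", ".join(f["rules"]))
```

Rule C on its own is only informational (any 32-bit COM DLL registered on a 64-bit host produces the same re-spawn), which is why it is reported alongside the Temp-path and Office-parent rules rather than as a standalone alert; the control event for PID 4000 shows that a silent registration of a System32 DLL with no Office ancestor trips nothing.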

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2


Downloads

  • C:\Users\Admin\AppData\Local\Temp\qqnvr._UH
    MD5

    dcf2227479f4f2a37f4ffdfc7c4b1f0f

    SHA1

    77f7f1ffb9757dde690dd3466af59f171875a9f4

    SHA256

    6b34671b04872cfde098c319f20693021a43ddb8b00f989669778e745e5232a4

    SHA512

    3b290fa848381834136e2f58059def67b9c8a847ca5040ae659eaf517321333a4d4ff3dbc024273d9d8ff8e95211f93ab46d0f40a0ba4e3b75d60e2408dbef87

  • \Users\Admin\AppData\Local\Temp\qqnvr._UH
    MD5

    dcf2227479f4f2a37f4ffdfc7c4b1f0f

    SHA1

    77f7f1ffb9757dde690dd3466af59f171875a9f4

    SHA256

    6b34671b04872cfde098c319f20693021a43ddb8b00f989669778e745e5232a4

    SHA512

    3b290fa848381834136e2f58059def67b9c8a847ca5040ae659eaf517321333a4d4ff3dbc024273d9d8ff8e95211f93ab46d0f40a0ba4e3b75d60e2408dbef87

  • memory/196-7-0x0000000000000000-mapping.dmp
  • memory/196-9-0x0000000002E60000-0x0000000002E9D000-memory.dmp
    Filesize

    244KB

  • memory/3692-5-0x0000000000000000-mapping.dmp
  • memory/3808-0-0x00007FFD63CE0000-0x00007FFD643A6000-memory.dmp
    Filesize

    6.8MB

  • memory/3808-1-0x0000024B4693D000-0x0000024B46942000-memory.dmp
    Filesize

    20KB

  • memory/3808-2-0x0000024B41560000-0x0000024B4157E000-memory.dmp
    Filesize

    120KB

  • memory/3808-3-0x0000024B41560000-0x0000024B4157E000-memory.dmp
    Filesize

    120KB

  • memory/3808-4-0x0000024B41560000-0x0000024B4157E000-memory.dmp
    Filesize

    120KB