Analysis
- max time kernel: 140s
- max time network: 132s
- platform: windows10_x64
- resource: win10
- submitted: 21-10-2020 09:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: Inv_64103_from_899482.xlsm
- Resource: win7v200722
General
- Target: Inv_64103_from_899482.xlsm
- Size: 43KB
- MD5: 0ec3a0613d2fc39417eaccebaedfcdf0
- SHA1: 0195cdd1579f6be5f143e36c942075ae811c0595
- SHA256: 857b5c1209e2bec7dda0c80b92123f4ceb15f8c560f23551804e4bd09b94e901
- SHA512: 2f77e01859e5a54f7002b3ea13a17167589e4aa2b48b71a17d9d86f515af81b95acbbbfadcbd94818eb9a9ece47d2b7205dff8253329d9165ad9914b6f2af3f3
Malware Config
Extracted
- Family: dridex
- Botnet: 10444
- C2:
  - 79.137.29.86:443
  - 87.106.191.77:3889
  - 44.48.26.99:4664
  - 178.254.22.25:33443
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2220 | 3788 | regsvr32.exe | EXCEL.EXE
- Yara rule match: cryptone (dropped file)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\ujpmwzae._JN | cryptone
  \Users\Admin\AppData\Local\Temp\ujpmwzae._JN | cryptone
- Yara rule match: dridex_ldr (process memory)
  Processes:
  resource | yara_rule
  behavioral2/memory/3728-9-0x00000000046C0000-0x00000000046FD000-memory.dmp | dridex_ldr
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  3728 | regsvr32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. Note that all three reads here are attributed to EXCEL.EXE itself (pid 3788), not to the dropped loader; Office processes routinely query these keys on their own, so on its own this signature is weak evidence.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  pid | process
  3788 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes:
  pid | process
  3788 | EXCEL.EXE (16 occurrences)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | process | target process
  PID 3788 wrote to memory of 2220 | 3788 | EXCEL.EXE | regsvr32.exe
  PID 3788 wrote to memory of 2220 | 3788 | EXCEL.EXE | regsvr32.exe
  PID 2220 wrote to memory of 3728 | 2220 | regsvr32.exe | regsvr32.exe
  PID 2220 wrote to memory of 3728 | 2220 | regsvr32.exe | regsvr32.exe
  PID 2220 wrote to memory of 3728 | 2220 | regsvr32.exe | regsvr32.exe
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (pid 3788)
   command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Inv_64103_from_899482.xlsm"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\regsvr32.exe (pid 2220)
      command line: "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\ujpmwzae._JN
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe (pid 3728)
         command line: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\ujpmwzae._JN
         - Loads dropped DLL
The 64-bit regsvr32.exe in System32 re-launches its 32-bit counterpart in SysWOW64 when handed a 32-bit module, so the dropped file is actually loaded in pid 3728; that is also the process whose memory matched the dridex_ldr rule. The `-s` switch suppresses the success/failure dialog, and the module has a non-DLL extension (`._JN`) in the user's Temp directory, both typical of macro-dropped loaders.
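The two signals that matter in this tree (an Office process as the ancestor of a LOLBin, and regsvr32 silently registering a non-DLL file from a user-writable directory) can be checked mechanically over process-creation telemetry. The following is an added example, not part of the Triage report or its signature engine; the events are constructed in Sysmon Event ID 1 style from the tree above, with the parent of EXCEL.EXE (explorer.exe, pid 1000) and the benign installer control event (pid 4100) assumed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed process-creation events modelled on the report's process tree.
# explorer.exe as parent of EXCEL.EXE and the pid 4100 control event are assumptions.
EVENTS: List[dict] = [
    {"pid": 3788, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\Admin\AppData\Local\Temp\Inv_64103_from_899482.xlsm"'},
    {"pid": 2220, "ppid": 3788,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\ujpmwzae._JN'},
    {"pid": 3728, "ppid": 2220,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\ujpmwzae._JN"},
    # Benign control: an installer registering a real DLL under Program Files.
    {"pid": 4100, "ppid": 4000,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\Temp\setup.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\comp.dll"'},
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Living-off-the-land binaries commonly used to run a macro-dropped payload.
LOADER_IMAGES = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                 "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Directories a standard user can write to; a module registered from here is suspect.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Return the module path handed to regsvr32, skipping /s -s /u /n /i:... switches."""
    tokens = re.findall(r'"([^"]*)"|(\S+)', cmdline)   # quote-aware tokeniser
    args = [quoted or bare for quoted, bare in tokens][1:]  # drop argv[0]
    for arg in args:
        if arg[:1] in "/-":
            continue
        return arg
    return None


def office_ancestor(ev: dict, by_pid: Dict[int, dict], max_depth: int = 4) -> Optional[str]:
    """Walk up the tree; return the Office image name if one appears within max_depth hops.
    This catches the 64-bit -> 32-bit regsvr32 hop, where the Office process is the grandparent."""
    cur = ev
    for _ in range(max_depth):
        parent_name = basename(cur["parent_image"])
        if parent_name in OFFICE_IMAGES:
            return parent_name
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return None
    return None


def analyse(events: List[dict]) -> List[Finding]:
    by_pid = {ev["pid"]: ev for ev in events}
    findings: List[Finding] = []
    for ev in events:
        child = basename(ev["image"])
        if child in LOADER_IMAGES:
            anc = office_ancestor(ev, by_pid)
            if anc:
                findings.append(Finding(ev["pid"], "office_to_loader", f"{anc} is an ancestor of {child}"))
        if child == "regsvr32.exe":
            target = regsvr32_target(ev["cmdline"])
            if target:
                if not target.lower().endswith((".dll", ".ocx", ".ax")):
                    findings.append(Finding(ev["pid"], "regsvr32_nonstandard_extension", target))
                if USER_WRITABLE.search(target):
                    findings.append(Finding(ev["pid"], "regsvr32_user_writable_path", target))
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

Run against the constructed events, both regsvr32 instances (2220 and 3728) trip all three rules while the installer control trips none; the ancestry walk is what keeps the SysWOW64 child from slipping past a rule that only looks at the direct parent.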
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ujpmwzae._JN (also listed as \Users\Admin\AppData\Local\Temp\ujpmwzae._JN; same file)
  MD5: dcf2227479f4f2a37f4ffdfc7c4b1f0f
  SHA1: 77f7f1ffb9757dde690dd3466af59f171875a9f4
  SHA256: 6b34671b04872cfde098c319f20693021a43ddb8b00f989669778e745e5232a4
  SHA512: 3b290fa848381834136e2f58059def67b9c8a847ca5040ae659eaf517321333a4d4ff3dbc024273d9d8ff8e95211f93ab46d0f40a0ba4e3b75d60e2408dbef87
- memory/2220-5-0x0000000000000000-mapping.dmp
- memory/3728-7-0x0000000000000000-mapping.dmp
- memory/3728-9-0x00000000046C0000-0x00000000046FD000-memory.dmp (244KB)
- memory/3788-0-0x00007FF9D0EF0000-0x00007FF9D15B6000-memory.dmp (6.8MB)
- memory/3788-1-0x000002429E81A000-0x000002429E820000-memory.dmp (24KB)
- memory/3788-2-0x000002429E90D000-0x000002429E913000-memory.dmp (24KB)
- memory/3788-3-0x000002429E90D000-0x000002429E913000-memory.dmp (24KB)
- memory/3788-4-0x000002429E81A000-0x000002429E820000-memory.dmp (24KB)