Analysis
-
max time kernel
129s -
max time network
132s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
23-11-2020 13:18
General
-
Target
Inv_26726_06464.xlsm
-
Size
54KB
-
MD5
b403bcb2e1902f9851753976c5e6c3a7
-
SHA1
845932e0c3c0b743f5fb5eb56d3e056706ab91d6
-
SHA256
7ce03706ca499ae052de8bdaf9181f4f059cae19fd22fd52a902e2fcdb27f32e
-
SHA512
30367dc639491a990ea5c7e9ec2adbbb19f305fe6157c35a0b4a0f974cb8151fabdf3ff3f1a99603f73191fbe4676cf9f29e132558aac881a776ba3d796a7436
Malware Config
Extracted
smokeloader
2020
http://penodux.com/xsmkld/index.php
http://tommusikirtyur.com/xsmkld/index.php
http://ploaernysannyer.com/xsmkld/index.php
http://dersmasfannyer.com/xsmkld/index.php
http://derdsgdannyer.com/xsmkld/index.php
Extracted
dridex
10444
175.126.167.148:443
173.249.20.233:8043
162.241.204.233:4443
138.122.143.40:8043
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
CryptOne packer 2 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Dridex Loader 2 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Inv_26726_06464.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\sledPro\nqxzcqsl.exe"C:\Users\Admin\sledPro\nqxzcqsl.exe" 02⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\410C.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\410C.dll2⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\48CE.exeC:\Users\Admin\AppData\Local\Temp\48CE.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
52KB
-
Filesize
116KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
6.2MB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
44KB
-
Filesize
40KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
88KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
428KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
428KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
428KB
-
Filesize
468KB
-
Filesize
244KB
-
Filesize
36KB
-
Filesize
56KB
-
Filesize
44KB
-
Filesize
24KB