Analysis

  • max time kernel
    140s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 19:04

General

  • Target

    Notification_71823.xls

  • Size

    724KB

  • MD5

    d65ddb3ade34504d44e72ba9db953916

  • SHA1

    8bcccc3bce9568919160024dbc3144de359f2d5f

  • SHA256

    83386fb9fa084ea2de1f106d155a819b8090f95c28ed7a0f3c9756910bcedc5b

  • SHA512

    60d7a503c24c3b324c185f7010642e874271d759ff58fd0dcc7184683d6c1d3a2e322f19d26f04174ac14fe6a96f97f13fcfde16bd74ab72ed29d30ecb0d198d

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Blocklisted process makes network request 5 IoCs
  • Loads dropped DLL 4 IoCs
  • JavaScript code in executable 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Notification_71823.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1936
  • C:\Windows\system32\wbem\WMic.exe
    WMic
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//lat5u.dll InitHelperDll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//lat5u.dll InitHelperDll
        3⤵
        • Loads dropped DLL
        PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\27AB3.XsL
    MD5

    b8c3851e4878f935f84bc801ca898175

    SHA1

    e365adfa7081bd212b0a8824157761b68246d34a

    SHA256

    8dff64e9c4529d7c566fa4a707a6789c4a751d32cbb84cd1aadf9a7be163c701

    SHA512

    3e9b5420a07811320e8bcff80b3782f300f563edba5984dc026557f3355299d1aa321f2d56885d70afab116d9531503019dc03b280cf09d34fe1382771223393

  • C:\Windows\Temp\lat5u.dll
    MD5

    1b93f0a1652b6aef2b5d97d3cf99867c

    SHA1

    fd17c439098ae668f15a9d6db94f18d854b9603d

    SHA256

    d39107fd4c34dd032cf92143f9985069d8e2bb40890d2f194175512a54ee45e7

    SHA512

    dbfe2693221c67e43e7b323084086c3333f7c0be4d1d82180d6b2ee23a6acc77cee38daa2e46e5580b7f0ab867f450dfac4a1497217589095e4bd1200b0803f0

  • \Windows\Temp\lat5u.dll
    MD5

    1b93f0a1652b6aef2b5d97d3cf99867c

    SHA1

    fd17c439098ae668f15a9d6db94f18d854b9603d

    SHA256

    d39107fd4c34dd032cf92143f9985069d8e2bb40890d2f194175512a54ee45e7

    SHA512

    dbfe2693221c67e43e7b323084086c3333f7c0be4d1d82180d6b2ee23a6acc77cee38daa2e46e5580b7f0ab867f450dfac4a1497217589095e4bd1200b0803f0

  • \Windows\Temp\lat5u.dll
    MD5

    1b93f0a1652b6aef2b5d97d3cf99867c

    SHA1

    fd17c439098ae668f15a9d6db94f18d854b9603d

    SHA256

    d39107fd4c34dd032cf92143f9985069d8e2bb40890d2f194175512a54ee45e7

    SHA512

    dbfe2693221c67e43e7b323084086c3333f7c0be4d1d82180d6b2ee23a6acc77cee38daa2e46e5580b7f0ab867f450dfac4a1497217589095e4bd1200b0803f0

  • \Windows\Temp\lat5u.dll
    MD5

    1b93f0a1652b6aef2b5d97d3cf99867c

    SHA1

    fd17c439098ae668f15a9d6db94f18d854b9603d

    SHA256

    d39107fd4c34dd032cf92143f9985069d8e2bb40890d2f194175512a54ee45e7

    SHA512

    dbfe2693221c67e43e7b323084086c3333f7c0be4d1d82180d6b2ee23a6acc77cee38daa2e46e5580b7f0ab867f450dfac4a1497217589095e4bd1200b0803f0

  • \Windows\Temp\lat5u.dll
    MD5

    1b93f0a1652b6aef2b5d97d3cf99867c

    SHA1

    fd17c439098ae668f15a9d6db94f18d854b9603d

    SHA256

    d39107fd4c34dd032cf92143f9985069d8e2bb40890d2f194175512a54ee45e7

    SHA512

    dbfe2693221c67e43e7b323084086c3333f7c0be4d1d82180d6b2ee23a6acc77cee38daa2e46e5580b7f0ab867f450dfac4a1497217589095e4bd1200b0803f0

  • memory/1084-6-0x0000000000000000-mapping.dmp
  • memory/1084-11-0x000000006B300000-0x000000006B31F000-memory.dmp
    Filesize

    124KB

  • memory/1108-4-0x0000000000000000-mapping.dmp
  • memory/1480-3-0x000007FEF5BC0000-0x000007FEF5E3A000-memory.dmp
    Filesize

    2.5MB

  • memory/1936-12-0x0000000000510000-0x0000000000511000-memory.dmp
    Filesize

    4KB