Overview

overview

10

Static

static

8

Notificati...23.xls

windows7_x64

10

Notificati...23.xls

windows10_x64

10

Analysis

  • max time kernel
    116s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Notification_71823.xls

  • Size

    724KB

  • MD5

    d65ddb3ade34504d44e72ba9db953916

  • SHA1

    8bcccc3bce9568919160024dbc3144de359f2d5f

  • SHA256

    83386fb9fa084ea2de1f106d155a819b8090f95c28ed7a0f3c9756910bcedc5b

  • SHA512

    60d7a503c24c3b324c185f7010642e874271d759ff58fd0dcc7184683d6c1d3a2e322f19d26f04174ac14fe6a96f97f13fcfde16bd74ab72ed29d30ecb0d198d

Score
10/10
dridex111botnetloaderransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353
rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Blocklisted process makes network request 6 IoCs
  • Loads dropped DLL 4 IoCs
  • JavaScript code in executable 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Notification_71823.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:844
  • C:\Windows\system32\wbem\WMic.exe
    WMic
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//iub8i.dll InitHelperDll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//iub8i.dll InitHelperDll
        3⤵
        • Loads dropped DLL
        PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\27AB3.XsL
    MD5

    b8c3851e4878f935f84bc801ca898175

    SHA1

    e365adfa7081bd212b0a8824157761b68246d34a

    SHA256

    8dff64e9c4529d7c566fa4a707a6789c4a751d32cbb84cd1aadf9a7be163c701

    SHA512

    3e9b5420a07811320e8bcff80b3782f300f563edba5984dc026557f3355299d1aa321f2d56885d70afab116d9531503019dc03b280cf09d34fe1382771223393

    Download Submit
  • C:\Windows\Temp\iub8i.dll
    MD5

    9019cc939edb85725bd0cc760698c4bc

    SHA1

    b67b0831e644a04a24723bcd764b2398629fe664

    SHA256

    a9a4e7849e923cf7fd506230edb93fcbc22c5cceff5c85df133b32e2ef5bedb1

    SHA512

    a6fd3aa1ed6664e32232c55753b09524e0b3d4783eaa907b73631eed90ca3b58dafbe9097c2bbae85f865dedd0aa31e2bcf5143756257563f06a08328d570549

    Download Submit
  • \Windows\Temp\iub8i.dll
    MD5

    9019cc939edb85725bd0cc760698c4bc

    SHA1

    b67b0831e644a04a24723bcd764b2398629fe664

    SHA256

    a9a4e7849e923cf7fd506230edb93fcbc22c5cceff5c85df133b32e2ef5bedb1

    SHA512

    a6fd3aa1ed6664e32232c55753b09524e0b3d4783eaa907b73631eed90ca3b58dafbe9097c2bbae85f865dedd0aa31e2bcf5143756257563f06a08328d570549

    Download Submit
  • \Windows\Temp\iub8i.dll
    MD5

    9019cc939edb85725bd0cc760698c4bc

    SHA1

    b67b0831e644a04a24723bcd764b2398629fe664

    SHA256

    a9a4e7849e923cf7fd506230edb93fcbc22c5cceff5c85df133b32e2ef5bedb1

    SHA512

    a6fd3aa1ed6664e32232c55753b09524e0b3d4783eaa907b73631eed90ca3b58dafbe9097c2bbae85f865dedd0aa31e2bcf5143756257563f06a08328d570549

    Download Submit
  • \Windows\Temp\iub8i.dll
    MD5

    9019cc939edb85725bd0cc760698c4bc

    SHA1

    b67b0831e644a04a24723bcd764b2398629fe664

    SHA256

    a9a4e7849e923cf7fd506230edb93fcbc22c5cceff5c85df133b32e2ef5bedb1

    SHA512

    a6fd3aa1ed6664e32232c55753b09524e0b3d4783eaa907b73631eed90ca3b58dafbe9097c2bbae85f865dedd0aa31e2bcf5143756257563f06a08328d570549

    Download Submit
  • \Windows\Temp\iub8i.dll
    MD5

    9019cc939edb85725bd0cc760698c4bc

    SHA1

    b67b0831e644a04a24723bcd764b2398629fe664

    SHA256

    a9a4e7849e923cf7fd506230edb93fcbc22c5cceff5c85df133b32e2ef5bedb1

    SHA512

    a6fd3aa1ed6664e32232c55753b09524e0b3d4783eaa907b73631eed90ca3b58dafbe9097c2bbae85f865dedd0aa31e2bcf5143756257563f06a08328d570549

    Download Submit
  • memory/528-3-0x000007FEF6790000-0x000007FEF6A0A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1404-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1404-11-0x000000006BED0000-0x000000006BEEF000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1836-4-0x0000000000000000-mapping.dmp
    Download