Overview

overview

10

Static

static

8

Notificati...23.xls

windows7_x64

10

Notificati...23.xls

windows10_x64

10

Analysis

  • max time kernel
    62s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-01-2021 07:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Notification_30123.xls

  • Size

    712KB

  • MD5

    b85ecc80652b17815971cc13eb057e54

  • SHA1

    dd8a1d3ecc7a27d39aaf60c438ef8374a3afe887

  • SHA256

    f3c837323c135a7d7ed9d03f856c81463abb80174211117f4bda193a55f1b78e

  • SHA512

    f87ccacc2f3792c33466ee49fc3a918f4589251abd5eb511778f0da8fc3bdfc373579c01d816cb19ff5b1aa0272d7291f2c1eb6498d065b2f8573231bf1c7003

Score
10/10
dridex111botnetloaderransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353
rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • JavaScript code in executable 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Notification_30123.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:988
  • C:\Windows\system32\wbem\WMic.exe
    WMic
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//lxxmk.dll InitHelperDll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//lxxmk.dll InitHelperDll
        3⤵
        • Loads dropped DLL
        PID:2388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\17D50.xsl
    MD5

    261cd0ce8697f1ab1ada11ef0e8e9b3f

    SHA1

    c8e73e5207dc3541ac323b7f10947aa03651042e

    SHA256

    35b909efd6d3a0bfeea22c25b878875ce7989d7ff2c38b88648d7106e0eff07a

    SHA512

    15366ac0cd13b699147dae6b6be420e75808ff76dbe8d4629b27bce85de92648b8d44936f131cbd501d1a5d64ae78f415a4c20085ebf11bbc0cb701b193b49ea

    Download Submit
  • C:\Windows\Temp\lxxmk.dll
    MD5

    9556d8b6b9acd7515662d7cb6396b69b

    SHA1

    115eea5c6dbf36099902766f77300cf5c7c01dd9

    SHA256

    5edc51f427dc16341bfc325f74a0665e127b4f87b85ac896831cd9a86736bb14

    SHA512

    c273225b6143cc5a380baeb6934d438716bcb7f79b199abff708bbb0fb36fcb1d51bdf7d8b34bc67e46f487e100c02748b120d0fe5cb8c80418540ca85458c96

    Download Submit
  • \Windows\Temp\lxxmk.dll
    MD5

    9556d8b6b9acd7515662d7cb6396b69b

    SHA1

    115eea5c6dbf36099902766f77300cf5c7c01dd9

    SHA256

    5edc51f427dc16341bfc325f74a0665e127b4f87b85ac896831cd9a86736bb14

    SHA512

    c273225b6143cc5a380baeb6934d438716bcb7f79b199abff708bbb0fb36fcb1d51bdf7d8b34bc67e46f487e100c02748b120d0fe5cb8c80418540ca85458c96

    Download Submit
  • memory/828-4-0x0000000000000000-mapping.dmp
    Download
  • memory/988-2-0x00007FF900DC0000-0x00007FF9013F7000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2388-6-0x0000000000000000-mapping.dmp
    Download
  • memory/2388-8-0x0000000073C60000-0x0000000073C7F000-memory.dmp
    Filesize

    124KB

    Download