dridex | 7bebb1f39af44412c5a7d8263d4fdae5ec1f234ad2f96e6f07add6daa3ce9b0a

General

Target

Copy_#_824.xls
Size

707KB
MD5

36e8e3ce267eed9890d07b45b339a71b
SHA1

47e662c6d5041836ba207ad2e6ed22a99ca1a4da
SHA256

7bebb1f39af44412c5a7d8263d4fdae5ec1f234ad2f96e6f07add6daa3ce9b0a
SHA512

af22f3d08e86f3b97f0169f3ceeed46dd0cfb027d761c9b9b6589e2b8b2990a63d1ac3a40d1dcb0b0d4b2f7a2df16e898e66d158b00e567d37699f572fc6d9f3

Score

10^/10

dridex 111 botnet loader ransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

WmIC.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1592 3664 WmIC.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3664	WmIC.exe

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/2224-8-0x0000000073D80000-0x0000000073D9F000-memory.dmp	dridex_ldr

Blocklisted process makes network request 2 IoCs

Processes:

WmIC.exe

flow pid process

30 1592 WmIC.exe
32 1592 WmIC.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2224 rundll32.exe

flow	pid	process
30	1592	WmIC.exe
32	1592	WmIC.exe

pid	process
2224	rundll32.exe

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
C:\Windows\Temp\ph59q.dll	js
\Windows\Temp\ph59q.dll	js

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3992 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

WmIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1592	WmIC.exe
Token: SeSecurityPrivilege	1592	WmIC.exe
Token: SeTakeOwnershipPrivilege	1592	WmIC.exe
Token: SeLoadDriverPrivilege	1592	WmIC.exe
Token: SeSystemProfilePrivilege	1592	WmIC.exe
Token: SeSystemtimePrivilege	1592	WmIC.exe
Token: SeProfSingleProcessPrivilege	1592	WmIC.exe
Token: SeIncBasePriorityPrivilege	1592	WmIC.exe
Token: SeCreatePagefilePrivilege	1592	WmIC.exe
Token: SeBackupPrivilege	1592	WmIC.exe
Token: SeRestorePrivilege	1592	WmIC.exe
Token: SeShutdownPrivilege	1592	WmIC.exe
Token: SeDebugPrivilege	1592	WmIC.exe
Token: SeSystemEnvironmentPrivilege	1592	WmIC.exe
Token: SeRemoteShutdownPrivilege	1592	WmIC.exe
Token: SeUndockPrivilege	1592	WmIC.exe
Token: SeManageVolumePrivilege	1592	WmIC.exe
Token: 33	1592	WmIC.exe
Token: 34	1592	WmIC.exe
Token: 35	1592	WmIC.exe
Token: 36	1592	WmIC.exe
Token: SeIncreaseQuotaPrivilege	1592	WmIC.exe
Token: SeSecurityPrivilege	1592	WmIC.exe
Token: SeTakeOwnershipPrivilege	1592	WmIC.exe
Token: SeLoadDriverPrivilege	1592	WmIC.exe
Token: SeSystemProfilePrivilege	1592	WmIC.exe
Token: SeSystemtimePrivilege	1592	WmIC.exe
Token: SeProfSingleProcessPrivilege	1592	WmIC.exe
Token: SeIncBasePriorityPrivilege	1592	WmIC.exe
Token: SeCreatePagefilePrivilege	1592	WmIC.exe
Token: SeBackupPrivilege	1592	WmIC.exe
Token: SeRestorePrivilege	1592	WmIC.exe
Token: SeShutdownPrivilege	1592	WmIC.exe
Token: SeDebugPrivilege	1592	WmIC.exe
Token: SeSystemEnvironmentPrivilege	1592	WmIC.exe
Token: SeRemoteShutdownPrivilege	1592	WmIC.exe
Token: SeUndockPrivilege	1592	WmIC.exe
Token: SeManageVolumePrivilege	1592	WmIC.exe
Token: 33	1592	WmIC.exe
Token: 34	1592	WmIC.exe
Token: 35	1592	WmIC.exe
Token: 36	1592	WmIC.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3992	EXCEL.EXE
3992	EXCEL.EXE
3992	EXCEL.EXE
3992	EXCEL.EXE
3992	EXCEL.EXE
3992	EXCEL.EXE
3992	EXCEL.EXE
3992	EXCEL.EXE
3992	EXCEL.EXE
3992	EXCEL.EXE
3992	EXCEL.EXE
3992	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WmIC.exerundll32.exe

description	pid	process	target process
PID 1592 wrote to memory of 388	1592	WmIC.exe	rundll32.exe
PID 1592 wrote to memory of 388	1592	WmIC.exe	rundll32.exe
PID 388 wrote to memory of 2224	388	rundll32.exe	rundll32.exe
PID 388 wrote to memory of 2224	388	rundll32.exe	rundll32.exe
PID 388 wrote to memory of 2224	388	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Copy_#_824.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\system32\wbem\WmIC.exe
WmIC
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//ph59q.dll InitHelperDll
2⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//ph59q.dll InitHelperDll
3⤵
- Loads dropped DLL
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2D81.xSl
MD5
f9de1a05ac94042f70aed27cfe853451

SHA1
f0652c536c3276f2fb4ef7da59a1ec7f62e13bde

SHA256
749f74aa13cd0e285c6cb61c0ba2d8c42b320ece826beeb212560786e2e900cb

SHA512
09a6f7c418016c7753a0722808a15252b585c404a828046fdc126c631848127fec9ada5a8476052686756689b4f1697aeeca259e59a779646a9230aad942877f

Download Submit
C:\Windows\Temp\ph59q.dll
MD5
0cb706bfbca22c37c8eb80b0c7712b84

SHA1
3d8dd8d271096b9f198bf08188503de6ab6c9f36

SHA256
dd23694567254ac813d4532e8614cd1492470f2cf3d2db0e0499c4b5d61e7251

SHA512
c805072f25cda2da2d01c4c89271ac60dde1097131e8e9f7d5371b220a3b4ec47cbf8549192986aad4bbc7a6bc8d5940376738cadaff369168ebe07ca3f24d57

Download Submit
\Windows\Temp\ph59q.dll
MD5
0cb706bfbca22c37c8eb80b0c7712b84

SHA1
3d8dd8d271096b9f198bf08188503de6ab6c9f36

SHA256
dd23694567254ac813d4532e8614cd1492470f2cf3d2db0e0499c4b5d61e7251

SHA512
c805072f25cda2da2d01c4c89271ac60dde1097131e8e9f7d5371b220a3b4ec47cbf8549192986aad4bbc7a6bc8d5940376738cadaff369168ebe07ca3f24d57

Download Submit
memory/388-4-0x0000000000000000-mapping.dmp

Download
memory/2224-6-0x0000000000000000-mapping.dmp

Download
memory/2224-8-0x0000000073D80000-0x0000000073D9F000-memory.dmp

Filesize
124KB

Download
memory/3992-2-0x00007FFC338E0000-0x00007FFC33F17000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads