Analysis

  • max time kernel
    66s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-01-2021 07:08

General

  • Target

    Fax 740.xls

  • Size

    886KB

  • MD5

    d7213d92bb25a6163ab3b79ba75f95a0

  • SHA1

    9e7d2f00b517a32d2f69ac0c41e48d09507abf5b

  • SHA256

    2f34e34033c25325694ee6e100e8b2c0deff78d0527acd72ebc598048ba74fe5

  • SHA512

    c57e459822b1463ed646824f74371ec518d09a710f41bc1022657794ec65a1eea2d404267543c076cd5e740d1e79238ddf43a3ed63463d7f7bf22e76de34d0a5

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • JavaScript code in executable 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Fax 740.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1400
  • C:\Windows\system32\wbem\wmic.exe
    wmic
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3752
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//6vvvy.dll InitHelperDll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3384
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//6vvvy.dll InitHelperDll
        3⤵
        • Loads dropped DLL
        PID:1200

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\40F27.Xsl
    MD5

    23b1812062536497ba39b4ad1619938f

    SHA1

    90a64893e96db8c1e52eaeadf255a7c3bb20b7c3

    SHA256

    2b6f7c8c785878922532dbfa3f23d9b1e195ff51057f56819f5ed6bd377e950d

    SHA512

    b389ad3ad9c4ed2f9c6c3cb20f8cfd5c9c5c50b35402a21d2526517800658abf7bc81beef772338486b532812eeeafe0e99d97acb90a3593201ad625b9628139

  • C:\Windows\Temp\6vvvy.dll
    MD5

    8122ecf7dd724778ca2fb1f06920e031

    SHA1

    a457b163f1cf408f382ba5da308ea81658b52564

    SHA256

    6a5d97efcba0d7346b54a7ca6a6e0276970a47462f1ae656b3439aa4216ce960

    SHA512

    6e7972b620c587367a6e705ab666ad91d433eb7fd4ffd061531fd70f321a82f6369e444927d0c0ce317e8f9d7998552cbe5f14db3cd32920cbb38037d25f177e

  • \Windows\Temp\6vvvy.dll
    MD5

    8122ecf7dd724778ca2fb1f06920e031

    SHA1

    a457b163f1cf408f382ba5da308ea81658b52564

    SHA256

    6a5d97efcba0d7346b54a7ca6a6e0276970a47462f1ae656b3439aa4216ce960

    SHA512

    6e7972b620c587367a6e705ab666ad91d433eb7fd4ffd061531fd70f321a82f6369e444927d0c0ce317e8f9d7998552cbe5f14db3cd32920cbb38037d25f177e

  • memory/1200-6-0x0000000000000000-mapping.dmp
  • memory/1200-8-0x00000000739B0000-0x00000000739CF000-memory.dmp
    Filesize

    124KB

  • memory/1400-2-0x00007FFB568F0000-0x00007FFB56F27000-memory.dmp
    Filesize

    6.2MB

  • memory/3384-4-0x0000000000000000-mapping.dmp