dridex | 2f34e34033c25325694ee6e100e8b2c0deff78d0527acd72ebc598048ba74fe5

General

Target

Fax 740.xls
Size

886KB
MD5

d7213d92bb25a6163ab3b79ba75f95a0
SHA1

9e7d2f00b517a32d2f69ac0c41e48d09507abf5b
SHA256

2f34e34033c25325694ee6e100e8b2c0deff78d0527acd72ebc598048ba74fe5
SHA512

c57e459822b1463ed646824f74371ec518d09a710f41bc1022657794ec65a1eea2d404267543c076cd5e740d1e79238ddf43a3ed63463d7f7bf22e76de34d0a5

Score

10^/10

dridex 111 botnet loader ransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3752 3540 wmic.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	3540	wmic.exe

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/1200-8-0x00000000739B0000-0x00000000739CF000-memory.dmp	dridex_ldr

Blocklisted process makes network request 3 IoCs

Processes:

wmic.exe

flow pid process

26 3752 wmic.exe
28 3752 wmic.exe
30 3752 wmic.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1200 rundll32.exe

flow	pid	process
26	3752	wmic.exe
28	3752	wmic.exe
30	3752	wmic.exe

pid	process
1200	rundll32.exe

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
C:\Windows\Temp\6vvvy.dll	js
\Windows\Temp\6vvvy.dll	js

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wmic.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wmic.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wmic.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1400 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3752	wmic.exe
Token: SeSecurityPrivilege	3752	wmic.exe
Token: SeTakeOwnershipPrivilege	3752	wmic.exe
Token: SeLoadDriverPrivilege	3752	wmic.exe
Token: SeSystemProfilePrivilege	3752	wmic.exe
Token: SeSystemtimePrivilege	3752	wmic.exe
Token: SeProfSingleProcessPrivilege	3752	wmic.exe
Token: SeIncBasePriorityPrivilege	3752	wmic.exe
Token: SeCreatePagefilePrivilege	3752	wmic.exe
Token: SeBackupPrivilege	3752	wmic.exe
Token: SeRestorePrivilege	3752	wmic.exe
Token: SeShutdownPrivilege	3752	wmic.exe
Token: SeDebugPrivilege	3752	wmic.exe
Token: SeSystemEnvironmentPrivilege	3752	wmic.exe
Token: SeRemoteShutdownPrivilege	3752	wmic.exe
Token: SeUndockPrivilege	3752	wmic.exe
Token: SeManageVolumePrivilege	3752	wmic.exe
Token: 33	3752	wmic.exe
Token: 34	3752	wmic.exe
Token: 35	3752	wmic.exe
Token: 36	3752	wmic.exe
Token: SeIncreaseQuotaPrivilege	3752	wmic.exe
Token: SeSecurityPrivilege	3752	wmic.exe
Token: SeTakeOwnershipPrivilege	3752	wmic.exe
Token: SeLoadDriverPrivilege	3752	wmic.exe
Token: SeSystemProfilePrivilege	3752	wmic.exe
Token: SeSystemtimePrivilege	3752	wmic.exe
Token: SeProfSingleProcessPrivilege	3752	wmic.exe
Token: SeIncBasePriorityPrivilege	3752	wmic.exe
Token: SeCreatePagefilePrivilege	3752	wmic.exe
Token: SeBackupPrivilege	3752	wmic.exe
Token: SeRestorePrivilege	3752	wmic.exe
Token: SeShutdownPrivilege	3752	wmic.exe
Token: SeDebugPrivilege	3752	wmic.exe
Token: SeSystemEnvironmentPrivilege	3752	wmic.exe
Token: SeRemoteShutdownPrivilege	3752	wmic.exe
Token: SeUndockPrivilege	3752	wmic.exe
Token: SeManageVolumePrivilege	3752	wmic.exe
Token: 33	3752	wmic.exe
Token: 34	3752	wmic.exe
Token: 35	3752	wmic.exe
Token: 36	3752	wmic.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wmic.exerundll32.exe

description	pid	process	target process
PID 3752 wrote to memory of 3384	3752	wmic.exe	rundll32.exe
PID 3752 wrote to memory of 3384	3752	wmic.exe	rundll32.exe
PID 3384 wrote to memory of 1200	3384	rundll32.exe	rundll32.exe
PID 3384 wrote to memory of 1200	3384	rundll32.exe	rundll32.exe
PID 3384 wrote to memory of 1200	3384	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Fax 740.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\system32\wbem\wmic.exe
wmic
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//6vvvy.dll InitHelperDll
2⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//6vvvy.dll InitHelperDll
3⤵
- Loads dropped DLL
PID:1200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\40F27.Xsl
MD5
23b1812062536497ba39b4ad1619938f

SHA1
90a64893e96db8c1e52eaeadf255a7c3bb20b7c3

SHA256
2b6f7c8c785878922532dbfa3f23d9b1e195ff51057f56819f5ed6bd377e950d

SHA512
b389ad3ad9c4ed2f9c6c3cb20f8cfd5c9c5c50b35402a21d2526517800658abf7bc81beef772338486b532812eeeafe0e99d97acb90a3593201ad625b9628139

Download Submit
C:\Windows\Temp\6vvvy.dll
MD5
8122ecf7dd724778ca2fb1f06920e031

SHA1
a457b163f1cf408f382ba5da308ea81658b52564

SHA256
6a5d97efcba0d7346b54a7ca6a6e0276970a47462f1ae656b3439aa4216ce960

SHA512
6e7972b620c587367a6e705ab666ad91d433eb7fd4ffd061531fd70f321a82f6369e444927d0c0ce317e8f9d7998552cbe5f14db3cd32920cbb38037d25f177e

Download Submit
\Windows\Temp\6vvvy.dll
MD5
8122ecf7dd724778ca2fb1f06920e031

SHA1
a457b163f1cf408f382ba5da308ea81658b52564

SHA256
6a5d97efcba0d7346b54a7ca6a6e0276970a47462f1ae656b3439aa4216ce960

SHA512
6e7972b620c587367a6e705ab666ad91d433eb7fd4ffd061531fd70f321a82f6369e444927d0c0ce317e8f9d7998552cbe5f14db3cd32920cbb38037d25f177e

Download Submit
memory/1200-6-0x0000000000000000-mapping.dmp

Download
memory/1200-8-0x00000000739B0000-0x00000000739CF000-memory.dmp

Filesize
124KB

Download
memory/1400-2-0x00007FFB568F0000-0x00007FFB56F27000-memory.dmp

Filesize
6.2MB

Download
memory/3384-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads