dridex | 59d0ba2bce05366ad852a51dd0e9387ae38ea0493f9ad8368e47a55903117018

General

Target

Reports 78497.xls
Size

875KB
MD5

e452debc1653b43f09dcd98d1f05ba14
SHA1

d68fb05919682ac456701041a955a42d6198b3ef
SHA256

59d0ba2bce05366ad852a51dd0e9387ae38ea0493f9ad8368e47a55903117018
SHA512

a89b049ce90147915cf09bdf36a506afa19f8c440f50a1db0cd1c7437bf522ca977559b4d9ab0a637534b5b5d0fb911e0e5d9104d5b46a91f5a502cfbf6d7413

Score

10^/10

dridex 111 botnet loader ransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2192 3328 wmic.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	3328	wmic.exe

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/3120-8-0x0000000073980000-0x000000007399F000-memory.dmp	dridex_ldr

Blocklisted process makes network request 2 IoCs

Processes:

wmic.exe

flow pid process

27 2192 wmic.exe
29 2192 wmic.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3120 rundll32.exe

flow	pid	process
27	2192	wmic.exe
29	2192	wmic.exe

pid	process
3120	rundll32.exe

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
C:\Windows\Temp\he09m.dll	js
\Windows\Temp\he09m.dll	js

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

508 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2192	wmic.exe
Token: SeSecurityPrivilege	2192	wmic.exe
Token: SeTakeOwnershipPrivilege	2192	wmic.exe
Token: SeLoadDriverPrivilege	2192	wmic.exe
Token: SeSystemProfilePrivilege	2192	wmic.exe
Token: SeSystemtimePrivilege	2192	wmic.exe
Token: SeProfSingleProcessPrivilege	2192	wmic.exe
Token: SeIncBasePriorityPrivilege	2192	wmic.exe
Token: SeCreatePagefilePrivilege	2192	wmic.exe
Token: SeBackupPrivilege	2192	wmic.exe
Token: SeRestorePrivilege	2192	wmic.exe
Token: SeShutdownPrivilege	2192	wmic.exe
Token: SeDebugPrivilege	2192	wmic.exe
Token: SeSystemEnvironmentPrivilege	2192	wmic.exe
Token: SeRemoteShutdownPrivilege	2192	wmic.exe
Token: SeUndockPrivilege	2192	wmic.exe
Token: SeManageVolumePrivilege	2192	wmic.exe
Token: 33	2192	wmic.exe
Token: 34	2192	wmic.exe
Token: 35	2192	wmic.exe
Token: 36	2192	wmic.exe
Token: SeIncreaseQuotaPrivilege	2192	wmic.exe
Token: SeSecurityPrivilege	2192	wmic.exe
Token: SeTakeOwnershipPrivilege	2192	wmic.exe
Token: SeLoadDriverPrivilege	2192	wmic.exe
Token: SeSystemProfilePrivilege	2192	wmic.exe
Token: SeSystemtimePrivilege	2192	wmic.exe
Token: SeProfSingleProcessPrivilege	2192	wmic.exe
Token: SeIncBasePriorityPrivilege	2192	wmic.exe
Token: SeCreatePagefilePrivilege	2192	wmic.exe
Token: SeBackupPrivilege	2192	wmic.exe
Token: SeRestorePrivilege	2192	wmic.exe
Token: SeShutdownPrivilege	2192	wmic.exe
Token: SeDebugPrivilege	2192	wmic.exe
Token: SeSystemEnvironmentPrivilege	2192	wmic.exe
Token: SeRemoteShutdownPrivilege	2192	wmic.exe
Token: SeUndockPrivilege	2192	wmic.exe
Token: SeManageVolumePrivilege	2192	wmic.exe
Token: 33	2192	wmic.exe
Token: 34	2192	wmic.exe
Token: 35	2192	wmic.exe
Token: 36	2192	wmic.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wmic.exerundll32.exe

description	pid	process	target process
PID 2192 wrote to memory of 1560	2192	wmic.exe	rundll32.exe
PID 2192 wrote to memory of 1560	2192	wmic.exe	rundll32.exe
PID 1560 wrote to memory of 3120	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 3120	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 3120	1560	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reports 78497.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:508

C:\Windows\system32\wbem\wmic.exe
wmic
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//he09m.dll InitHelperDll
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//he09m.dll InitHelperDll
3⤵
- Loads dropped DLL
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B638.xsL
MD5
700d9ef5283e8dca4a53b60e5674941e

SHA1
e6bd6c2d88c640b8983a1cb2f4007c67d205801c

SHA256
c893bb57aeb12a781bcb21a5c6c574e53786a0173f1bf45d7ef57860a8956a48

SHA512
fe3496c0e5ce6bd84838a6a87ead6e9a8c331ea3bc39c3993a7e6e7c9ae6aabeec3ca1fd3bef87b0f1232658b367820f856593f901d52772dc6e16240a7a7754

Download Submit
C:\Windows\Temp\he09m.dll
MD5
dd7f7a7ce66d36bb2b214e51e7426b9e

SHA1
a669b7ebe3bf03152fc4284e2b09acee0828051d

SHA256
342bae2521a4409d329f86be3d543f928db597b98b84010f2b0e32c23145d634

SHA512
ca3cebba72f0ac7a99c8315e08c5cd7bbd441af71286eb2b40aedb32758981bd14381a3f647f064cbb154e3f1e5c6cf2e4d8b253a99b1eb13939cc435c19ee16

Download Submit
\Windows\Temp\he09m.dll
MD5
dd7f7a7ce66d36bb2b214e51e7426b9e

SHA1
a669b7ebe3bf03152fc4284e2b09acee0828051d

SHA256
342bae2521a4409d329f86be3d543f928db597b98b84010f2b0e32c23145d634

SHA512
ca3cebba72f0ac7a99c8315e08c5cd7bbd441af71286eb2b40aedb32758981bd14381a3f647f064cbb154e3f1e5c6cf2e4d8b253a99b1eb13939cc435c19ee16

Download Submit
memory/508-2-0x00007FF9A7230000-0x00007FF9A7867000-memory.dmp

Filesize
6.2MB

Download
memory/1560-4-0x0000000000000000-mapping.dmp

Download
memory/3120-6-0x0000000000000000-mapping.dmp

Download
memory/3120-8-0x0000000073980000-0x000000007399F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads