Analysis
-
max time kernel
53s -
max time network
134s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
14-01-2021 07:07
General
-
Target
Confidential_123.xls
-
Size
718KB
-
MD5
fcd41b38e1a97fa769c5a9383b3652da
-
SHA1
bf5e3db26379cbc9dab2256d87a84c78f222e56e
-
SHA256
b4fa49afb10b8ceb2cbf7c422be2c024be8f298988da16d436df0a136ece5bf3
-
SHA512
dd2304b7c79dc2b6f631dd004c45cb19be66a51f5124b3a1441ff3fb173497421b52777bbeb7fa240edc722bece2a364252c0ca14e535ff4ce6ffc213442eb56
Malware Config
Extracted
dridex
111
52.73.70.149:443
8.4.9.152:3786
185.246.87.202:3098
50.116.111.64:5353
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Blocklisted process makes network request 3 IoCs
-
Loads dropped DLL 1 IoCs
-
JavaScript code in executable 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Confidential_123.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wbem\wmIC.exewmIC1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//gpzkm.dll InitHelperDll2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//gpzkm.dll InitHelperDll3⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\4E26.XslMD5
a0ddf92efc3149ec6be5ae0e1c7d4697
SHA17c0835df13babacba8a70289b2ae457cb6999745
SHA2561f2166903f1fdaf7cc09ae166d956d4eaf09ec9e887ee6bfc629f9eaa629f9b7
SHA512c6f32e0d46891d559feac44b2a6d7d1689ca1be959c88aca457dceab79c3f435e28bebe32bfa26164bbb410ea184cd47122610ccb227b5e515bfb4c099f554e5
-
C:\Windows\Temp\gpzkm.dllMD5
d423ad4a4df8daffa82552595924eb87
SHA1c45c0b9874cafe83e2c695d1c94dee75d51bf998
SHA2566685975af81b4c3627a5eb7026e854ecc1710a8786490eae338833f6f2090fd7
SHA512d1a5d4cfd423dfedc38fe396b1f9a5de2ddba19cb3fec3318cc8281097aebcd5e1b53899c24cf19e1e573d7cd7794f0deebd934757f2a1f07cd3381f26b94ffe
-
\Windows\Temp\gpzkm.dllMD5
d423ad4a4df8daffa82552595924eb87
SHA1c45c0b9874cafe83e2c695d1c94dee75d51bf998
SHA2566685975af81b4c3627a5eb7026e854ecc1710a8786490eae338833f6f2090fd7
SHA512d1a5d4cfd423dfedc38fe396b1f9a5de2ddba19cb3fec3318cc8281097aebcd5e1b53899c24cf19e1e573d7cd7794f0deebd934757f2a1f07cd3381f26b94ffe
-
memory/3056-4-0x0000000000000000-mapping.dmp
-
memory/3756-6-0x0000000000000000-mapping.dmp
-
memory/3756-8-0x0000000073E80000-0x0000000073E9F000-memory.dmpFilesize
124KB
-
memory/3888-2-0x00007FFF6D2A0000-0x00007FFF6D8D7000-memory.dmpFilesize
6.2MB