Overview

overview

10

Static

static

8

Documentation 644.xls

windows7_x64

10

Documentation 644.xls

windows10_x64

10

Analysis

  • max time kernel
    55s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-01-2021 07:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documentation 644.xls

  • Size

    778KB

  • MD5

    955ddd57164c95530bbff3d5481c0cde

  • SHA1

    38449ef5a84f657d39228df55586fa13cab8d9f1

  • SHA256

    e9e0a2d27876dc9e0fb5e4a9675a23be3f1a8651f72d5774db0e34c0418fcbf8

  • SHA512

    3f502ef2bf16519e0992129a0070efcee4905d88f60b75f1389e39e9549192631ed796f27918b797b0de917e46f3d8c7690201ad0df049e24251844dd0007e38

Score
10/10
dridex111botnetloaderransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353
rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • JavaScript code in executable 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documentation 644.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:756
  • C:\Windows\system32\wbem\wMIc.exe
    wMIc
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//4j22g.dll InitHelperDll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//4j22g.dll InitHelperDll
        3⤵
        • Loads dropped DLL
        PID:3104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\2E7EF.xsl
    MD5

    bf8eb8c05f7fef58d868e7b066936a12

    SHA1

    ed97a033371ea71e271506ea015316efa652c6d9

    SHA256

    2219065f014fa13dfc5681b5f675ccd3abef2f515a5abb2d0217d2e8c766270a

    SHA512

    b76d583cfe8718f8933b845fe44521a06e36d63a26094b0f6dc3b42221505f21411682360ce20113bf0904f463eef82424e0913e5930c703069c45a62dd02fb3

    Download Submit
  • C:\Windows\Temp\4j22g.dll
    MD5

    d47ab880746796f31f9130b551ba5f63

    SHA1

    7b792f55a895ebe6c67917780f2a50df55ba1e82

    SHA256

    dd8dbc7a333d89c7c6e24affa9c1d356a47d57f3711a43cc2d87fd6a728f429f

    SHA512

    581cf0b80de0ac276821540b2126d33ee871946f9057ee3bd1b9172e97227b090b2f01ffd4551407d388225712fd63526df5af5d290bf71213963c15804191f7

    Download Submit
  • \Windows\Temp\4j22g.dll
    MD5

    d47ab880746796f31f9130b551ba5f63

    SHA1

    7b792f55a895ebe6c67917780f2a50df55ba1e82

    SHA256

    dd8dbc7a333d89c7c6e24affa9c1d356a47d57f3711a43cc2d87fd6a728f429f

    SHA512

    581cf0b80de0ac276821540b2126d33ee871946f9057ee3bd1b9172e97227b090b2f01ffd4551407d388225712fd63526df5af5d290bf71213963c15804191f7

    Download Submit
  • memory/756-2-0x00007FFFCF370000-0x00007FFFCF9A7000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2576-4-0x0000000000000000-mapping.dmp
    Download
  • memory/3104-6-0x0000000000000000-mapping.dmp
    Download
  • memory/3104-8-0x0000000073E00000-0x0000000073E1F000-memory.dmp
    Filesize

    124KB

    Download