dridex | 137bdd679664e951ea9c919cb447b64d6d24251c406350e78471c1d589f12706

General

Target

Report 290.xls
Size

730KB
MD5

59539fde938ac6da898bd587f1850c96
SHA1

2fb5d4ffe1a88cffe59463ac2e7e3996574b1556
SHA256

137bdd679664e951ea9c919cb447b64d6d24251c406350e78471c1d589f12706
SHA512

2ba1a2c5063a7bdab49c4c4f54d637658fe627b4150e0878cdae469811d3a289b6ac07aa7fd7eb02b27ebb64c4e2461712be6b116bba41fdba1e042d1bd2c3b9

Score

10^/10

dridex 111 botnet loader ransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wMIc.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2224 4080 wMIc.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4080	wMIc.exe

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/496-8-0x0000000073DD0000-0x0000000073DEF000-memory.dmp	dridex_ldr

Blocklisted process makes network request 3 IoCs

Processes:

wMIc.exe

flow pid process

32 2224 wMIc.exe
34 2224 wMIc.exe
36 2224 wMIc.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

496 rundll32.exe

flow	pid	process
32	2224	wMIc.exe
34	2224	wMIc.exe
36	2224	wMIc.exe

pid	process
496	rundll32.exe

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
C:\Windows\Temp\100se.dll	js
\Windows\Temp\100se.dll	js

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wMIc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wMIc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wMIc.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2432 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wMIc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2224	wMIc.exe
Token: SeSecurityPrivilege	2224	wMIc.exe
Token: SeTakeOwnershipPrivilege	2224	wMIc.exe
Token: SeLoadDriverPrivilege	2224	wMIc.exe
Token: SeSystemProfilePrivilege	2224	wMIc.exe
Token: SeSystemtimePrivilege	2224	wMIc.exe
Token: SeProfSingleProcessPrivilege	2224	wMIc.exe
Token: SeIncBasePriorityPrivilege	2224	wMIc.exe
Token: SeCreatePagefilePrivilege	2224	wMIc.exe
Token: SeBackupPrivilege	2224	wMIc.exe
Token: SeRestorePrivilege	2224	wMIc.exe
Token: SeShutdownPrivilege	2224	wMIc.exe
Token: SeDebugPrivilege	2224	wMIc.exe
Token: SeSystemEnvironmentPrivilege	2224	wMIc.exe
Token: SeRemoteShutdownPrivilege	2224	wMIc.exe
Token: SeUndockPrivilege	2224	wMIc.exe
Token: SeManageVolumePrivilege	2224	wMIc.exe
Token: 33	2224	wMIc.exe
Token: 34	2224	wMIc.exe
Token: 35	2224	wMIc.exe
Token: 36	2224	wMIc.exe
Token: SeIncreaseQuotaPrivilege	2224	wMIc.exe
Token: SeSecurityPrivilege	2224	wMIc.exe
Token: SeTakeOwnershipPrivilege	2224	wMIc.exe
Token: SeLoadDriverPrivilege	2224	wMIc.exe
Token: SeSystemProfilePrivilege	2224	wMIc.exe
Token: SeSystemtimePrivilege	2224	wMIc.exe
Token: SeProfSingleProcessPrivilege	2224	wMIc.exe
Token: SeIncBasePriorityPrivilege	2224	wMIc.exe
Token: SeCreatePagefilePrivilege	2224	wMIc.exe
Token: SeBackupPrivilege	2224	wMIc.exe
Token: SeRestorePrivilege	2224	wMIc.exe
Token: SeShutdownPrivilege	2224	wMIc.exe
Token: SeDebugPrivilege	2224	wMIc.exe
Token: SeSystemEnvironmentPrivilege	2224	wMIc.exe
Token: SeRemoteShutdownPrivilege	2224	wMIc.exe
Token: SeUndockPrivilege	2224	wMIc.exe
Token: SeManageVolumePrivilege	2224	wMIc.exe
Token: 33	2224	wMIc.exe
Token: 34	2224	wMIc.exe
Token: 35	2224	wMIc.exe
Token: 36	2224	wMIc.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2432	EXCEL.EXE
2432	EXCEL.EXE
2432	EXCEL.EXE
2432	EXCEL.EXE
2432	EXCEL.EXE
2432	EXCEL.EXE
2432	EXCEL.EXE
2432	EXCEL.EXE
2432	EXCEL.EXE
2432	EXCEL.EXE
2432	EXCEL.EXE
2432	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wMIc.exerundll32.exe

description	pid	process	target process
PID 2224 wrote to memory of 3560	2224	wMIc.exe	rundll32.exe
PID 2224 wrote to memory of 3560	2224	wMIc.exe	rundll32.exe
PID 3560 wrote to memory of 496	3560	rundll32.exe	rundll32.exe
PID 3560 wrote to memory of 496	3560	rundll32.exe	rundll32.exe
PID 3560 wrote to memory of 496	3560	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Report 290.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\system32\wbem\wMIc.exe
wMIc
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//100se.dll InitHelperDll
2⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//100se.dll InitHelperDll
3⤵
- Loads dropped DLL
PID:496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\14BD2.xSL
MD5
4896536b767ba4574e2a9621652fb457

SHA1
a6fc2118a9cabd80e90fcb3c802b8ce21b8ac274

SHA256
45966761b08e8d946b9ec207bfe44be1ed9c6e947ac534f49b9595d5e5d5b824

SHA512
cb4759d30824cf20170d42f9ef2ea9c313f7b2cbfc07ce8e54a91c7451396a7c3a5b644a21174d9a13e20c9b36b693b4dfa7bcb3b95c90217ecb312837202564

Download Submit
C:\Windows\Temp\100se.dll
MD5
91f40f266cab7ab3810ef15193a5994e

SHA1
96e9d19f1000b1d9616de2f2611fa3a02f96444e

SHA256
99f8643948a2f4830ed06053bdeca1cc394d516e64b73cdbab442b2f5c4d07f2

SHA512
a0b8b8c61192d18358136f4ef529c7d6f05217f9831831b6c2557b1df128703d5d5b5124a1ea9b55d50ed34b02bc9b321f0271a2984eccdba347a9467a81cac3

Download Submit
\Windows\Temp\100se.dll
MD5
91f40f266cab7ab3810ef15193a5994e

SHA1
96e9d19f1000b1d9616de2f2611fa3a02f96444e

SHA256
99f8643948a2f4830ed06053bdeca1cc394d516e64b73cdbab442b2f5c4d07f2

SHA512
a0b8b8c61192d18358136f4ef529c7d6f05217f9831831b6c2557b1df128703d5d5b5124a1ea9b55d50ed34b02bc9b321f0271a2984eccdba347a9467a81cac3

Download Submit
memory/496-6-0x0000000000000000-mapping.dmp

Download
memory/496-8-0x0000000073DD0000-0x0000000073DEF000-memory.dmp

Filesize
124KB

Download
memory/2432-2-0x00007FFD88A90000-0x00007FFD890C7000-memory.dmp

Filesize
6.2MB

Download
memory/3560-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads