General

  • Target

    Inv 4529.xls

  • Size

    793KB

  • Sample

    210114-tvgx7zpg8s

  • MD5

    8db799f159631efb77a2d8c7c0099399

  • SHA1

    8f202b18d37b68a26d53a64cc6c4b7b127c6c94b

  • SHA256

    4d13b0dda7b538ae90a79ac5bbb872f3aba6fd798c2900c4580bc59ae8623b1f

  • SHA512

    78506c8a91f09a98f015462b3a88ee1c08552bb2a396a1103106a4b71438633a52a6315c50700c229e5775fb9b87f3201ccda9a9b7a4d67e906a5c6bc7ff3bcc

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain
rc4.plain

Targets

    • Target

      Inv 4529.xls


    • Dridex

      Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Dridex Loader

      Detects the Dridex x86 and x64 loaders in memory.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • JavaScript code in executable

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 2
    Install Root Certificate (T1130): 1

  • Discovery

    System Information Discovery (T1082): 3
    Query Registry (T1012): 2
