dridex | 4d13b0dda7b538ae90a79ac5bbb872f3aba6fd798c2900c4580bc59ae8623b1f

General

Target

Inv 4529.xls
Size

793KB
MD5

8db799f159631efb77a2d8c7c0099399
SHA1

8f202b18d37b68a26d53a64cc6c4b7b127c6c94b
SHA256

4d13b0dda7b538ae90a79ac5bbb872f3aba6fd798c2900c4580bc59ae8623b1f
SHA512

78506c8a91f09a98f015462b3a88ee1c08552bb2a396a1103106a4b71438633a52a6315c50700c229e5775fb9b87f3201ccda9a9b7a4d67e906a5c6bc7ff3bcc

Score

10^/10

dridex 111 botnet loader ransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

WmiC.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3212 4304 WmiC.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4304	WmiC.exe

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/4504-8-0x0000000073990000-0x00000000739AF000-memory.dmp	dridex_ldr

Blocklisted process makes network request 2 IoCs

Processes:

WmiC.exe

flow pid process

26 3212 WmiC.exe
29 3212 WmiC.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4504 rundll32.exe

flow	pid	process
26	3212	WmiC.exe
29	3212	WmiC.exe

pid	process
4504	rundll32.exe

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
C:\Windows\Temp\t0nue.dll	js
\Windows\Temp\t0nue.dll	js

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4712 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

WmiC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3212	WmiC.exe
Token: SeSecurityPrivilege	3212	WmiC.exe
Token: SeTakeOwnershipPrivilege	3212	WmiC.exe
Token: SeLoadDriverPrivilege	3212	WmiC.exe
Token: SeSystemProfilePrivilege	3212	WmiC.exe
Token: SeSystemtimePrivilege	3212	WmiC.exe
Token: SeProfSingleProcessPrivilege	3212	WmiC.exe
Token: SeIncBasePriorityPrivilege	3212	WmiC.exe
Token: SeCreatePagefilePrivilege	3212	WmiC.exe
Token: SeBackupPrivilege	3212	WmiC.exe
Token: SeRestorePrivilege	3212	WmiC.exe
Token: SeShutdownPrivilege	3212	WmiC.exe
Token: SeDebugPrivilege	3212	WmiC.exe
Token: SeSystemEnvironmentPrivilege	3212	WmiC.exe
Token: SeRemoteShutdownPrivilege	3212	WmiC.exe
Token: SeUndockPrivilege	3212	WmiC.exe
Token: SeManageVolumePrivilege	3212	WmiC.exe
Token: 33	3212	WmiC.exe
Token: 34	3212	WmiC.exe
Token: 35	3212	WmiC.exe
Token: 36	3212	WmiC.exe
Token: SeIncreaseQuotaPrivilege	3212	WmiC.exe
Token: SeSecurityPrivilege	3212	WmiC.exe
Token: SeTakeOwnershipPrivilege	3212	WmiC.exe
Token: SeLoadDriverPrivilege	3212	WmiC.exe
Token: SeSystemProfilePrivilege	3212	WmiC.exe
Token: SeSystemtimePrivilege	3212	WmiC.exe
Token: SeProfSingleProcessPrivilege	3212	WmiC.exe
Token: SeIncBasePriorityPrivilege	3212	WmiC.exe
Token: SeCreatePagefilePrivilege	3212	WmiC.exe
Token: SeBackupPrivilege	3212	WmiC.exe
Token: SeRestorePrivilege	3212	WmiC.exe
Token: SeShutdownPrivilege	3212	WmiC.exe
Token: SeDebugPrivilege	3212	WmiC.exe
Token: SeSystemEnvironmentPrivilege	3212	WmiC.exe
Token: SeRemoteShutdownPrivilege	3212	WmiC.exe
Token: SeUndockPrivilege	3212	WmiC.exe
Token: SeManageVolumePrivilege	3212	WmiC.exe
Token: 33	3212	WmiC.exe
Token: 34	3212	WmiC.exe
Token: 35	3212	WmiC.exe
Token: 36	3212	WmiC.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WmiC.exerundll32.exe

description	pid	process	target process
PID 3212 wrote to memory of 4500	3212	WmiC.exe	rundll32.exe
PID 3212 wrote to memory of 4500	3212	WmiC.exe	rundll32.exe
PID 4500 wrote to memory of 4504	4500	rundll32.exe	rundll32.exe
PID 4500 wrote to memory of 4504	4500	rundll32.exe	rundll32.exe
PID 4500 wrote to memory of 4504	4500	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Inv 4529.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Windows\system32\wbem\WmiC.exe
WmiC
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//t0nue.dll InitHelperDll
2⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//t0nue.dll InitHelperDll
3⤵
- Loads dropped DLL
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2C986.Xsl
MD5
ce8fe37f9e9fe345494f4abc26bc8486

SHA1
7165984ae2fff5e25a95b52215ff1575bb08a7ed

SHA256
e43dc63bb5855d140266ae4105d391dbbbb99633621affba06a8e3dec5e2b287

SHA512
86eb6722aa6d3d916a9116caf45310254cdba5ab99337e6324385ef91e2b1d9e800d1a9e915c7ab4f40fa48bcb095bf783bf1b5a801b0652a9c283df77fe4b8d

Download Submit
C:\Windows\Temp\t0nue.dll
MD5
0da1b3631ac12b39bfaba514cd1c9bd3

SHA1
59d9ab5be0b558167463e8c3e5ca81777f394156

SHA256
1835950bd36618da010f46baac9f05fc01d773c28147ab9afc503f53f962538a

SHA512
50480417561bbd714329af59ebc95a039c4cf8f4aaa7aeb30d4973cc73ba412ffede4a33f337f862c7a8eec1d1441440aa9d63e08dfb98938e1d6012049741a2

Download Submit
\Windows\Temp\t0nue.dll
MD5
0da1b3631ac12b39bfaba514cd1c9bd3

SHA1
59d9ab5be0b558167463e8c3e5ca81777f394156

SHA256
1835950bd36618da010f46baac9f05fc01d773c28147ab9afc503f53f962538a

SHA512
50480417561bbd714329af59ebc95a039c4cf8f4aaa7aeb30d4973cc73ba412ffede4a33f337f862c7a8eec1d1441440aa9d63e08dfb98938e1d6012049741a2

Download Submit
memory/4500-4-0x0000000000000000-mapping.dmp

Download
memory/4504-6-0x0000000000000000-mapping.dmp

Download
memory/4504-8-0x0000000073990000-0x00000000739AF000-memory.dmp

Filesize
124KB

Download
memory/4712-2-0x00007FF864190000-0x00007FF8647C7000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads