dridex | 346a5f545abd67c879755d34f5985f038b30704d97ed59b5597d9dc251336080

General

Target

Inv #147.xls
Size

706KB
MD5

77e05d6f0c417328a50a29af170e1efd
SHA1

3167568a7dcef3faba0a4636ff71f2844d6d8962
SHA256

346a5f545abd67c879755d34f5985f038b30704d97ed59b5597d9dc251336080
SHA512

2ea0153df0240a964e92ef4b5477ed361a20614149f36992496914a89bf3fc5abb582fd3fe4478aa0b6b2c8de6f1d4358aa5baec664f4fa5caf2aa1b841433e1

Score

10^/10

dridex 111 botnet loader ransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmiC.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 508 68 wmiC.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	68	wmiC.exe

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/816-8-0x00000000741B0000-0x00000000741CF000-memory.dmp	dridex_ldr

Blocklisted process makes network request 3 IoCs

Processes:

wmiC.exe

flow pid process

28 508 wmiC.exe
30 508 wmiC.exe
32 508 wmiC.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

816 rundll32.exe

flow	pid	process
28	508	wmiC.exe
30	508	wmiC.exe
32	508	wmiC.exe

pid	process
816	rundll32.exe

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
C:\Windows\Temp\8p10k.dll	js
\Windows\Temp\8p10k.dll	js

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

500 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmiC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	508	wmiC.exe
Token: SeSecurityPrivilege	508	wmiC.exe
Token: SeTakeOwnershipPrivilege	508	wmiC.exe
Token: SeLoadDriverPrivilege	508	wmiC.exe
Token: SeSystemProfilePrivilege	508	wmiC.exe
Token: SeSystemtimePrivilege	508	wmiC.exe
Token: SeProfSingleProcessPrivilege	508	wmiC.exe
Token: SeIncBasePriorityPrivilege	508	wmiC.exe
Token: SeCreatePagefilePrivilege	508	wmiC.exe
Token: SeBackupPrivilege	508	wmiC.exe
Token: SeRestorePrivilege	508	wmiC.exe
Token: SeShutdownPrivilege	508	wmiC.exe
Token: SeDebugPrivilege	508	wmiC.exe
Token: SeSystemEnvironmentPrivilege	508	wmiC.exe
Token: SeRemoteShutdownPrivilege	508	wmiC.exe
Token: SeUndockPrivilege	508	wmiC.exe
Token: SeManageVolumePrivilege	508	wmiC.exe
Token: 33	508	wmiC.exe
Token: 34	508	wmiC.exe
Token: 35	508	wmiC.exe
Token: 36	508	wmiC.exe
Token: SeIncreaseQuotaPrivilege	508	wmiC.exe
Token: SeSecurityPrivilege	508	wmiC.exe
Token: SeTakeOwnershipPrivilege	508	wmiC.exe
Token: SeLoadDriverPrivilege	508	wmiC.exe
Token: SeSystemProfilePrivilege	508	wmiC.exe
Token: SeSystemtimePrivilege	508	wmiC.exe
Token: SeProfSingleProcessPrivilege	508	wmiC.exe
Token: SeIncBasePriorityPrivilege	508	wmiC.exe
Token: SeCreatePagefilePrivilege	508	wmiC.exe
Token: SeBackupPrivilege	508	wmiC.exe
Token: SeRestorePrivilege	508	wmiC.exe
Token: SeShutdownPrivilege	508	wmiC.exe
Token: SeDebugPrivilege	508	wmiC.exe
Token: SeSystemEnvironmentPrivilege	508	wmiC.exe
Token: SeRemoteShutdownPrivilege	508	wmiC.exe
Token: SeUndockPrivilege	508	wmiC.exe
Token: SeManageVolumePrivilege	508	wmiC.exe
Token: 33	508	wmiC.exe
Token: 34	508	wmiC.exe
Token: 35	508	wmiC.exe
Token: 36	508	wmiC.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
500	EXCEL.EXE
500	EXCEL.EXE
500	EXCEL.EXE
500	EXCEL.EXE
500	EXCEL.EXE
500	EXCEL.EXE
500	EXCEL.EXE
500	EXCEL.EXE
500	EXCEL.EXE
500	EXCEL.EXE
500	EXCEL.EXE
500	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wmiC.exerundll32.exe

description	pid	process	target process
PID 508 wrote to memory of 1480	508	wmiC.exe	rundll32.exe
PID 508 wrote to memory of 1480	508	wmiC.exe	rundll32.exe
PID 1480 wrote to memory of 816	1480	rundll32.exe	rundll32.exe
PID 1480 wrote to memory of 816	1480	rundll32.exe	rundll32.exe
PID 1480 wrote to memory of 816	1480	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Inv #147.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:500

C:\Windows\system32\wbem\wmiC.exe
wmiC
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//8p10k.dll InitHelperDll
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//8p10k.dll InitHelperDll
3⤵
- Loads dropped DLL
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2092E.XSL
MD5
6dbdd2b3310032a65b0435e8afcad218

SHA1
67542823e1d2a526c4b9a3206be1f1d54f9dfd8b

SHA256
3a7c2bc8d86e18f0e6458ad150f052574475e1c34c382d200b7f832b08e43c12

SHA512
6fb08152de538afc6ac5bad3469c7be9647884611a6b97236b2a62e617844fa493592a81e6e6a05a658c302d49a0d9454a5474bd5df82633ec6f093f6c9af764

Download Submit
C:\Windows\Temp\8p10k.dll
MD5
806279bd4aa02e4ca543f4df70a97071

SHA1
510d71a67521be4dc0d6b1da67492e7834e8fb59

SHA256
481adb7aee323dc6e2725682cd17fba1e94b3ea4fed0d94fb6189b7afd8378fd

SHA512
f6a014cf9e6d6df59770b4ba7eb96d86b643f7ca02e12d0be3c502ca8caead589d0829cdc09833a086e54a5998077117ee940610fce34cb1eed417799d90a844

Download Submit
\Windows\Temp\8p10k.dll
MD5
806279bd4aa02e4ca543f4df70a97071

SHA1
510d71a67521be4dc0d6b1da67492e7834e8fb59

SHA256
481adb7aee323dc6e2725682cd17fba1e94b3ea4fed0d94fb6189b7afd8378fd

SHA512
f6a014cf9e6d6df59770b4ba7eb96d86b643f7ca02e12d0be3c502ca8caead589d0829cdc09833a086e54a5998077117ee940610fce34cb1eed417799d90a844

Download Submit
memory/500-2-0x00007FFAB59F0000-0x00007FFAB6027000-memory.dmp

Filesize
6.2MB

Download
memory/816-6-0x0000000000000000-mapping.dmp

Download
memory/816-8-0x00000000741B0000-0x00000000741CF000-memory.dmp

Filesize
124KB

Download
memory/1480-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads