Analysis

  • max time kernel
    1231s
  • max time network
    1562s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-03-2021 22:49

General

  • Target

    SpaceX Starbase Invite.xlsm

  • Size

    242KB

  • MD5

    b46aa5f81d293bc7791a720b6447d01f

  • SHA1

    a8ab19110c407b6e04e460fa8bc33685868a026d

  • SHA256

    2355f05bca712ce31b1fef911395862eb34e73db7a3ca0a6bee2664024e47518

  • SHA512

    8c3b80ff99948aa1f67ed9b6a9c5b2b1225b9246b71b7a8f97661bd054339f67e82aa7f118fed8462ce20ff1a58d9f07cb07c91f1220ac48d8fd1502f1be1e93

Malware Config

Extracted

Family

dridex

Botnet

111

C2

77.220.64.135:443

107.180.90.10:6601

31.24.158.56:7275

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Dridex Loader (2 IoCs)

    Detects both the x86 and x64 Dridex loader in memory.

  • Blocklisted process makes network request (12 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 9 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (41 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SpaceX Starbase Invite.xlsm"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1656
  • C:\Windows\system32\wbem\wmic.exe
    wmic os get /format:"C:\Users\Admin\AppData\Roaming\1DF1C.xsl"
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//n10tn.dll ValidateLog
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//n10tn.dll ValidateLog
        3⤵
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1604

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    System Information Discovery (T1082): 3
    Query Registry (T1012): 1

Downloads

  • C:\Users\Admin\AppData\Roaming\1DF1C.xsl
    MD5

    ea71d43dea5ac0a4f1687d4b4c0f7a73

    SHA1

    06abfa510041b5eadaaad4aed4a196eca63f475a

    SHA256

    9aecdb029868fb446bad577f10695472497bb2bfe87d30b3ef13da834742efaa

    SHA512

    7e597efd1045738621da21c0972f46f360fe13d9988085fc29b479bb73d7de0506d6eef396eca1e6526505b5874760eaa73c1e09fcd149846306edd5bd73a40f

  • C:\Windows\Temp\n10tn.dll
    MD5

    aca3ec396cbe8b33718eef86dd26f3c8

    SHA1

    df6a2d47889a6bf49bb82170690a2324b498c1e2

    SHA256

    6a081487cc498419c436fd3539a0ec4172575fc2b213f3e685a28c2871ede102

    SHA512

    014e868d13091e76cde23b31444450130f4a783cb533924a4ff67acaa821c4071e8998aec7498a5789feab1c25f6a6b11f29c5a9b3a92adf2d6aaeb813f513f4

  • \Windows\Temp\n10tn.dll
    MD5

    aca3ec396cbe8b33718eef86dd26f3c8

    SHA1

    df6a2d47889a6bf49bb82170690a2324b498c1e2

    SHA256

    6a081487cc498419c436fd3539a0ec4172575fc2b213f3e685a28c2871ede102

    SHA512

    014e868d13091e76cde23b31444450130f4a783cb533924a4ff67acaa821c4071e8998aec7498a5789feab1c25f6a6b11f29c5a9b3a92adf2d6aaeb813f513f4

  • memory/272-7-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp
    Filesize

    2.5MB

  • memory/1604-18-0x000000006B760000-0x000000006B781000-memory.dmp
    Filesize

    132KB

  • memory/1604-17-0x00000000000F0000-0x00000000000F6000-memory.dmp
    Filesize

    24KB

  • memory/1604-16-0x000000006B760000-0x000000006B792000-memory.dmp
    Filesize

    200KB

  • memory/1604-10-0x0000000000000000-mapping.dmp
  • memory/1604-11-0x0000000074D11000-0x0000000074D13000-memory.dmp
    Filesize

    8KB

  • memory/1656-2-0x000000002FFF1000-0x000000002FFF4000-memory.dmp
    Filesize

    12KB

  • memory/1656-5-0x0000000005B10000-0x0000000005B12000-memory.dmp
    Filesize

    8KB

  • memory/1656-3-0x0000000070E31000-0x0000000070E33000-memory.dmp
    Filesize

    8KB

  • memory/1656-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/2024-8-0x0000000000000000-mapping.dmp