dridex | 74a551c38c3165128be5e8c58766a1c57d38b7183f6c9977cd1eeadce159a00f

General

Target

174682_BOL.xlsm
Size

35KB
MD5

a9571044e94878cf4f9799c033305fb8
SHA1

86429d5ad991da1773fe4f485f7eea142ab5f00a
SHA256

74a551c38c3165128be5e8c58766a1c57d38b7183f6c9977cd1eeadce159a00f
SHA512

dad015bffb5d383139f462f6b55de7e3d7844d8bbf65d9a542e41b7489e404b3d22f89508f022d97a61875ecbeeae0918b91d9023a5a5cecc69ff1fdb246bdac

Score

10^/10

dridex 10444 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

10444

C2

210.65.244.184:443

147.78.186.4:10051

62.75.168.152:6601

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1280	3928	regsvr32.exe	EXCEL.EXE

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/748-46-0x0000000073E80000-0x0000000073EBD000-memory.dmp	dridex_ldr
behavioral2/memory/748-47-0x0000000073E80000-0x0000000073EBD000-memory.dmp	dridex_ldr

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

748 regsvr32.exe

pid	process
748	regsvr32.exe

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2372	3928	DW20.EXE	EXCEL.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid process

3928 EXCEL.EXE
4048 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

EXCEL.EXEdwwin.exe

pid process

3928 EXCEL.EXE
3928 EXCEL.EXE
3824 dwwin.exe
3824 dwwin.exe
3928 EXCEL.EXE
3928 EXCEL.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid	process
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXEregsvr32.exeDW20.EXEdwwin.exe

description	pid	process	target process
PID 3928 wrote to memory of 1280	3928	EXCEL.EXE	regsvr32.exe
PID 3928 wrote to memory of 1280	3928	EXCEL.EXE	regsvr32.exe
PID 1280 wrote to memory of 748	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 748	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 748	1280	regsvr32.exe	regsvr32.exe
PID 3928 wrote to memory of 2372	3928	EXCEL.EXE	DW20.EXE
PID 3928 wrote to memory of 2372	3928	EXCEL.EXE	DW20.EXE
PID 2372 wrote to memory of 3824	2372	DW20.EXE	dwwin.exe
PID 2372 wrote to memory of 3824	2372	DW20.EXE	dwwin.exe
PID 3824 wrote to memory of 4048	3824	dwwin.exe	EXCEL.EXE
PID 3824 wrote to memory of 4048	3824	dwwin.exe	EXCEL.EXE
PID 3824 wrote to memory of 4048	3824	dwwin.exe	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\174682_BOL.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\sdemqpiq.dll
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\sdemqpiq.dll
3⤵
- Loads dropped DLL
PID:748

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4592
2⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 4592
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3824

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
9b233f391290766d91f7c8a28ecc7d2f

SHA1
c479ed60c54790241d0d787ad49113a4a6028558

SHA256
09e656e9ae5566784e16ee479dda2127ac63cec126832cec69fc54579526a73a

SHA512
4494a30d5bf48d0ea61cef7da1ce11b01b97620ac62409576c8628105b3e7cbc1b3cdd84f7ad3581be1341f9a7b02089d0557088407332461b145e1db5ae0519

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
a032d14e5be1ec1879bea1ca60d86766

SHA1
56869190186160863a5decd7af818fd6cfe65eee

SHA256
45bbe4a8cce4d3836b78b2c992e26cc686a8f9421e2b1f533098e705f7661f6f

SHA512
e103a335b9f83bf4750f7aaa7e30630a674f1affb7eb0cd7b4e47562f5258b85e4eb16a3ba6284fcfd082b448f224aa2147598b6eb29c4f7b0084fb0f3c5f93b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
MD5
dfb51782472d67c85c27f55aedfeb882

SHA1
420a0a93bc8d9a76e86ec9ee63431a4248c1628f

SHA256
b996ae970552c37d830808f00caec35b2cc9985fb1b6825cdeed827384181b60

SHA512
19f01e17ef2391ec878023fe995ce2daad7488022697acffde48fc78e39143fc07c4cfb3f221407b17a1592d3fc81f76c377fe8313f20d16ab24f83d493df10f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
MD5
f138a66469c10d5761c6cbb36f2163c3

SHA1
eea136206474280549586923b7a4a3c6d5db1e25

SHA256
c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6

SHA512
9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
MD5
f508c9f73943d2a17a41340aab7c501c

SHA1
77d83e18c0628953060f3185a9a559fe49ac49c6

SHA256
bbacd9c4083da9ef7424b5de8b9c9be012105f181ba8bf8e71651ba81fdf9ee0

SHA512
9784825368ca8490a8f26dbe4c20aff3ba06e029c72e28da101d90cd137c8b5def84c560df69ffe1594e77d52ac5e1a74b477f2488dda57fe4dda7795719243c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdemqpiq.dll
MD5
9c9e5f27fd0f4d044e4d9d6c89fe8216

SHA1
13d2db72cd29a4bdcc6af3cbf198e8e67b63f90f

SHA256
7d16b486189c010f74ad58e73a5c6acbd38c4f502d1ed5b52d611d9956a53df2

SHA512
3ac67b6ded54bf6e2d5d71e2bc3e4a0b331c7c358a4041e6be38bca1d5a0bb02d792bcadd9dfb52447b38d484f56a4b67b21960322c4c1d810a63dd460f43236

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
\Users\Admin\AppData\Local\Temp\sdemqpiq.dll
MD5
9c9e5f27fd0f4d044e4d9d6c89fe8216

SHA1
13d2db72cd29a4bdcc6af3cbf198e8e67b63f90f

SHA256
7d16b486189c010f74ad58e73a5c6acbd38c4f502d1ed5b52d611d9956a53df2

SHA512
3ac67b6ded54bf6e2d5d71e2bc3e4a0b331c7c358a4041e6be38bca1d5a0bb02d792bcadd9dfb52447b38d484f56a4b67b21960322c4c1d810a63dd460f43236

Download Submit
memory/748-9-0x0000000000000000-mapping.dmp

Download
memory/748-46-0x0000000073E80000-0x0000000073EBD000-memory.dmp

Filesize
244KB

Download
memory/748-47-0x0000000073E80000-0x0000000073EBD000-memory.dmp

Filesize
244KB

Download
memory/748-48-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1280-7-0x0000000000000000-mapping.dmp

Download
memory/2372-10-0x0000000000000000-mapping.dmp

Download
memory/2372-36-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/2372-39-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/2372-38-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/2372-35-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3824-15-0x00000237A1B70000-0x00000237A1B71000-memory.dmp

Filesize
4KB

Download
memory/3824-16-0x00000237A1B70000-0x00000237A1B71000-memory.dmp

Filesize
4KB

Download
memory/3824-14-0x0000000000000000-mapping.dmp

Download
memory/3824-27-0x00000237A2520000-0x00000237A2521000-memory.dmp

Filesize
4KB

Download
memory/3824-26-0x00000237A2520000-0x00000237A2521000-memory.dmp

Filesize
4KB

Download
memory/3824-25-0x00000237A2520000-0x00000237A2521000-memory.dmp

Filesize
4KB

Download
memory/3824-20-0x00000237A2200000-0x00000237A2201000-memory.dmp

Filesize
4KB

Download
memory/3824-23-0x00000237A2600000-0x00000237A2601000-memory.dmp

Filesize
4KB

Download
memory/3928-2-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3928-6-0x00007FF8E8EB0000-0x00007FF8E94E7000-memory.dmp

Filesize
6.2MB

Download
memory/3928-5-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3928-4-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3928-3-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/4048-34-0x00007FF8E8EF0000-0x00007FF8E9527000-memory.dmp

Filesize
6.2MB

Download
memory/4048-30-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads