Analysis
- Max time kernel: 135s
- Max time network: 135s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 01-04-2021 15:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: INV_369730_2393121046005.xls
- Resource: win7v20201028
General
- Target: INV_369730_2393121046005.xls
- Size: 57KB
- MD5: f6ed1fc605203ca75f5d3e4cdf9c8f4d
- SHA1: 0c424cb3ed68823affe5f7163d18e00d47569c0e
- SHA256: bb881851c401f18651d160438cc157a01d27640b081b7b8c909b222986948682
- SHA512: e6c315c9a057a2456fa0885c95a79bc0eb2006bc1f4f650675fa86fd59aa386c37e0ce1c0aed38edbf4a5c573b3ee2f30ce018a141cb1bd6f94a2a50ff2bc022
Malware Config
Extracted
dridex
10444
131.100.24.215:443
210.65.244.174:6601
195.201.199.53:2303
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4548 | 4688 | regsvr32.exe | EXCEL.EXE
-
Processes:
  resource | yara_rule
  behavioral2/memory/540-11-0x0000000073CF0000-0x0000000073D2D000-memory.dmp | dridex_ldr
  behavioral2/memory/540-12-0x0000000073CF0000-0x0000000073D2D000-memory.dmp | dridex_ldr
-
Loads dropped DLL (1 IoC)
Processes:
  pid | process
  540 | regsvr32.exe
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  4688 | EXCEL.EXE
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid | process
  4688 | EXCEL.EXE (2 occurrences)
-
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid | process
  4688 | EXCEL.EXE (12 occurrences)
-
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description | pid | process | target process
  PID 4688 wrote to memory of 4548 | 4688 | EXCEL.EXE | regsvr32.exe (2 occurrences)
  PID 4548 wrote to memory of 540 | 4548 | regsvr32.exe | regsvr32.exe (3 occurrences)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (tree depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\INV_369730_2393121046005.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\regsvr32.exe (tree depth 2)
  Command line: "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\jnjsfqgy.dll
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\regsvr32.exe (tree depth 3)
    Command line: -s C:\Users\Admin\AppData\Local\Temp\jnjsfqgy.dll
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\jnjsfqgy.dll
MD5: 30315eed5f5ade346b5ccfcc452310bf
SHA1: e79c087676d5d20cf2c7772ce94defab3bb58c17
SHA256: fdce1eff308b78fefc2ef730679bd5317620f3e3a52a695ebb3ad355663603c2
SHA512: 4815e27cac015cb89bee63fa59a8d345c67dc416ceebd930ce8432eeb41336e834cfe4e47da561239f84d4fb24570e8287c9876117e0736be182173473b7ec34
-
\Users\Admin\AppData\Local\Temp\jnjsfqgy.dll
MD5: 30315eed5f5ade346b5ccfcc452310bf
SHA1: e79c087676d5d20cf2c7772ce94defab3bb58c17
SHA256: fdce1eff308b78fefc2ef730679bd5317620f3e3a52a695ebb3ad355663603c2
SHA512: 4815e27cac015cb89bee63fa59a8d345c67dc416ceebd930ce8432eeb41336e834cfe4e47da561239f84d4fb24570e8287c9876117e0736be182173473b7ec34
-
memory/540-9-0x0000000000000000-mapping.dmp
-
memory/540-11-0x0000000073CF0000-0x0000000073D2D000-memory.dmp
Filesize: 244KB
-
memory/540-12-0x0000000073CF0000-0x0000000073D2D000-memory.dmp
Filesize: 244KB
-
memory/540-13-0x0000000000A60000-0x0000000000A61000-memory.dmp
Filesize: 4KB
-
memory/4548-7-0x0000000000000000-mapping.dmp
-
memory/4688-2-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp
Filesize: 64KB
-
memory/4688-3-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp
Filesize: 64KB
-
memory/4688-4-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp
Filesize: 64KB
-
memory/4688-5-0x00007FFEEB320000-0x00007FFEEB957000-memory.dmp
Filesize: 6.2MB
-
memory/4688-6-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp
Filesize: 64KB