Overview

overview

10

Static

static

8

BANK RECEIPT.exe

windows7_x64

10

BANK RECEIPT.exe

windows10_x64

10

BOL.xlsm

windows7_x64

10

BOL.xlsm

windows10_x64

10

Inv_399139_86191.xlsm

windows7_x64

10

Inv_399139_86191.xlsm

windows10_x64

10

Ordine 400...xs.exe

windows7_x64

10

Ordine 400...xs.exe

windows10_x64

10

PO.exe

windows7_x64

10

PO.exe

windows10_x64

10

STATEMENT ...NT.exe

windows7_x64

10

STATEMENT ...NT.exe

windows10_x64

10

SWIFT-MT10...df.exe

windows7_x64

10

SWIFT-MT10...df.exe

windows10_x64

10

inquiries ...B .exe

windows7_x64

10

inquiries ...B .exe

windows10_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    06-05-2021 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Inv_399139_86191.xlsm

  • Size

    26KB

  • MD5

    498adcc5b1c0e59baa8779fb8a1b72df

  • SHA1

    e5c0063a99e22394ce84104ea5d775e48dbd70a4

  • SHA256

    7db855d25c3468c8b0cc6ed349e16f8611a875aa0c8b95b98c4c1845fc503c7b

  • SHA512

    0effc72caeb94dc7475c4371fdaa692676bf24fbcc2f79386e5f05f9012734afa46984d80547a2c1cf61f5b4d5574944d4ac24163b02aa39bf568f6b7a1884f2

Score
10/10
dridex10444botnetloader

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://nsc.demasys.net/z5pkv7mb8.gif
xlm40.dropper

https://testnew.yourpageserver.com/h6em3w4c.jpg

Extracted

Family

dridex

Botnet

10444

C2

195.154.237.245:443

46.105.131.73:8172

91.238.160.158:18443

213.183.128.99:3786
rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Inv_399139_86191.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\xhkdc._WB
      2⤵
      • Process spawned unexpected child process
      PID:376
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\gvtvbpcp._ML
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gvtvbpcp._ML
    MD5

    f6e9f6de099449b84d37f8c9c959c0a3

    SHA1

    407a7e9d982caea11ebb525d1bd51e2617febe74

    SHA256

    4801b61a1dc7a14b4c2efc9840a933b7dbfc595cca11bca2632f7e59a0624c65

    SHA512

    8027bd6e4f7ea23d435fa3654c793b34c715bc2b4a2915df78e4f227d9a3f782de5e7bea86c9dcd8cefd612ac5a8ff4d28f1d3d6c6a3a1d6b89863ef94575fc9

    Download Submit
  • \Users\Admin\AppData\Local\Temp\gvtvbpcp._ML
    MD5

    f6e9f6de099449b84d37f8c9c959c0a3

    SHA1

    407a7e9d982caea11ebb525d1bd51e2617febe74

    SHA256

    4801b61a1dc7a14b4c2efc9840a933b7dbfc595cca11bca2632f7e59a0624c65

    SHA512

    8027bd6e4f7ea23d435fa3654c793b34c715bc2b4a2915df78e4f227d9a3f782de5e7bea86c9dcd8cefd612ac5a8ff4d28f1d3d6c6a3a1d6b89863ef94575fc9

    Download Submit
  • memory/376-64-0x0000000000000000-mapping.dmp
    Download
  • memory/376-65-0x00000000757C1000-0x00000000757C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/992-66-0x0000000000000000-mapping.dmp
    Download
  • memory/992-70-0x0000000001ED0000-0x0000000001FB4000-memory.dmp
    Filesize

    912KB

    Download
  • memory/992-71-0x0000000001ED0000-0x0000000001F0D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/992-72-0x00000000001C0000-0x00000000001C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1788-60-0x000000002FB51000-0x000000002FB54000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1788-61-0x00000000717B1000-0x00000000717B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1788-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1788-63-0x0000000005BD0000-0x0000000005BD2000-memory.dmp
    Filesize

    8KB

    Download