dridex | 4a8c152ef7c7e3ced93e8629691f6f66bb67f78c4e17caf0198db18300b19acf

General

Target

15d1252024d046b76737f80017b31b5e.xls
Size

371KB
MD5

15d1252024d046b76737f80017b31b5e
SHA1

9d61edbf4819eb9ee8e6de03120ee06e1a8b592e
SHA256

4a8c152ef7c7e3ced93e8629691f6f66bb67f78c4e17caf0198db18300b19acf
SHA512

8f2819cfe537ba891ddc49d3eca12d2cb80c20a270e307822e5e79e2c1c246ad3a1099a1720d2ea9a3f0d6ab630e8bafd93a746f2267b888e3e61c9ee3289179

Score

10^/10

dridex 22202 botnet evasion loader trojan

Malware Config

Extracted

Family

dridex

Botnet

22202

C2

178.238.236.59:443

104.245.52.73:5007

81.0.236.93:13786

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	540	1652	mshta.exe	EXCEL.EXE

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1624-73-0x000000006A300000-0x000000006A331000-memory.dmp	dridex_ldr

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

3 540 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1624 rundll32.exe
1624 rundll32.exe
1624 rundll32.exe
1624 rundll32.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
3	540	mshta.exe

pid	process
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1652 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1652 EXCEL.EXE
1652 EXCEL.EXE
1652 EXCEL.EXE
1652 EXCEL.EXE
1652 EXCEL.EXE

pid	process
1652	EXCEL.EXE

pid	process
1652	EXCEL.EXE
1652	EXCEL.EXE
1652	EXCEL.EXE
1652	EXCEL.EXE
1652	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEmshta.exe

description	pid	process	target process
PID 1652 wrote to memory of 540	1652	EXCEL.EXE	mshta.exe
PID 1652 wrote to memory of 540	1652	EXCEL.EXE	mshta.exe
PID 1652 wrote to memory of 540	1652	EXCEL.EXE	mshta.exe
PID 1652 wrote to memory of 540	1652	EXCEL.EXE	mshta.exe
PID 540 wrote to memory of 1624	540	mshta.exe	rundll32.exe
PID 540 wrote to memory of 1624	540	mshta.exe	rundll32.exe
PID 540 wrote to memory of 1624	540	mshta.exe	rundll32.exe
PID 540 wrote to memory of 1624	540	mshta.exe	rundll32.exe
PID 540 wrote to memory of 1624	540	mshta.exe	rundll32.exe
PID 540 wrote to memory of 1624	540	mshta.exe	rundll32.exe
PID 540 wrote to memory of 1624	540	mshta.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\15d1252024d046b76737f80017b31b5e.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\ProgramData//klDialogDeleteFormat.sct
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\ProgramData\qRangeAutoFormatTable1.dll,SetRealTimeUsage
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\klDialogDeleteFormat.sct

MD5
8b456844dd984b342462d648348d6e41

SHA1
b1f0e5628bc6a5ded67d2ba843a4b701d44960da

SHA256
2c7694742f9fb9dd2c61fea62054b2acca9dfc458d880723285b02d01b0bf6e8

SHA512
9c7aa647e1386c2454d9ca43e9ec3a561e7a31677b93471d38f0a2c38ca56a88cdffbd0572a523dad45c0affd65019788d36bb5703ef367bd5dd3f989c8e8d30

Download Submit
C:\ProgramData\qRangeAutoFormatTable1.dll

MD5
fa5ec3e53520d0d4de5e26611b8cd51d

SHA1
6ce8c358ec95955f2816ab1bb376c025ade61922

SHA256
ec705e006b4074a61b4b001660ce083e1948bb7ef17c69a90ad5ef5bb635d132

SHA512
f3d538eb8e584079fe7dc57472a5859b2c935eacb449e94ece4bb6390d97bc4035015de3c5cb0836c58db581e40b821cdc98f16e5f9e6c344ce331372c914360

Download Submit
\ProgramData\qRangeAutoFormatTable1.dll

MD5
fa5ec3e53520d0d4de5e26611b8cd51d

SHA1
6ce8c358ec95955f2816ab1bb376c025ade61922

SHA256
ec705e006b4074a61b4b001660ce083e1948bb7ef17c69a90ad5ef5bb635d132

SHA512
f3d538eb8e584079fe7dc57472a5859b2c935eacb449e94ece4bb6390d97bc4035015de3c5cb0836c58db581e40b821cdc98f16e5f9e6c344ce331372c914360

Download Submit
\ProgramData\qRangeAutoFormatTable1.dll

MD5
fa5ec3e53520d0d4de5e26611b8cd51d

SHA1
6ce8c358ec95955f2816ab1bb376c025ade61922

SHA256
ec705e006b4074a61b4b001660ce083e1948bb7ef17c69a90ad5ef5bb635d132

SHA512
f3d538eb8e584079fe7dc57472a5859b2c935eacb449e94ece4bb6390d97bc4035015de3c5cb0836c58db581e40b821cdc98f16e5f9e6c344ce331372c914360

Download Submit
\ProgramData\qRangeAutoFormatTable1.dll

MD5
fa5ec3e53520d0d4de5e26611b8cd51d

SHA1
6ce8c358ec95955f2816ab1bb376c025ade61922

SHA256
ec705e006b4074a61b4b001660ce083e1948bb7ef17c69a90ad5ef5bb635d132

SHA512
f3d538eb8e584079fe7dc57472a5859b2c935eacb449e94ece4bb6390d97bc4035015de3c5cb0836c58db581e40b821cdc98f16e5f9e6c344ce331372c914360

Download Submit
\ProgramData\qRangeAutoFormatTable1.dll

MD5
fa5ec3e53520d0d4de5e26611b8cd51d

SHA1
6ce8c358ec95955f2816ab1bb376c025ade61922

SHA256
ec705e006b4074a61b4b001660ce083e1948bb7ef17c69a90ad5ef5bb635d132

SHA512
f3d538eb8e584079fe7dc57472a5859b2c935eacb449e94ece4bb6390d97bc4035015de3c5cb0836c58db581e40b821cdc98f16e5f9e6c344ce331372c914360

Download Submit
memory/540-63-0x0000000000000000-mapping.dmp

Download
memory/540-64-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1624-66-0x0000000000000000-mapping.dmp

Download
memory/1624-73-0x000000006A300000-0x000000006A331000-memory.dmp

Filesize
196KB

Download
memory/1624-75-0x00000000000B0000-0x00000000000B6000-memory.dmp

Filesize
24KB

Download
memory/1652-60-0x000000002F6C1000-0x000000002F6C4000-memory.dmp

Filesize
12KB

Download
memory/1652-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1652-61-0x0000000070F81000-0x0000000070F83000-memory.dmp

Filesize
8KB

Download
memory/1652-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads