Analysis
- max time kernel: 100s
- max time network: 128s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 22-07-2021 08:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0e5fe8af64b1c5ead75e629b8afd34c0.xls
- Resource: win7v20210408
General
- Target: 0e5fe8af64b1c5ead75e629b8afd34c0.xls
- Size: 660KB
- MD5: 0e5fe8af64b1c5ead75e629b8afd34c0
- SHA1: 3f37deb279e3ad45dd7c5c6a8656bbc07cd8157c
- SHA256: 6ca95953e88828830e9cdecb6f56a1139d7678b3d2bf2c2e32c27ee01cece84e
- SHA512: 1e5dc477905df85320e06de37900763d276f11d131d818940588f5d65116d1c5c132d56630a3ae7e13df7dc351485d1833178c0c6d154b4b96f2f0d5bc591500
Malware Config
Extracted
- dridex
- 22201
- 178.238.236.59:443
- 104.245.52.73:5007
- 81.0.236.93:13786
Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process; pid: 616; pid_target: 676; process: mshta.exe; target process: EXCEL.EXE

Processes:
- resource: behavioral1/memory/300-72-0x000000006A170000-0x000000006A1A0000-memory.dmp; yara_rule: dridex_ldr

Blocklisted process makes network request 1 IoCs
Processes:
- flow: 4; pid: 616; process: mshta.exe

Downloads MZ/PE file
Loads dropped DLL 4 IoCs
Processes:
- pid: 300; process: rundll32.exe (4 entries)

Checks whether UAC is enabled
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: rundll32.exe

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor; process: EXCEL.EXE

Modifies Internet Explorer settings
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (process: EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (process: mshta.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (process: EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (process: EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (process: EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (process: EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (process: EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (process: EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (process: EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt (process: EXCEL.EXE)
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
- description: HTTP User-Agent header; flow: 4; ioc: qHebrewMixedAuthorizedScript

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- pid: 676; process: EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
- pid: 676; process: EXCEL.EXE (3 entries)

Suspicious use of WriteProcessMemory 11 IoCs
Processes:
- description: PID 676 wrote to memory of 616; pid: 676; process: EXCEL.EXE; target process: mshta.exe (4 entries)
- description: PID 616 wrote to memory of 300; pid: 616; process: mshta.exe; target process: rundll32.exe (7 entries)
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0e5fe8af64b1c5ead75e629b8afd34c0.xls
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\mshta.exe
      Command line: mshta C:\ProgramData//klRangeAutoFormatTable7.sct
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32.exe C:\ProgramData\qDBarStacked100.dll,SetRealTimeUsage
         - Loads dropped DLL
         - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\klRangeAutoFormatTable7.sct
  MD5: c6af6300f72f74ec6ad729068673f210
  SHA1: a1d68d06e0accfb8b3aa9c899287aa2118dee42d
  SHA256: ef77018232319cd118952f3f1e8877d87b99fb0eac2f3506d48025d788b517f1
  SHA512: e5ba5aaf5d6e6402be65960745b0230dbf258d79620ddf5d67f08bf6a12694b44248b1552dc51c0b51fdb7a731dd437085d715fbe9156b80fd02ca36f1dac1b4
- C:\ProgramData\qDBarStacked100.dll
  MD5: adb1d947f0901a4f3cb0b8ad1a6ee385
  SHA1: b82715bbeab52f75dd44f6396593111ae242632c
  SHA256: 55bc0af1e99d0310ea3e8668aba02e4d3aa3c800b85fe304a6377968a4668cc1
  SHA512: 7eea926f405b066917262ad31e109773c40373e6254a25e2b25c53175a8ca7aabc66e275672af38e45eabcd2080f8236078f709ed0332a092cc41b5afea5a606
- \ProgramData\qDBarStacked100.dll
  MD5: adb1d947f0901a4f3cb0b8ad1a6ee385
  SHA1: b82715bbeab52f75dd44f6396593111ae242632c
  SHA256: 55bc0af1e99d0310ea3e8668aba02e4d3aa3c800b85fe304a6377968a4668cc1
  SHA512: 7eea926f405b066917262ad31e109773c40373e6254a25e2b25c53175a8ca7aabc66e275672af38e45eabcd2080f8236078f709ed0332a092cc41b5afea5a606
- memory/300-65-0x0000000000000000-mapping.dmp
- memory/300-72-0x000000006A170000-0x000000006A1A0000-memory.dmp (Filesize: 192KB)
- memory/300-74-0x0000000000170000-0x0000000000176000-memory.dmp (Filesize: 24KB)
- memory/616-63-0x0000000075051000-0x0000000075053000-memory.dmp (Filesize: 8KB)
- memory/616-62-0x0000000000000000-mapping.dmp
- memory/676-59-0x000000002FEE1000-0x000000002FEE4000-memory.dmp (Filesize: 12KB)
- memory/676-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/676-60-0x0000000070D41000-0x0000000070D43000-memory.dmp (Filesize: 8KB)
- memory/676-75-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)