Analysis

  • max time kernel
    100s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-07-2021 08:57

General

  • Target

    0e5fe8af64b1c5ead75e629b8afd34c0.xls

  • Size

    660KB

  • MD5

    0e5fe8af64b1c5ead75e629b8afd34c0

  • SHA1

    3f37deb279e3ad45dd7c5c6a8656bbc07cd8157c

  • SHA256

    6ca95953e88828830e9cdecb6f56a1139d7678b3d2bf2c2e32c27ee01cece84e

  • SHA512

    1e5dc477905df85320e06de37900763d276f11d131d818940588f5d65116d1c5c132d56630a3ae7e13df7dc351485d1833178c0c6d154b4b96f2f0d5bc591500

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

178.238.236.59:443

104.245.52.73:5007

81.0.236.93:13786

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0e5fe8af64b1c5ead75e629b8afd34c0.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:676
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\ProgramData//klRangeAutoFormatTable7.sct
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:616
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\ProgramData\qDBarStacked100.dll,SetRealTimeUsage
        3⤵
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:300

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\klRangeAutoFormatTable7.sct
    MD5

    c6af6300f72f74ec6ad729068673f210

    SHA1

    a1d68d06e0accfb8b3aa9c899287aa2118dee42d

    SHA256

    ef77018232319cd118952f3f1e8877d87b99fb0eac2f3506d48025d788b517f1

    SHA512

    e5ba5aaf5d6e6402be65960745b0230dbf258d79620ddf5d67f08bf6a12694b44248b1552dc51c0b51fdb7a731dd437085d715fbe9156b80fd02ca36f1dac1b4

  • C:\ProgramData\qDBarStacked100.dll
    MD5

    adb1d947f0901a4f3cb0b8ad1a6ee385

    SHA1

    b82715bbeab52f75dd44f6396593111ae242632c

    SHA256

    55bc0af1e99d0310ea3e8668aba02e4d3aa3c800b85fe304a6377968a4668cc1

    SHA512

    7eea926f405b066917262ad31e109773c40373e6254a25e2b25c53175a8ca7aabc66e275672af38e45eabcd2080f8236078f709ed0332a092cc41b5afea5a606

  • \ProgramData\qDBarStacked100.dll
    MD5

    adb1d947f0901a4f3cb0b8ad1a6ee385

    SHA1

    b82715bbeab52f75dd44f6396593111ae242632c

    SHA256

    55bc0af1e99d0310ea3e8668aba02e4d3aa3c800b85fe304a6377968a4668cc1

    SHA512

    7eea926f405b066917262ad31e109773c40373e6254a25e2b25c53175a8ca7aabc66e275672af38e45eabcd2080f8236078f709ed0332a092cc41b5afea5a606

  • \ProgramData\qDBarStacked100.dll
    MD5

    adb1d947f0901a4f3cb0b8ad1a6ee385

    SHA1

    b82715bbeab52f75dd44f6396593111ae242632c

    SHA256

    55bc0af1e99d0310ea3e8668aba02e4d3aa3c800b85fe304a6377968a4668cc1

    SHA512

    7eea926f405b066917262ad31e109773c40373e6254a25e2b25c53175a8ca7aabc66e275672af38e45eabcd2080f8236078f709ed0332a092cc41b5afea5a606

  • \ProgramData\qDBarStacked100.dll
    MD5

    adb1d947f0901a4f3cb0b8ad1a6ee385

    SHA1

    b82715bbeab52f75dd44f6396593111ae242632c

    SHA256

    55bc0af1e99d0310ea3e8668aba02e4d3aa3c800b85fe304a6377968a4668cc1

    SHA512

    7eea926f405b066917262ad31e109773c40373e6254a25e2b25c53175a8ca7aabc66e275672af38e45eabcd2080f8236078f709ed0332a092cc41b5afea5a606

  • \ProgramData\qDBarStacked100.dll
    MD5

    adb1d947f0901a4f3cb0b8ad1a6ee385

    SHA1

    b82715bbeab52f75dd44f6396593111ae242632c

    SHA256

    55bc0af1e99d0310ea3e8668aba02e4d3aa3c800b85fe304a6377968a4668cc1

    SHA512

    7eea926f405b066917262ad31e109773c40373e6254a25e2b25c53175a8ca7aabc66e275672af38e45eabcd2080f8236078f709ed0332a092cc41b5afea5a606

  • memory/300-65-0x0000000000000000-mapping.dmp
  • memory/300-72-0x000000006A170000-0x000000006A1A0000-memory.dmp
    Filesize

    192KB

  • memory/300-74-0x0000000000170000-0x0000000000176000-memory.dmp
    Filesize

    24KB

  • memory/616-63-0x0000000075051000-0x0000000075053000-memory.dmp
    Filesize

    8KB

  • memory/616-62-0x0000000000000000-mapping.dmp
  • memory/676-59-0x000000002FEE1000-0x000000002FEE4000-memory.dmp
    Filesize

    12KB

  • memory/676-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/676-60-0x0000000070D41000-0x0000000070D43000-memory.dmp
    Filesize

    8KB

  • memory/676-75-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB