dridex | 6ca95953e88828830e9cdecb6f56a1139d7678b3d2bf2c2e32c27ee01cece84e

General

Target

0e5fe8af64b1c5ead75e629b8afd34c0.xls
Size

660KB
MD5

0e5fe8af64b1c5ead75e629b8afd34c0
SHA1

3f37deb279e3ad45dd7c5c6a8656bbc07cd8157c
SHA256

6ca95953e88828830e9cdecb6f56a1139d7678b3d2bf2c2e32c27ee01cece84e
SHA512

1e5dc477905df85320e06de37900763d276f11d131d818940588f5d65116d1c5c132d56630a3ae7e13df7dc351485d1833178c0c6d154b4b96f2f0d5bc591500

Score

10^/10

dridex 22201 botnet evasion loader trojan

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

178.238.236.59:443

104.245.52.73:5007

81.0.236.93:13786

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3504	652	mshta.exe	EXCEL.EXE

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/2468-275-0x0000000074350000-0x0000000074380000-memory.dmp	dridex_ldr

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

27 3504 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2468 rundll32.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe

flow	pid	process
27	3504	mshta.exe

pid	process
2468	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 27 qHebrewMixedAuthorizedScript
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

652 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

652 EXCEL.EXE
652 EXCEL.EXE

description	flow	ioc
HTTP User-Agent header	27	qHebrewMixedAuthorizedScript

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

EXCEL.EXEmshta.exerundll32.exe

description	pid	process	target process
PID 652 wrote to memory of 3504	652	EXCEL.EXE	mshta.exe
PID 652 wrote to memory of 3504	652	EXCEL.EXE	mshta.exe
PID 3504 wrote to memory of 2324	3504	mshta.exe	rundll32.exe
PID 3504 wrote to memory of 2324	3504	mshta.exe	rundll32.exe
PID 2324 wrote to memory of 2468	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2468	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2468	2324	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0e5fe8af64b1c5ead75e629b8afd34c0.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SYSTEM32\mshta.exe
mshta C:\ProgramData//klRangeAutoFormatTable7.sct
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe C:\ProgramData\qDBarStacked100.dll,SetRealTimeUsage
3⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\ProgramData\qDBarStacked100.dll,SetRealTimeUsage
4⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\klRangeAutoFormatTable7.sct
MD5
c6af6300f72f74ec6ad729068673f210

SHA1
a1d68d06e0accfb8b3aa9c899287aa2118dee42d

SHA256
ef77018232319cd118952f3f1e8877d87b99fb0eac2f3506d48025d788b517f1

SHA512
e5ba5aaf5d6e6402be65960745b0230dbf258d79620ddf5d67f08bf6a12694b44248b1552dc51c0b51fdb7a731dd437085d715fbe9156b80fd02ca36f1dac1b4

Download Submit
C:\ProgramData\qDBarStacked100.dll
MD5
adb1d947f0901a4f3cb0b8ad1a6ee385

SHA1
b82715bbeab52f75dd44f6396593111ae242632c

SHA256
55bc0af1e99d0310ea3e8668aba02e4d3aa3c800b85fe304a6377968a4668cc1

SHA512
7eea926f405b066917262ad31e109773c40373e6254a25e2b25c53175a8ca7aabc66e275672af38e45eabcd2080f8236078f709ed0332a092cc41b5afea5a606

Download Submit
\ProgramData\qDBarStacked100.dll
MD5
adb1d947f0901a4f3cb0b8ad1a6ee385

SHA1
b82715bbeab52f75dd44f6396593111ae242632c

SHA256
55bc0af1e99d0310ea3e8668aba02e4d3aa3c800b85fe304a6377968a4668cc1

SHA512
7eea926f405b066917262ad31e109773c40373e6254a25e2b25c53175a8ca7aabc66e275672af38e45eabcd2080f8236078f709ed0332a092cc41b5afea5a606

Download Submit
memory/652-117-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/652-118-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/652-120-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/652-122-0x00007FFD10780000-0x00007FFD1186E000-memory.dmp

Filesize
16.9MB

Download
memory/652-123-0x0000029F21020000-0x0000029F22F15000-memory.dmp

Filesize
31.0MB

Download
memory/652-74983-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/652-74977-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/652-114-0x00007FF7623E0000-0x00007FF765996000-memory.dmp

Filesize
53.7MB

Download
memory/652-116-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/652-74979-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/652-115-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/652-74980-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/2324-271-0x0000000000000000-mapping.dmp

Download
memory/2468-277-0x0000000003470000-0x0000000003476000-memory.dmp

Filesize
24KB

Download
memory/2468-275-0x0000000074350000-0x0000000074380000-memory.dmp

Filesize
192KB

Download
memory/2468-273-0x0000000000000000-mapping.dmp

Download
memory/3504-260-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads