Analysis
- max time kernel: 101s
- max time network: 87s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 18:13

Static task: static1
Behavioral task: behavioral1
Sample: Invoice_238880.xlsm
Resource: win7v20210408
General
- Target: Invoice_238880.xlsm
- Size: 332KB
- MD5: 814593d39bfff7912ad3b235d72880f1
- SHA1: e22a41f3e27deb098f2b6663c174cf1ff2d8becc
- SHA256: f3b8f148365e3e24d29954ef8541d32bdf7da1f0bc644adf3a9bd702bb2b8e5f
- SHA512: d7fde5c8292b5cc2f0443c6ec593ec9c4a3a073d1c3f6c6a308471340e2247ae56ac269737474ca805244030d95bc55a898bb84771c07367e1411ae2dfded642
Malware Config
Extracted
- Family: dridex
- Botnet ID: 22201
- C2 endpoints:
  - 45.79.33.48:443
  - 139.162.202.74:5007
  - 68.183.216.174:7443
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
  pid: 1364 (mshta.exe), pid_target: 1628 (EXCEL.EXE)

YARA rule match: dridex_ldr
Processes:
- resource: behavioral1/memory/1688-73-0x000000006B040000-0x000000006B070000-memory.dmp, yara_rule: dridex_ldr

Blocklisted process makes network request (1 IoC)
Processes:
- flow: 5, pid: 1364, process: mshta.exe

Downloads MZ/PE file

Loads dropped DLL (4 IoCs)
Processes:
- pid: 1688, process: rundll32.exe (4 load events)

Checks whether UAC is enabled
Processes:
- description: Key value queried, ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, process: rundll32.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
- description: Key opened, ioc: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor, process: EXCEL.EXE

Modifies Internet Explorer settings
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- pid: 1628, process: EXCEL.EXE

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
- pid: 1628, process: EXCEL.EXE (5 events)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 1628 (EXCEL.EXE) wrote to memory of PID 1364 (mshta.exe): 4 events
- PID 1364 (mshta.exe) wrote to memory of PID 1688 (rundll32.exe): 7 events
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (level 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice_238880.xlsm
  Signatures:
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child:
  - C:\Windows\SysWOW64\mshta.exe (level 2)
    Command line: mshta C:\ProgramData//theLowerCaseColumnLetter.sct
    Signatures:
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    Child:
    - C:\Windows\SysWOW64\rundll32.exe (level 3)
      Command line: rundll32.exe C:\ProgramData\qKatakanaHalf.dll,AddLookaside
      Signatures:
      - Loads dropped DLL
      - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\qKatakanaHalf.dll
  MD5: ebdfd39f4b9ab189cd32b271db4bb3ac
  SHA1: 839ca7bf434c05541e2df56e1eab0819a5822b1d
  SHA256: 0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53
  SHA512: f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe
- C:\ProgramData\theLowerCaseColumnLetter.sct
  MD5: 211328ccfdf739bb99c84b0e05b8c671
  SHA1: bed9c7ab07c7d898c898f467ea0d473253bec68c
  SHA256: ac1e1e446879047d2c187ef007d3b53cf09123517611168e3b1c7519d0033896
  SHA512: 007c836043d7b981b39345946398bbbaa7c6f7e42ab842003806a58ae11c3fa7c9d677633866eee680aefd7ce3edb9a9d8e001407dc08dfb513b8c73ccd1537d
- \ProgramData\qKatakanaHalf.dll
  MD5: ebdfd39f4b9ab189cd32b271db4bb3ac
  SHA1: 839ca7bf434c05541e2df56e1eab0819a5822b1d
  SHA256: 0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53
  SHA512: f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe
- memory/1364-63-0x0000000000000000-mapping.dmp
- memory/1364-64-0x0000000075551000-0x0000000075553000-memory.dmp (8KB)
- memory/1628-60-0x000000002F8B1000-0x000000002F8B4000-memory.dmp (12KB)
- memory/1628-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1628-61-0x0000000071831000-0x0000000071833000-memory.dmp (8KB)
- memory/1628-76-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1688-66-0x0000000000000000-mapping.dmp
- memory/1688-73-0x000000006B040000-0x000000006B070000-memory.dmp (192KB)
- memory/1688-75-0x0000000000140000-0x0000000000146000-memory.dmp (24KB)