dridex | f3b8f148365e3e24d29954ef8541d32bdf7da1f0bc644adf3a9bd702bb2b8e5f

General

Target

Invoice_238880.xlsm
Size

332KB
MD5

814593d39bfff7912ad3b235d72880f1
SHA1

e22a41f3e27deb098f2b6663c174cf1ff2d8becc
SHA256

f3b8f148365e3e24d29954ef8541d32bdf7da1f0bc644adf3a9bd702bb2b8e5f
SHA512

d7fde5c8292b5cc2f0443c6ec593ec9c4a3a073d1c3f6c6a308471340e2247ae56ac269737474ca805244030d95bc55a898bb84771c07367e1411ae2dfded642

Score

10^/10

dridex 22201 botnet evasion loader trojan

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

45.79.33.48:443

139.162.202.74:5007

68.183.216.174:7443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1364	1628	mshta.exe	EXCEL.EXE

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1688-73-0x000000006B040000-0x000000006B070000-memory.dmp	dridex_ldr

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

5 1364 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1688 rundll32.exe
1688 rundll32.exe
1688 rundll32.exe
1688 rundll32.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
5	1364	mshta.exe

pid	process
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1628 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1628 EXCEL.EXE
1628 EXCEL.EXE
1628 EXCEL.EXE
1628 EXCEL.EXE
1628 EXCEL.EXE

pid	process
1628	EXCEL.EXE

pid	process
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEmshta.exe

description	pid	process	target process
PID 1628 wrote to memory of 1364	1628	EXCEL.EXE	mshta.exe
PID 1628 wrote to memory of 1364	1628	EXCEL.EXE	mshta.exe
PID 1628 wrote to memory of 1364	1628	EXCEL.EXE	mshta.exe
PID 1628 wrote to memory of 1364	1628	EXCEL.EXE	mshta.exe
PID 1364 wrote to memory of 1688	1364	mshta.exe	rundll32.exe
PID 1364 wrote to memory of 1688	1364	mshta.exe	rundll32.exe
PID 1364 wrote to memory of 1688	1364	mshta.exe	rundll32.exe
PID 1364 wrote to memory of 1688	1364	mshta.exe	rundll32.exe
PID 1364 wrote to memory of 1688	1364	mshta.exe	rundll32.exe
PID 1364 wrote to memory of 1688	1364	mshta.exe	rundll32.exe
PID 1364 wrote to memory of 1688	1364	mshta.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice_238880.xlsm
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\mshta.exe
mshta C:\ProgramData//theLowerCaseColumnLetter.sct
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\ProgramData\qKatakanaHalf.dll,AddLookaside
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qKatakanaHalf.dll
MD5
ebdfd39f4b9ab189cd32b271db4bb3ac

SHA1
839ca7bf434c05541e2df56e1eab0819a5822b1d

SHA256
0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53

SHA512
f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe

Download Submit
C:\ProgramData\theLowerCaseColumnLetter.sct
MD5
211328ccfdf739bb99c84b0e05b8c671

SHA1
bed9c7ab07c7d898c898f467ea0d473253bec68c

SHA256
ac1e1e446879047d2c187ef007d3b53cf09123517611168e3b1c7519d0033896

SHA512
007c836043d7b981b39345946398bbbaa7c6f7e42ab842003806a58ae11c3fa7c9d677633866eee680aefd7ce3edb9a9d8e001407dc08dfb513b8c73ccd1537d

Download Submit
\ProgramData\qKatakanaHalf.dll
MD5
ebdfd39f4b9ab189cd32b271db4bb3ac

SHA1
839ca7bf434c05541e2df56e1eab0819a5822b1d

SHA256
0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53

SHA512
f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe

Download Submit
\ProgramData\qKatakanaHalf.dll
MD5
ebdfd39f4b9ab189cd32b271db4bb3ac

SHA1
839ca7bf434c05541e2df56e1eab0819a5822b1d

SHA256
0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53

SHA512
f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe

Download Submit
\ProgramData\qKatakanaHalf.dll
MD5
ebdfd39f4b9ab189cd32b271db4bb3ac

SHA1
839ca7bf434c05541e2df56e1eab0819a5822b1d

SHA256
0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53

SHA512
f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe

Download Submit
\ProgramData\qKatakanaHalf.dll
MD5
ebdfd39f4b9ab189cd32b271db4bb3ac

SHA1
839ca7bf434c05541e2df56e1eab0819a5822b1d

SHA256
0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53

SHA512
f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe

Download Submit
memory/1364-63-0x0000000000000000-mapping.dmp

Download
memory/1364-64-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1628-60-0x000000002F8B1000-0x000000002F8B4000-memory.dmp

Filesize
12KB

Download
memory/1628-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1628-61-0x0000000071831000-0x0000000071833000-memory.dmp

Filesize
8KB

Download
memory/1628-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1688-66-0x0000000000000000-mapping.dmp

Download
memory/1688-73-0x000000006B040000-0x000000006B070000-memory.dmp

Filesize
192KB

Download
memory/1688-75-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads