Analysis

Max time kernel: 150s
Max time network: 152s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 26-07-2021 16:11

Static task: static1
Behavioral task: behavioral1
Sample: 9384bb6127c78785cdb717a01f7d8efcb9c8b401a0aec4d943b3214c1032fac7.xlsm
Resource: win7v20210410
General

Target: 9384bb6127c78785cdb717a01f7d8efcb9c8b401a0aec4d943b3214c1032fac7.xlsm
Size: 328KB
MD5: 5049c8efe625f614b1548ddae83fc621
SHA1: 58f791beff16d82d9ec1f65ddb327ff297c7759d
SHA256: 9384bb6127c78785cdb717a01f7d8efcb9c8b401a0aec4d943b3214c1032fac7
SHA512: b11a347d28a6402404833f98936ac85d6cab8b4c8e09154b525d6bde57f66148172f5f411eff5791fc20e8d97293ed28a78729f153493f9b900c4d50bf00564c
Malware Config

Extracted family: dridex
22201
C2 addresses:
- 45.79.33.48:443
- 139.162.202.74:5007
- 68.183.216.174:7443
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | PID 1764 (mshta.exe), parent PID 788 (EXCEL.EXE)

YARA rule match
Processes:
- behavioral1/memory/1256-71-0x000000006AF20000-0x000000006AF50000-memory.dmp | rule: dridex_ldr

Blocklisted process makes network request (1 IoC)
Processes:
- flow 3 | PID 1764 (mshta.exe)

Downloads MZ/PE file

Loads dropped DLL (4 IoCs)
Processes:
- PID 1256 (rundll32.exe), 4 occurrences

Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Modifies Internet Explorer settings
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
- Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
- Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- PID 788 (EXCEL.EXE)

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
- PID 788 (EXCEL.EXE), 5 occurrences

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 788 (EXCEL.EXE) wrote to memory of PID 1764 (mshta.exe), 4 occurrences
- PID 1764 (mshta.exe) wrote to memory of PID 1256 (rundll32.exe), 7 occurrences
Processes

PID 788: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9384bb6127c78785cdb717a01f7d8efcb9c8b401a0aec4d943b3214c1032fac7.xlsm
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  PID 1764 (child of 788): C:\Windows\SysWOW64\mshta.exe
  Command line: mshta C:\ProgramData//theListDataTypeDateTime.sct
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

    PID 1256 (child of 1764): C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\ProgramData\qPublishers.dll,AddLookaside
    - Loads dropped DLL
    - Checks whether UAC is enabled
Downloads
- C:\ProgramData\qPublishers.dll
  MD5: ebdfd39f4b9ab189cd32b271db4bb3ac
  SHA1: 839ca7bf434c05541e2df56e1eab0819a5822b1d
  SHA256: 0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53
  SHA512: f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe
- C:\ProgramData\theListDataTypeDateTime.sct
  MD5: e33708c84c76743f9d601956537e3466
  SHA1: 9c5c43a7d21b0ce4390aaf9c90a1091e95d8dfab
  SHA256: ae9b0957dba2915d5c83744e397746be4f6e0e374ceff96a5d6e5b71e5f8b0d9
  SHA512: 24ae058bbd2360a81c41787a5e0453710dd5975c04728715f21e724911d9ca2c651659e006771beb57a0991f97993a7805ddaba45a925eb87bce7eca59d68904
- memory/788-60-0x0000000071711000-0x0000000071713000-memory.dmp (8KB)
- memory/788-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/788-59-0x000000002F0A1000-0x000000002F0A4000-memory.dmp (12KB)
- memory/1256-65-0x0000000075551000-0x0000000075553000-memory.dmp (8KB)
- memory/1256-64-0x0000000000000000-mapping.dmp
- memory/1256-71-0x000000006AF20000-0x000000006AF50000-memory.dmp (192KB)
- memory/1256-73-0x0000000000180000-0x0000000000186000-memory.dmp (24KB)
- memory/1764-62-0x0000000000000000-mapping.dmp