dridex | 9384bb6127c78785cdb717a01f7d8efcb9c8b401a0aec4d943b3214c1032fac7

General

Target

9384bb6127c78785cdb717a01f7d8efcb9c8b401a0aec4d943b3214c1032fac7.xlsm
Size

328KB
MD5

5049c8efe625f614b1548ddae83fc621
SHA1

58f791beff16d82d9ec1f65ddb327ff297c7759d
SHA256

9384bb6127c78785cdb717a01f7d8efcb9c8b401a0aec4d943b3214c1032fac7
SHA512

b11a347d28a6402404833f98936ac85d6cab8b4c8e09154b525d6bde57f66148172f5f411eff5791fc20e8d97293ed28a78729f153493f9b900c4d50bf00564c

Score

10^/10

dridex 22201 botnet evasion loader trojan

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

45.79.33.48:443

139.162.202.74:5007

68.183.216.174:7443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1764	788	mshta.exe	EXCEL.EXE

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1256-71-0x000000006AF20000-0x000000006AF50000-memory.dmp	dridex_ldr

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

3 1764 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1256 rundll32.exe
1256 rundll32.exe
1256 rundll32.exe
1256 rundll32.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
3	1764	mshta.exe

pid	process
1256	rundll32.exe
1256	rundll32.exe
1256	rundll32.exe
1256	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

788 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

788 EXCEL.EXE
788 EXCEL.EXE
788 EXCEL.EXE
788 EXCEL.EXE
788 EXCEL.EXE

pid	process
788	EXCEL.EXE

pid	process
788	EXCEL.EXE
788	EXCEL.EXE
788	EXCEL.EXE
788	EXCEL.EXE
788	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEmshta.exe

description	pid	process	target process
PID 788 wrote to memory of 1764	788	EXCEL.EXE	mshta.exe
PID 788 wrote to memory of 1764	788	EXCEL.EXE	mshta.exe
PID 788 wrote to memory of 1764	788	EXCEL.EXE	mshta.exe
PID 788 wrote to memory of 1764	788	EXCEL.EXE	mshta.exe
PID 1764 wrote to memory of 1256	1764	mshta.exe	rundll32.exe
PID 1764 wrote to memory of 1256	1764	mshta.exe	rundll32.exe
PID 1764 wrote to memory of 1256	1764	mshta.exe	rundll32.exe
PID 1764 wrote to memory of 1256	1764	mshta.exe	rundll32.exe
PID 1764 wrote to memory of 1256	1764	mshta.exe	rundll32.exe
PID 1764 wrote to memory of 1256	1764	mshta.exe	rundll32.exe
PID 1764 wrote to memory of 1256	1764	mshta.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9384bb6127c78785cdb717a01f7d8efcb9c8b401a0aec4d943b3214c1032fac7.xlsm
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\mshta.exe
mshta C:\ProgramData//theListDataTypeDateTime.sct
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\ProgramData\qPublishers.dll,AddLookaside
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qPublishers.dll
MD5
ebdfd39f4b9ab189cd32b271db4bb3ac

SHA1
839ca7bf434c05541e2df56e1eab0819a5822b1d

SHA256
0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53

SHA512
f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe

Download Submit
C:\ProgramData\theListDataTypeDateTime.sct
MD5
e33708c84c76743f9d601956537e3466

SHA1
9c5c43a7d21b0ce4390aaf9c90a1091e95d8dfab

SHA256
ae9b0957dba2915d5c83744e397746be4f6e0e374ceff96a5d6e5b71e5f8b0d9

SHA512
24ae058bbd2360a81c41787a5e0453710dd5975c04728715f21e724911d9ca2c651659e006771beb57a0991f97993a7805ddaba45a925eb87bce7eca59d68904

Download Submit
\ProgramData\qPublishers.dll
MD5
ebdfd39f4b9ab189cd32b271db4bb3ac

SHA1
839ca7bf434c05541e2df56e1eab0819a5822b1d

SHA256
0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53

SHA512
f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe

Download Submit
\ProgramData\qPublishers.dll
MD5
ebdfd39f4b9ab189cd32b271db4bb3ac

SHA1
839ca7bf434c05541e2df56e1eab0819a5822b1d

SHA256
0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53

SHA512
f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe

Download Submit
\ProgramData\qPublishers.dll
MD5
ebdfd39f4b9ab189cd32b271db4bb3ac

SHA1
839ca7bf434c05541e2df56e1eab0819a5822b1d

SHA256
0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53

SHA512
f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe

Download Submit
\ProgramData\qPublishers.dll
MD5
ebdfd39f4b9ab189cd32b271db4bb3ac

SHA1
839ca7bf434c05541e2df56e1eab0819a5822b1d

SHA256
0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53

SHA512
f050cf3506ba11bb06710590e050c7e18a50815d5401d065fa4c3732afae718a509dbe3cc2a14fa040f7555414f2a183eba841e63d4df8112f00fcc78842afbe

Download Submit
memory/788-60-0x0000000071711000-0x0000000071713000-memory.dmp

Filesize
8KB

Download
memory/788-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/788-59-0x000000002F0A1000-0x000000002F0A4000-memory.dmp

Filesize
12KB

Download
memory/1256-65-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1256-64-0x0000000000000000-mapping.dmp

Download
memory/1256-71-0x000000006AF20000-0x000000006AF50000-memory.dmp

Filesize
192KB

Download
memory/1256-73-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/1764-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads