Analysis
- max time kernel: 118s
- max time network: 155s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 12:40
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.VB.Trojan.Valyria.5105.29893.19434.xlsm
- Resource: win7v20210410
General
- Target: SecuriteInfo.com.VB.Trojan.Valyria.5105.29893.19434.xlsm
- Size: 334KB
- MD5: 1f196d875fd7d89ac57831926bbb9563
- SHA1: 3ed1e676f334ab3f82d3a056dad079f85458bfb4
- SHA256: 081618f7d9c6c92271f8d6bc65c8e13f33dfe9e5022f06aaec95664ee31fead4
- SHA512: 299011aff7cf8e9d2c2b74f0ffa64ea733516fb22f4aeed0400c5e3da9f548199024ce7317d849c4af27c3c9de95bc947eaa3f3ffc0e211d94cf60ec4c71f7b2
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 45.79.33.48:443
  - 139.162.202.74:5007
  - 68.183.216.174:7443
Signatures

- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description / pid / pid_target / process / target process):
  - Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process; 1184; 1728; mshta.exe; EXCEL.EXE

- Yara match (resource / yara_rule):
  - behavioral1/memory/1832-73-0x000000006AA80000-0x000000006AAB0000-memory.dmp; dridex_ldr

- Blocklisted process makes network request (1 IoCs)
  Processes (flow / pid / process):
  - 6; 1184; mshta.exe

- Downloads MZ/PE file

- Loads dropped DLL (4 IoCs)
  Processes (pid / process):
  - 1832; rundll32.exe (4 entries)

- Checks whether UAC is enabled
  Processes (description / ioc / process):
  - Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; rundll32.exe

- Office loads VBA resources, possible macro or embedded object present

- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Key opened; \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor; EXCEL.EXE

- Modifies Internet Explorer settings
  Processes (description / ioc / process):
  - Set value (str); \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"; EXCEL.EXE
  - Set value (int); \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"; EXCEL.EXE
  - Key created; \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main; mshta.exe
  - Set value (str); \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"; EXCEL.EXE
  - Set value (str); \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"; EXCEL.EXE
  - Key created; \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote; EXCEL.EXE
  - Set value (int); \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"; EXCEL.EXE
  - Key created; \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel; EXCEL.EXE
  - Key created; \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar; EXCEL.EXE
  - Key created; \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt; EXCEL.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid / process):
  - 1728; EXCEL.EXE

- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (pid / process):
  - 1728; EXCEL.EXE (5 entries)

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
  - PID 1728 wrote to memory of 1184; 1728; EXCEL.EXE; mshta.exe (4 entries)
  - PID 1184 wrote to memory of 1832; 1184; mshta.exe; rundll32.exe (7 entries)
Processes

- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Trojan.Valyria.5105.29893.19434.xlsm
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\mshta.exe
    Command line: mshta C:\ProgramData//theExcel2FarEast.sct
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\ProgramData\qRangeAutoFormatReport3.dll,AddLookaside
      - Loads dropped DLL
      - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\qRangeAutoFormatReport3.dll
  - MD5: fde6b5be428ee0956ab4ef231ed21dd7
  - SHA1: a223c73bdf81d1cee58b20bfaeab412c0b2a99d9
  - SHA256: b60c01e98969144fc8d3229a9d3b82de13879444d91f558ea4483547141b85a5
  - SHA512: 9f5de9a37e2e61622d2d1c8e8c52d39f782c093d64feeffd5fc3b7f5a53f8258a80a274c58a4d15651c8e1c4f219a7856aa5f864b449ffc9d2c6566ad6a0209e

- C:\ProgramData\theExcel2FarEast.sct
  - MD5: d502793876b466c8d509f07f69dd6647
  - SHA1: b4e10b05725012686f5ae04df9c29df280d8687c
  - SHA256: 17fa31bbdfae8ac22fca19c90c18e0a97e50400f889bdc73d1fa940d16a791f5
  - SHA512: d135b0528e4e32f8a4b9508078385a1c2e95b8068d3dc771c0a5a51942278624ee9d0f730e77d3684c103ce422ebf923e9bfb62152e7c48db06251ec06a79856
- memory/1184-63-0x0000000000000000-mapping.dmp
- memory/1184-64-0x0000000075971000-0x0000000075973000-memory.dmp (Filesize 8KB)
- memory/1728-60-0x000000002F1C1000-0x000000002F1C4000-memory.dmp (Filesize 12KB)
- memory/1728-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/1728-61-0x00000000716F1000-0x00000000716F3000-memory.dmp (Filesize 8KB)
- memory/1728-76-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/1832-66-0x0000000000000000-mapping.dmp
- memory/1832-73-0x000000006AA80000-0x000000006AAB0000-memory.dmp (Filesize 192KB)
- memory/1832-75-0x00000000001C0000-0x00000000001C6000-memory.dmp (Filesize 24KB)