Analysis
- Max time kernel: 101s
- Max time network: 17s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 27-07-2021 07:58
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Invoice_94145565.xlsm
  - Resource: win7v20210410
General
- Target: Invoice_94145565.xlsm
- Size: 334KB
- MD5: 84dfcbf8006b609714e14ae85d94baa4
- SHA1: 3cbd6c0a05e587d0ebcb46c125bcb9a31814865c
- SHA256: c6ec076b4821de409d2fa1416b8419635421b732960a62e62bac6161040ab342
- SHA512: d9fec51e549006a400d1822445833651dc99055478d637630885ec54a93608f0417a0b49056008d18fbdc5af1c8c9c760ae4bb4b50cbb9a30a2e02f67b92b920
Malware Config
Extracted: dridex
- 22201
- 45.79.33.48:443
- 139.162.202.74:5007
- 68.183.216.174:7443
Signatures

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    mshta.exe (PID 1884), spawned by EXCEL.EXE (PID 2000): Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process

- YARA rule match
  Resource behavioral1/memory/1784-72-0x000000006B210000-0x000000006B240000-memory.dmp matches rule dridex_ldr

- Blocklisted process makes network request (1 IoC)
  Processes:
    mshta.exe (PID 1884), flow 2

- Downloads MZ/PE file

- Loads dropped DLL (4 IoCs)
  Processes:
    rundll32.exe (PID 1784), 4 occurrences

- Checks whether UAC is enabled
  Processes:
    rundll32.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

- Office loads VBA resources, possible macro or embedded object present

- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
    EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor

- Modifies Internet Explorer settings
  Processes:
    mshta.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main
    EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
    EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
    EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
    EXCEL.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
    EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    EXCEL.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar
    EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt
    EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    EXCEL.EXE (PID 2000)

- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
    EXCEL.EXE (PID 2000), 5 occurrences

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 2000 (EXCEL.EXE) wrote to memory of PID 1884 (mshta.exe), 4 occurrences
    PID 1884 (mshta.exe) wrote to memory of PID 1784 (rundll32.exe), 7 occurrences
Processes

- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice_94145565.xlsm
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\mshta.exe
    Command line: mshta C:\ProgramData//theChartTitle.sct
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\ProgramData\qSmartTagControlHelp.dll,AddLookaside
      - Loads dropped DLL
      - Checks whether UAC is enabled
Downloads

- C:\ProgramData\qSmartTagControlHelp.dll
  MD5: 58bf730c02fb67e6de279877eb281925
  SHA1: db2380c9d4e6ff9cd7dae6394f315753604adf6b
  SHA256: fbd108648a43add9a2e400640f3e60a7f31971d748ad0e3f8531a17fa328e7c6
  SHA512: b56283bc1a3f440d118e3c07b33dae78b4aca822fb18d195ed6754934cc210314a770cfede8d05b64357d785e75314c19f52a0e5c3841a69ca114e7936fd395f

- C:\ProgramData\theChartTitle.sct
  MD5: 17554e4f20c91f8ba5810f4ac2ac24a8
  SHA1: 62faf509ab7acadf5ba052e8bd36370a65ea9629
  SHA256: 6553dd838a05151eb7ba9d84336187b165f12c7003e5e4b2b32a04979f42e1ab
  SHA512: 45f57db4500538e573c0dcbcac4472711a0f165dff3c6be616959d82ae3cea38cbfad567580ab0cd89e31da4378e5fee5bcb94cad24257175961e59f200f252f
Memory dumps:
- memory/1784-66-0x00000000765F1000-0x00000000765F3000-memory.dmp (8KB)
- memory/1784-65-0x0000000000000000-mapping.dmp
- memory/1784-72-0x000000006B210000-0x000000006B240000-memory.dmp (192KB)
- memory/1784-74-0x0000000000280000-0x0000000000286000-memory.dmp (24KB)
- memory/1884-63-0x0000000000000000-mapping.dmp
- memory/2000-60-0x000000002FFA1000-0x000000002FFA4000-memory.dmp (12KB)
- memory/2000-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/2000-61-0x0000000071CC1000-0x0000000071CC3000-memory.dmp (8KB)
- memory/2000-75-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)