Analysis

Max time kernel: 150s
Max time network: 134s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 27-07-2021 09:27
Static task: static1
URLScan task: urlscan1
Sample: https://cdn.discordapp.com/attachments/869191622208925709/869213951068614656/Invoice_3326809.xlsm
General

Malware Config

Extracted family: dridex
Botnet: 22202
C2: 45.79.33.48:443
C2: 139.162.202.74:5007
C2: 68.183.216.174:7443
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid: 4452 (mshta.exe); pid_target: 2732 (EXCEL.EXE)
Processes:
  resource: behavioral1/memory/4576-287-0x000000006F350000-0x000000006F380000-memory.dmp
  yara_rule: dridex_ldr
Blocklisted process makes network request (1 IoC)
Processes:
  flow: 27; pid: 4452; process: mshta.exe
Downloads MZ/PE file

Processes:
  resource: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OVHLE5P6\Invoice_3326809.xlsm.9unrd1b.partial
  yara_rule: office_macros
Loads dropped DLL (1 IoC)
Processes:
  pid: 4576; process: rundll32.exe
Checks whether UAC is enabled
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 339704ea112ed701 (iexplore.exe)
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
Modifies registry class (1 IoC)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings (iexplore.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid: 2732; process: EXCEL.EXE
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid: 3944; process: iexplore.exe (2 entries)
  pid: 2732; process: EXCEL.EXE (2 entries)
Suspicious use of SetWindowsHookEx (24 IoCs)
Processes:
  pid: 3944; process: iexplore.exe (2 entries)
  pid: 1328; process: IEXPLORE.EXE (2 entries)
  pid: 2732; process: EXCEL.EXE (20 entries)
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  PID 3944 (iexplore.exe) wrote to memory of 1328 (IEXPLORE.EXE): 3 entries
  PID 3944 (iexplore.exe) wrote to memory of 2732 (EXCEL.EXE): 3 entries
  PID 2732 (EXCEL.EXE) wrote to memory of 4452 (mshta.exe): 2 entries
  PID 4452 (mshta.exe) wrote to memory of 4552 (rundll32.exe): 2 entries
  PID 4552 (rundll32.exe) wrote to memory of 4576 (rundll32.exe): 3 entries
Processes

- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/869191622208925709/869213951068614656/Invoice_3326809.xlsm
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3944 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OVHLE5P6\Invoice_3326809.xlsm"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\mshta.exe
      Command line: mshta C:\ProgramData//theParamTypeSmallInt.sct
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\rundll32.exe
        Command line: rundll32.exe C:\ProgramData\qPaperEnvelopePersonal.dll,AddLookaside
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32.exe C:\ProgramData\qPaperEnvelopePersonal.dll,AddLookaside
          - Loads dropped DLL
          - Checks whether UAC is enabled
Downloads

- C:\ProgramData\qPaperEnvelopePersonal.dll
  MD5: 98cba5d4e3bc55750e6716b3d952e375
  SHA1: 2b8ae91d2d044eeae4456fb000cd92583abcdfe3
  SHA256: 00072be4185289677e5babb9fda5279b5c2886683ebd7ea22d36f4bc9683b3e5
  SHA512: 52a392878a8fd99ea1100f36c42c29886cd49a2c03c3aec862731f97517950010c0af44a04a304861c9402d3aa8405e6e04408d52e3ee42d311dbdd1960ff953
- C:\ProgramData\theParamTypeSmallInt.sct
  MD5: 92a9626c7da7b2e83ffc085503d472dd
  SHA1: 9eb0f57b72a6ebb0be7d6c2008cda52e4dbd70fc
  SHA256: 04a3042944f0aeab3f11c71769513509a2c697bdb0a19b8d0cd42a9f77d5b987
  SHA512: 89a9f0485f348f991bc63559ae34d3cc739f6e60639c162415b59b48aef24815f86628a60415bf81c9d58e4064ebae7102181e2de69c06022766127c6cdec6a8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OVHLE5P6\Invoice_3326809.xlsm.9unrd1b.partial
  MD5: 86c63e5a375f54c79cfa007828400a5d
  SHA1: 858168c7285d60d905470d70c32962a1367ea947
  SHA256: 297fa628e174f62edfc8ecf1e4ec79d8f177fe89308a0c04a0b55693af0a776f
  SHA512: 39c357bef2f317080dc115803d211a1d8294360a7002e38a8e7d7a5cd86d2b3c0d6faaa9535e2c5787dfc00b7e450ee03e3b3f259e0dd95e196a850a16d45f79
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DQN394Q4.cookie
  MD5: 81fce24bf7ee966b37a21910dd50bd3e
  SHA1: 64ce52e9c4cf38d088dcaf4ccfe40bb7171ec20f
  SHA256: 293e1410b11bcb08f89a8a9f26195856caffb697296cfe0cf10d81a321526477
  SHA512: 9ac5c31a88664259154a8d20d89cf46495556f7d5f9f2971ceed7f4c4b2029f56c327eb8b0ff89bf67a146104145824ccf47d28757438f948f7cf21b47b5dd44
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ITSAV4WV.cookie
  MD5: 6f6b3684523e5fe4554b6464bbfe9565
  SHA1: 151349d9c58c5c6e7f26415b929d569786c6dcee
  SHA256: 0bf327af597893982b72f8f7e349df4835073762a9231c06f6ce4a6c1a53ad05
  SHA512: 496934cbdfebd800ee7b33ec814a2e905d9910eea49938b035f976a631df260b60a2d74af25903e0e81139b067cedd73b67f5f1a291aaa3a72b8df643e67249a