Analysis
- max time kernel: 101s
- max time network: 129s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 08:49

Static task: static1
Behavioral task: behavioral1
- Sample: Invoice_020634.xlsm
- Resource: win7v20210410
General
- Target: Invoice_020634.xlsm
- Size: 73KB
- MD5: 86a156d545f23e81be35433443bb6da2
- SHA1: c5df03d08806f1faa990ea3a71ac447aecc7185c
- SHA256: e08fa4239a4c5ed68a5efd79953489da0ba5c3505c19888be83533dea837f99c
- SHA512: 18f07926d0d8f59243824c19825c5b1c6e8589c40b13d780f280ae9279f186c05c8a48768301b68926086eb82803da923bfa154844a1af9ace0a2d0c0010bbd8
Malware Config
Extracted
- Family: dridex
- Botnet ID: 22201
- C2:
  - 45.79.33.48:443
  - 139.162.202.74:5007
  - 68.183.216.174:7443
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process:
    pid 1628 (mshta.exe), spawned by pid 1208 (EXCEL.EXE)
- YARA match: dridex_ldr (Dridex loader)
  resource behavioral1/memory/708-71-0x000000006AB40000-0x000000006AB70000-memory.dmp (rundll32.exe, pid 708) matched rule dridex_ldr
- Blocklisted process makes network request (1 IoC)
  flow 6, pid 1628 (mshta.exe)
- Downloads MZ/PE file
- Loads dropped DLL (4 IoCs)
  pid 708 (rundll32.exe), 4 loads
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Modifies Internet Explorer settings
  All keys below are under \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer:
    Key created      MenuExt (EXCEL.EXE)
    Key created      MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
    Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
    Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
    Key created      MenuExt\Se&nd to OneNote (EXCEL.EXE)
    Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
    Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
    Key created      Toolbar (EXCEL.EXE)
    Set value (str)  Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
    Key created      Main (mshta.exe)
  Caveat: the EXCEL.EXE entries are Office's own IE context-menu integration (Export to Microsoft Excel, Send to OneNote), normally written on first run, and the mshta.exe key is the IE engine initialising its profile; on its own this signature is weak evidence and the chain above carries the weight.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 1208 (EXCEL.EXE)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid 1208 (EXCEL.EXE), 5 calls
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1208 (EXCEL.EXE) wrote to memory of 1628 (mshta.exe): 4 times
  PID 1628 (mshta.exe) wrote to memory of 708 (rundll32.exe): 7 times
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (pid 1208)
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice_020634.xlsm
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe (pid 1628)
    mshta C:\ProgramData//theSourceQuery.sct
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (pid 708)
      rundll32.exe C:\ProgramData\qSides.dll,AddLookaside
      - Loads dropped DLL
      - Checks whether UAC is enabled
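The signatures and the process tree above describe one chain: EXCEL.EXE spawns mshta.exe with a scriptlet from C:\ProgramData, mshta.exe spawns rundll32.exe on a dropped DLL export, and the extracted config gives the Dridex C2 endpoints. The Python below is an added example that replays that chain as detection logic over process-creation and network-flow records; it is not code from this sandbox report, from Triage, or from the sample. The records are constructed from the report's process tree and malware config. The record field names (pid, ppid, image, cmdline and (pid, dst_ip, dst_port) flow tuples), the explorer.exe parent of EXCEL.EXE, the benign rundll32 control-panel launch used as a negative case, and the per-flow destinations are all assumptions, since the report only identifies the mshta flow by number.

```python
"""Replays the EXCEL.EXE -> mshta.exe -> rundll32.exe chain from the report as
detection logic. Added example, not code from the report, Triage or the sample;
records are constructed from the report's process tree and config, and the
field names, explorer.exe parent and flow destinations are assumptions."""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe",  # script hosts /
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}  # proxy-exec bins
STAGING_DIRS = ("c:\\programdata", "c:\\users\\public", "\\appdata\\local\\temp")
# Dridex C2 endpoints from the report's extracted config (botnet 22201).
DRIDEX_C2 = {("45.79.33.48", 443), ("139.162.202.74", 5007), ("68.183.216.174", 7443)}
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.dll)"?,(\w+)', re.I)

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def norm(path):
    # Collapse the "//" mshta was given (C:\ProgramData//theSourceQuery.sct).
    return re.sub(r"[\\/]+", r"\\", path).lower()

def ancestors(events, pid):
    """Image basenames of pid's parent, grandparent, ... (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    pid = by_pid[pid].ppid if pid in by_pid else None
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

def find_alerts(events):
    """Return (rule, pid, detail) for each LOLBin event that matches the chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img = basename(e.image)
        if img not in LOLBINS:
            continue
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        lineage = ancestors(events, e.pid)
        if pimg in OFFICE_IMAGES:
            alerts.append(("office_spawns_lolbin", e.pid, f"{pimg} -> {img}"))
        elif any(a in OFFICE_IMAGES for a in lineage):  # e.g. EXCEL -> mshta -> rundll32
            alerts.append(("office_in_ancestry", e.pid,
                           " -> ".join(reversed(lineage)) + f" -> {img}"))
        if any(d in norm(e.cmdline) for d in STAGING_DIRS):
            alerts.append(("lolbin_uses_staging_dir", e.pid, e.cmdline))
        m = RUNDLL_RE.search(e.cmdline)
        if m and not norm(m.group(1)).startswith("c:\\windows\\"):
            # rundll32 invoking an export of a DLL outside the Windows tree
            alerts.append(("rundll32_nonsystem_dll", e.pid, f"{m.group(1)},{m.group(2)}"))
    return alerts

def match_c2(events, flows):
    """flows are (pid, dst_ip, dst_port); return hits against DRIDEX_C2 with the image."""
    by_pid = {e.pid: e for e in events}
    return [(pid, basename(by_pid[pid].image) if pid in by_pid else "?", ip, port)
            for pid, ip, port in flows if (ip, port) in DRIDEX_C2]

# Constructed from the report's process tree; explorer.exe (pid 900) is assumed.
SAMPLE_EVENTS = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1208, 900, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
              r"C:\Users\Admin\AppData\Local\Temp\Invoice_020634.xlsm"),
    ProcEvent(1628, 1208, r"C:\Windows\SysWOW64\mshta.exe",
              r"mshta C:\ProgramData//theSourceQuery.sct"),
    ProcEvent(708, 1628, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\ProgramData\qSides.dll,AddLookaside"),
    # Benign control (constructed): rundll32 from explorer with a system DLL.
    ProcEvent(2000, 900, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]
# Constructed flows; the report identifies the mshta flow only by number.
SAMPLE_FLOWS = [(708, "139.162.202.74", 5007),   # C2 from the extracted config
                (708, "45.79.33.48", 8080),      # right IP, wrong port: no match
                (1208, "192.0.2.10", 443)]       # unrelated traffic

if __name__ == "__main__":
    print(*find_alerts(SAMPLE_EVENTS), *match_c2(SAMPLE_EVENTS, SAMPLE_FLOWS), sep="\n")
```

Run against the constructed records, the direct rule fires only for mshta.exe (pid 1628), the ancestry rule catches rundll32.exe (pid 708) one hop further down, both trip the staging-directory check, the rundll32 rule keys on the DLL living outside the Windows tree rather than on rundll32 itself (so the shell32.dll control case stays quiet), and the C2 match requires IP and port together so a coincidental hit on a shared IP does not fire.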
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\qSides.dll (also listed four more times as \ProgramData\qSides.dll with identical hashes, one per load by rundll32.exe)
  MD5: 02e1f7df34415ccd004320ce55c0ff05
  SHA1: 72c99a54916d987c896bd40e0cad8a99d3898edf
  SHA256: e474b412e62ee6b6b270e0c4d1666a8c66ddac50277bccbc83a01fd8f36aca6d
  SHA512: 565e6ad0166b27caaff4576ebc314fc73283ae7ebe120fe4e6ceba1d6d44f409498965e80f55c021db219b17dc6f72f3b0ac182a8a85ad4d105e2ecca8391cc0
- C:\ProgramData\theSourceQuery.sct
  MD5: 5c56b7f33c69ec4b073ff35a29a539c0
  SHA1: c3d3c992e7ea804bb3d07558666351fcd7bba4aa
  SHA256: d329171de4aee78c1edf6df59c1d7d33b3f2763e6273ce4636347a47eb5d951e
  SHA512: 1ecc81c62f6b968cb6530bf36d6b66aad821f40bb1f45921d0720160bc285a0118ddf0505c437470ba2cbd5a3029b497454dc75f0e63bb20338f47e9676a1ffd
- memory/708-65-0x0000000076661000-0x0000000076663000-memory.dmp (rundll32.exe): 8KB
- memory/708-64-0x0000000000000000-mapping.dmp (rundll32.exe)
- memory/708-71-0x000000006AB40000-0x000000006AB70000-memory.dmp (rundll32.exe): 192KB, matched YARA rule dridex_ldr
- memory/708-73-0x00000000000C0000-0x00000000000C6000-memory.dmp (rundll32.exe): 24KB
- memory/1208-59-0x000000002FE71000-0x000000002FE74000-memory.dmp (EXCEL.EXE): 12KB
- memory/1208-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (EXCEL.EXE): 64KB
- memory/1208-60-0x0000000071671000-0x0000000071673000-memory.dmp (EXCEL.EXE): 8KB
- memory/1208-74-0x000000005FFF0000-0x0000000060000000-memory.dmp (EXCEL.EXE): 64KB
- memory/1628-62-0x0000000000000000-mapping.dmp (mshta.exe)