Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 08:49

Static task: static1
Behavioral task: behavioral1
- Sample: Invoice_020634.xlsm
- Resource: win7v20210410
General
- Target: Invoice_020634.xlsm
- Size: 73KB
- MD5: 86a156d545f23e81be35433443bb6da2
- SHA1: c5df03d08806f1faa990ea3a71ac447aecc7185c
- SHA256: e08fa4239a4c5ed68a5efd79953489da0ba5c3505c19888be83533dea837f99c
- SHA512: 18f07926d0d8f59243824c19825c5b1c6e8589c40b13d780f280ae9279f186c05c8a48768301b68926086eb82803da923bfa154844a1af9ace0a2d0c0010bbd8
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 45.79.33.48:443
  - 139.162.202.74:5007
  - 68.183.216.174:7443
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1236 | 4068 | mshta.exe | EXCEL.EXE
-
Processes:
  resource | yara_rule
  behavioral2/memory/752-271-0x00000000755E0000-0x0000000075610000-memory.dmp | dridex_ldr
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  24 | 1236 | mshta.exe
-
Downloads MZ/PE file
-
Loads dropped DLL 1 IoCs
Processes:
  pid | process
  752 | rundll32.exe
Checks whether UAC is enabled 1 IoCs
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  4068 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
  pid | process
  4068 | EXCEL.EXE (14 occurrences)
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
  description | pid | process | target process
  PID 4068 wrote to memory of 1236 | 4068 | EXCEL.EXE | mshta.exe (2 occurrences)
  PID 1236 wrote to memory of 2112 | 1236 | mshta.exe | rundll32.exe (2 occurrences)
  PID 2112 wrote to memory of 752 | 2112 | rundll32.exe | rundll32.exe (3 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4068)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice_020634.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\mshta.exe (PID 1236)
    mshta C:\ProgramData//theSourceQuery.sct
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\rundll32.exe (PID 2112)
      rundll32.exe C:\ProgramData\qSides.dll,AddLookaside
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe (PID 752)
        rundll32.exe C:\ProgramData\qSides.dll,AddLookaside
        - Loads dropped DLL
        - Checks whether UAC is enabled
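The process tree above is the part of this report a detection engineer would turn into rules: an Office process spawning mshta.exe, mshta executing a scriptlet from C:\ProgramData, and rundll32 loading a DLL from the same user-writable directory, with the 64-bit rundll32 re-launching itself from SysWOW64. The following is an added example, not code from the sandbox or from this report. It runs that logic over process-creation events constructed here to mirror the report's tree (same PIDs, images and command lines, plus two invented benign controls) and matches constructed network flows against the extracted Dridex C2 list; the pid/ppid/image/cmdline field names are an assumption in the style of Sysmon Event ID 1, not the sandbox's own schema.

```python
"""Detection logic for the Excel -> mshta -> rundll32 chain in this report.
Added example; events and flows are constructed, not exported from the sandbox."""
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
SCRIPT_EXT = (".sct", ".hta", ".js", ".vbs", ".txt")
# ProgramData and user profiles are writable by a standard user; System32 is not.
USER_WRITABLE = re.compile(r"^[A-Za-z]:[\\/]+(ProgramData|Users)[\\/]", re.IGNORECASE)
# C2 endpoints taken from the extracted Dridex config in this report.
DRIDEX_C2 = {("45.79.33.48", 443), ("139.162.202.74", 5007), ("68.183.216.174", 7443)}

# Constructed process-creation events. PIDs 4068/1236/2112/752 mirror the report's
# tree; PID 1000 (an assumed explorer.exe parent) and PID 900 are benign controls.
EVENTS = [
    {"pid": 4068, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice_020634.xlsm"'},
    {"pid": 1236, "ppid": 4068, "image": r"C:\Windows\SYSTEM32\mshta.exe",
     "cmdline": r"mshta C:\ProgramData//theSourceQuery.sct"},
    {"pid": 2112, "ppid": 1236, "image": r"C:\Windows\SYSTEM32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\qSides.dll,AddLookaside"},
    {"pid": 752, "ppid": 2112, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\qSides.dll,AddLookaside"},
    {"pid": 900, "ppid": 1000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
# Constructed flows: two to addresses from the extracted config, one unrelated.
FLOWS = [
    {"pid": 1236, "dst": "45.79.33.48", "dport": 443},
    {"pid": 752, "dst": "139.162.202.74", "dport": 5007},
    {"pid": 900, "dst": "13.107.4.50", "dport": 80},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline):
    """Split a command line on whitespace, keeping double-quoted tokens together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def office_ancestor_depth(event, by_pid, max_depth=8):
    """Walk the parent chain; return how many hops up the first Office process is, or None."""
    pid, depth = event["ppid"], 1
    while depth <= max_depth and pid in by_pid:
        if basename(by_pid[pid]["image"]) in OFFICE_IMAGES:
            return depth
        pid, depth = by_pid[pid]["ppid"], depth + 1
    return None


def analyze(events):
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        hits, name, args = [], basename(e["image"]), tokens(e["cmdline"])[1:]
        if name in LOLBINS:
            depth = office_ancestor_depth(e, by_pid)
            if depth == 1:
                hits.append("office_spawns_lolbin")        # the report's "unexpected child process"
            elif depth is not None:
                hits.append("lolbin_descends_from_office")  # rundll32 two and three hops below Excel
        if name == "mshta.exe" and any(USER_WRITABLE.match(a) and a.lower().endswith(SCRIPT_EXT) for a in args):
            hits.append("mshta_script_from_writable_dir")
        # rundll32 takes "<dll>,<export>"; judge the DLL path, not the export name
        if name == "rundll32.exe" and args and USER_WRITABLE.match(args[0].split(",")[0]):
            hits.append("rundll32_dll_from_writable_dir")
        if hits:
            findings[e["pid"]] = hits
    return findings


def c2_hits(flows):
    """Return the flows whose destination matches an extracted Dridex C2 endpoint."""
    return [f for f in flows if (f["dst"], f["dport"]) in DRIDEX_C2]


if __name__ == "__main__":
    for pid, rules in analyze(EVENTS).items():
        print(pid, ", ".join(rules))
    for f in c2_hits(FLOWS):
        print("C2 contact:", f)
```

The ancestry walk is what separates this from a plain parent/child rule: the 64-bit rundll32 (PID 2112) and the SysWOW64 re-launch (PID 752) have mshta and rundll32 as direct parents, so only the depth-limited walk back to EXCEL.EXE ties them to the document. The benign rundll32 loading shell32.dll from System32 produces no finding, which is the false-positive case a rule keyed only on the image name would trip on.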
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\qSides.dll
- MD5: 02e1f7df34415ccd004320ce55c0ff05
- SHA1: 72c99a54916d987c896bd40e0cad8a99d3898edf
- SHA256: e474b412e62ee6b6b270e0c4d1666a8c66ddac50277bccbc83a01fd8f36aca6d
- SHA512: 565e6ad0166b27caaff4576ebc314fc73283ae7ebe120fe4e6ceba1d6d44f409498965e80f55c021db219b17dc6f72f3b0ac182a8a85ad4d105e2ecca8391cc0
-
C:\ProgramData\theSourceQuery.sct
- MD5: 5c56b7f33c69ec4b073ff35a29a539c0
- SHA1: c3d3c992e7ea804bb3d07558666351fcd7bba4aa
- SHA256: d329171de4aee78c1edf6df59c1d7d33b3f2763e6273ce4636347a47eb5d951e
- SHA512: 1ecc81c62f6b968cb6530bf36d6b66aad821f40bb1f45921d0720160bc285a0118ddf0505c437470ba2cbd5a3029b497454dc75f0e63bb20338f47e9676a1ffd
-
\ProgramData\qSides.dll
- MD5: 02e1f7df34415ccd004320ce55c0ff05
- SHA1: 72c99a54916d987c896bd40e0cad8a99d3898edf
- SHA256: e474b412e62ee6b6b270e0c4d1666a8c66ddac50277bccbc83a01fd8f36aca6d
- SHA512: 565e6ad0166b27caaff4576ebc314fc73283ae7ebe120fe4e6ceba1d6d44f409498965e80f55c021db219b17dc6f72f3b0ac182a8a85ad4d105e2ecca8391cc0
-
memory/752-273-0x0000000002C00000-0x0000000002D4A000-memory.dmp (Filesize: 1.3MB)
-
memory/752-271-0x00000000755E0000-0x0000000075610000-memory.dmp (Filesize: 192KB)
-
memory/752-269-0x0000000000000000-mapping.dmp
-
memory/1236-263-0x0000000000000000-mapping.dmp
-
memory/2112-267-0x0000000000000000-mapping.dmp
-
memory/4068-123-0x00007FFDC1130000-0x00007FFDC3025000-memory.dmp (Filesize: 31.0MB)
-
memory/4068-122-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
-
memory/4068-114-0x00007FF6B0CB0000-0x00007FF6B4266000-memory.dmp (Filesize: 53.7MB)
-
memory/4068-121-0x00007FFDC3030000-0x00007FFDC411E000-memory.dmp (Filesize: 16.9MB)
-
memory/4068-118-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
-
memory/4068-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
-
memory/4068-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
-
memory/4068-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
-
memory/4068-91312-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
-
memory/4068-91314-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
-
memory/4068-91316-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
-
memory/4068-91317-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)