Analysis
- max time kernel: 102s
- max time network: 113s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 27-07-2021 07:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: Invoice_158572.xlsm
- Resource: win7v20210408
General
- Target: Invoice_158572.xlsm
- Size: 331KB
- MD5: 725b1026b0aebbd378424aa9cde30b22
- SHA1: b637df8ceab8bca97aee7c40bfe6ce06a3d89c74
- SHA256: 876692ae15f9f333ab388773d219f0b6937d2e24fe96bf834dc681de220dfaa9
- SHA512: 129387072cc9a22af3a28e7565cb80f786f7fc30046fb504ce43de2966f089f2ee9243d4d7de08f28c3e237e460f22db24ea7a2d3a4e3cbe4b1eff03ea324972
Malware Config
Extracted
- Family: dridex
- 22202
- C2: 45.79.33.48:443
- C2: 139.162.202.74:5007
- C2: 68.183.216.174:7443
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1692 | 1308 | mshta.exe | EXCEL.EXE
- Processes (resource | yara_rule):
  behavioral1/memory/320-73-0x000000006A5F0000-0x000000006A620000-memory.dmp | dridex_ldr
- Blocklisted process makes network request (1 IoCs)
  Processes (flow | pid | process):
  2 | 1692 | mshta.exe
- Downloads MZ/PE file
- Loads dropped DLL (4 IoCs)
  Processes (pid | process):
  320 | rundll32.exe
  320 | rundll32.exe
  320 | rundll32.exe
  320 | rundll32.exe
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Modifies Internet Explorer settings
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
  1308 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (pid | process):
  1308 | EXCEL.EXE
  1308 | EXCEL.EXE
  1308 | EXCEL.EXE
  1308 | EXCEL.EXE
  1308 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  PID 1308 wrote to memory of 1692 | 1308 | EXCEL.EXE | mshta.exe
  PID 1308 wrote to memory of 1692 | 1308 | EXCEL.EXE | mshta.exe
  PID 1308 wrote to memory of 1692 | 1308 | EXCEL.EXE | mshta.exe
  PID 1308 wrote to memory of 1692 | 1308 | EXCEL.EXE | mshta.exe
  PID 1692 wrote to memory of 320 | 1692 | mshta.exe | rundll32.exe
  PID 1692 wrote to memory of 320 | 1692 | mshta.exe | rundll32.exe
  PID 1692 wrote to memory of 320 | 1692 | mshta.exe | rundll32.exe
  PID 1692 wrote to memory of 320 | 1692 | mshta.exe | rundll32.exe
  PID 1692 wrote to memory of 320 | 1692 | mshta.exe | rundll32.exe
  PID 1692 wrote to memory of 320 | 1692 | mshta.exe | rundll32.exe
  PID 1692 wrote to memory of 320 | 1692 | mshta.exe | rundll32.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice_158572.xlsm
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\mshta.exe
    Command line: mshta C:\ProgramData//theMillions.sct
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\ProgramData\qCurrencyTrailingZeros.dll,AddLookaside
      - Loads dropped DLL
      - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\qCurrencyTrailingZeros.dll
  MD5: 71571c1702739aa58db4c5ac426c9817
  SHA1: 24b25a50153f98d95c81e6a49648b778891caf35
  SHA256: 828d60f696d4ee8c80b6a17a3b2462a744d87297b8016488ef67dc20ca86a5be
  SHA512: ded731b963949fcb69c19333acad21e87540561e1c06ba2499a68355d64c87f0bcba5b4dc10ca1f212e8578b677480c2f1443984b2bee8fd31e505055d624b47
- C:\ProgramData\theMillions.sct
  MD5: 543b5073292e18f6d86747af0dfb751a
  SHA1: 0e58d660389cd4e7c476f3e582e56389e0531e8e
  SHA256: ad50d644539f25d89bf06bd8d5f5fcd6ab7b3db1b84c519b5767d8799f2b885a
  SHA512: 48f6a9b0700f4a4968ec79e0e33c10013a3695c3aeed41f7293c2495e325df6e831429b9a1871c51f9122f5591d34f6e731f496bf8fb68469b72d6c522901ecb
- \ProgramData\qCurrencyTrailingZeros.dll
  MD5: 71571c1702739aa58db4c5ac426c9817
  SHA1: 24b25a50153f98d95c81e6a49648b778891caf35
  SHA256: 828d60f696d4ee8c80b6a17a3b2462a744d87297b8016488ef67dc20ca86a5be
  SHA512: ded731b963949fcb69c19333acad21e87540561e1c06ba2499a68355d64c87f0bcba5b4dc10ca1f212e8578b677480c2f1443984b2bee8fd31e505055d624b47
- memory/320-66-0x0000000000000000-mapping.dmp
- memory/320-73-0x000000006A5F0000-0x000000006A620000-memory.dmp (Filesize: 192KB)
- memory/320-75-0x00000000001C0000-0x00000000001C6000-memory.dmp (Filesize: 24KB)
- memory/1308-60-0x000000002FC01000-0x000000002FC04000-memory.dmp (Filesize: 12KB)
- memory/1308-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1308-61-0x0000000070E11000-0x0000000070E13000-memory.dmp (Filesize: 8KB)
- memory/1308-76-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1692-64-0x0000000075451000-0x0000000075453000-memory.dmp (Filesize: 8KB)
- memory/1692-63-0x0000000000000000-mapping.dmp