dridex | 876692ae15f9f333ab388773d219f0b6937d2e24fe96bf834dc681de220dfaa9

General

Target

Invoice_158572.xlsm
Size

331KB
MD5

725b1026b0aebbd378424aa9cde30b22
SHA1

b637df8ceab8bca97aee7c40bfe6ce06a3d89c74
SHA256

876692ae15f9f333ab388773d219f0b6937d2e24fe96bf834dc681de220dfaa9
SHA512

129387072cc9a22af3a28e7565cb80f786f7fc30046fb504ce43de2966f089f2ee9243d4d7de08f28c3e237e460f22db24ea7a2d3a4e3cbe4b1eff03ea324972

Score

10^/10

dridex 22202 botnet evasion loader trojan

Malware Config

Extracted

Family

dridex

Botnet

22202

C2

45.79.33.48:443

139.162.202.74:5007

68.183.216.174:7443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1692	1308	mshta.exe	EXCEL.EXE

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/320-73-0x000000006A5F0000-0x000000006A620000-memory.dmp	dridex_ldr

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

2 1692 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

320 rundll32.exe
320 rundll32.exe
320 rundll32.exe
320 rundll32.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
2	1692	mshta.exe

pid	process
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1308 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1308 EXCEL.EXE
1308 EXCEL.EXE
1308 EXCEL.EXE
1308 EXCEL.EXE
1308 EXCEL.EXE

pid	process
1308	EXCEL.EXE

pid	process
1308	EXCEL.EXE
1308	EXCEL.EXE
1308	EXCEL.EXE
1308	EXCEL.EXE
1308	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEmshta.exe

description	pid	process	target process
PID 1308 wrote to memory of 1692	1308	EXCEL.EXE	mshta.exe
PID 1308 wrote to memory of 1692	1308	EXCEL.EXE	mshta.exe
PID 1308 wrote to memory of 1692	1308	EXCEL.EXE	mshta.exe
PID 1308 wrote to memory of 1692	1308	EXCEL.EXE	mshta.exe
PID 1692 wrote to memory of 320	1692	mshta.exe	rundll32.exe
PID 1692 wrote to memory of 320	1692	mshta.exe	rundll32.exe
PID 1692 wrote to memory of 320	1692	mshta.exe	rundll32.exe
PID 1692 wrote to memory of 320	1692	mshta.exe	rundll32.exe
PID 1692 wrote to memory of 320	1692	mshta.exe	rundll32.exe
PID 1692 wrote to memory of 320	1692	mshta.exe	rundll32.exe
PID 1692 wrote to memory of 320	1692	mshta.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice_158572.xlsm
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\mshta.exe
mshta C:\ProgramData//theMillions.sct
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\ProgramData\qCurrencyTrailingZeros.dll,AddLookaside
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qCurrencyTrailingZeros.dll
MD5
71571c1702739aa58db4c5ac426c9817

SHA1
24b25a50153f98d95c81e6a49648b778891caf35

SHA256
828d60f696d4ee8c80b6a17a3b2462a744d87297b8016488ef67dc20ca86a5be

SHA512
ded731b963949fcb69c19333acad21e87540561e1c06ba2499a68355d64c87f0bcba5b4dc10ca1f212e8578b677480c2f1443984b2bee8fd31e505055d624b47

Download Submit
C:\ProgramData\theMillions.sct
MD5
543b5073292e18f6d86747af0dfb751a

SHA1
0e58d660389cd4e7c476f3e582e56389e0531e8e

SHA256
ad50d644539f25d89bf06bd8d5f5fcd6ab7b3db1b84c519b5767d8799f2b885a

SHA512
48f6a9b0700f4a4968ec79e0e33c10013a3695c3aeed41f7293c2495e325df6e831429b9a1871c51f9122f5591d34f6e731f496bf8fb68469b72d6c522901ecb

Download Submit
\ProgramData\qCurrencyTrailingZeros.dll
MD5
71571c1702739aa58db4c5ac426c9817

SHA1
24b25a50153f98d95c81e6a49648b778891caf35

SHA256
828d60f696d4ee8c80b6a17a3b2462a744d87297b8016488ef67dc20ca86a5be

SHA512
ded731b963949fcb69c19333acad21e87540561e1c06ba2499a68355d64c87f0bcba5b4dc10ca1f212e8578b677480c2f1443984b2bee8fd31e505055d624b47

Download Submit
\ProgramData\qCurrencyTrailingZeros.dll
MD5
71571c1702739aa58db4c5ac426c9817

SHA1
24b25a50153f98d95c81e6a49648b778891caf35

SHA256
828d60f696d4ee8c80b6a17a3b2462a744d87297b8016488ef67dc20ca86a5be

SHA512
ded731b963949fcb69c19333acad21e87540561e1c06ba2499a68355d64c87f0bcba5b4dc10ca1f212e8578b677480c2f1443984b2bee8fd31e505055d624b47

Download Submit
\ProgramData\qCurrencyTrailingZeros.dll
MD5
71571c1702739aa58db4c5ac426c9817

SHA1
24b25a50153f98d95c81e6a49648b778891caf35

SHA256
828d60f696d4ee8c80b6a17a3b2462a744d87297b8016488ef67dc20ca86a5be

SHA512
ded731b963949fcb69c19333acad21e87540561e1c06ba2499a68355d64c87f0bcba5b4dc10ca1f212e8578b677480c2f1443984b2bee8fd31e505055d624b47

Download Submit
\ProgramData\qCurrencyTrailingZeros.dll
MD5
71571c1702739aa58db4c5ac426c9817

SHA1
24b25a50153f98d95c81e6a49648b778891caf35

SHA256
828d60f696d4ee8c80b6a17a3b2462a744d87297b8016488ef67dc20ca86a5be

SHA512
ded731b963949fcb69c19333acad21e87540561e1c06ba2499a68355d64c87f0bcba5b4dc10ca1f212e8578b677480c2f1443984b2bee8fd31e505055d624b47

Download Submit
memory/320-66-0x0000000000000000-mapping.dmp

Download
memory/320-73-0x000000006A5F0000-0x000000006A620000-memory.dmp

Filesize
192KB

Download
memory/320-75-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/1308-60-0x000000002FC01000-0x000000002FC04000-memory.dmp

Filesize
12KB

Download
memory/1308-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1308-61-0x0000000070E11000-0x0000000070E13000-memory.dmp

Filesize
8KB

Download
memory/1308-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1692-64-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1692-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads