Analysis

max time kernel: 101s
max time network: 108s
platform: windows7_x64
resource: win7v20210410
submitted: 27-07-2021 08:50

Tasks:
- Static task: static1
- Behavioral task: behavioral1
  Sample: Invoice_2457619.xlsm
  Resource: win7v20210410
General

Target: Invoice_2457619.xlsm
Size: 329KB
MD5: 6cb632b4c2e9244c36ad740ef8cbfda5
SHA1: 5c90034815dc6faf9d14da1536f05a8a9a1d0f73
SHA256: 71fb5ec5a1424b9965bf487a41e24e04e6cd20fb256b283b8262a6592aa90114
SHA512: ec56dc8b6282de9ce3bf865263fbc74741ab98a70ac517f4d1637f025255c06247b11edd95edb9756032e93f7d0cdef93e639088cdd88732c3ccc060e85cc636
Malware Config

Extracted

Family: dridex
Botnet: 22202
C2:
- 45.79.33.48:443
- 139.162.202.74:5007
- 68.183.216.174:7443
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1520 | 1220 | mshta.exe | EXCEL.EXE

Processes (resource | yara_rule):
- behavioral1/memory/528-71-0x000000006ABF0000-0x000000006AC20000-memory.dmp | dridex_ldr

Blocklisted process makes network request (1 IoC)
Processes (flow | pid | process):
- 5 | 1520 | mshta.exe

Downloads MZ/PE file

Loads dropped DLL (4 IoCs)
Processes (pid | process):
- 528 | rundll32.exe
- 528 | rundll32.exe
- 528 | rundll32.exe
- 528 | rundll32.exe

Checks whether UAC is enabled
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry (2 TTPs, 1 IoC)
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Modifies Internet Explorer settings
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid | process):
- 1220 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes (pid | process):
- 1220 | EXCEL.EXE
- 1220 | EXCEL.EXE
- 1220 | EXCEL.EXE
- 1220 | EXCEL.EXE
- 1220 | EXCEL.EXE

Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description | pid | process | target process):
- PID 1220 wrote to memory of 1520 | 1220 | EXCEL.EXE | mshta.exe
- PID 1220 wrote to memory of 1520 | 1220 | EXCEL.EXE | mshta.exe
- PID 1220 wrote to memory of 1520 | 1220 | EXCEL.EXE | mshta.exe
- PID 1220 wrote to memory of 1520 | 1220 | EXCEL.EXE | mshta.exe
- PID 1520 wrote to memory of 528 | 1520 | mshta.exe | rundll32.exe
- PID 1520 wrote to memory of 528 | 1520 | mshta.exe | rundll32.exe
- PID 1520 wrote to memory of 528 | 1520 | mshta.exe | rundll32.exe
- PID 1520 wrote to memory of 528 | 1520 | mshta.exe | rundll32.exe
- PID 1520 wrote to memory of 528 | 1520 | mshta.exe | rundll32.exe
- PID 1520 wrote to memory of 528 | 1520 | mshta.exe | rundll32.exe
- PID 1520 wrote to memory of 528 | 1520 | mshta.exe | rundll32.exe
Processes

1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice_2457619.xlsm
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\mshta.exe (child of 1)
      Command line: mshta C:\ProgramData//theSmartTagControlLink.sct
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe (child of 2)
         Command line: rundll32.exe C:\ProgramData\qDialogSummaryInfo.dll,AddLookaside
         - Loads dropped DLL
         - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\qDialogSummaryInfo.dll
  MD5: d0a9777d063838dbf9d566a8ae327c4e
  SHA1: 6f92815c9209e5d1e1bc1100b5f6c59502ab32d8
  SHA256: cbe76441844bd0b28afb2b183f52ef3bec4c2a4b26884219049ba2618a823989
  SHA512: 174082c78d9ea76724cee9736a07400e3cb24b1d4ba0d6f4e4e4ab2b89043633af5f67cb853edd6af33f894149c66787a4eecf69dfe35abea50c1b283fdceefb

C:\ProgramData\theSmartTagControlLink.sct
  MD5: e44dbd3ba1cd50d95a143234af5426e8
  SHA1: c4bc233d71ad3fc0a4fd86b31180df6e5f37aab5
  SHA256: 2d77a15c23fe7cb627e494f4aa841fb43a4921c690dcd9bd5484f0ea344c1ae2
  SHA512: 4c696d5b8469ba018c7663da584460cb2fabf6b7ca092ee3d78d27eae43999ca1a8bcf30a4701e285c610fffd43ea8efe29615fbd308f6e11550773927b2780a
Memory dumps:
- memory/528-65-0x0000000075FE1000-0x0000000075FE3000-memory.dmp (Filesize: 8KB)
- memory/528-64-0x0000000000000000-mapping.dmp
- memory/528-71-0x000000006ABF0000-0x000000006AC20000-memory.dmp (Filesize: 192KB)
- memory/528-73-0x00000000001C0000-0x00000000001C6000-memory.dmp (Filesize: 24KB)
- memory/1220-59-0x000000002F381000-0x000000002F384000-memory.dmp (Filesize: 12KB)
- memory/1220-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1220-60-0x0000000071521000-0x0000000071523000-memory.dmp (Filesize: 8KB)
- memory/1220-74-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1520-62-0x0000000000000000-mapping.dmp