Analysis Report sample20210113-01.xlsm

Overview

General Information

Sample Name: sample20210113-01.xlsm
Analysis ID: 339173
MD5: b777540ad31de24618cb9818debb2fd4
SHA1: 6e18fab506aefe0e1d1bdbb7bf61963075a4db61
SHA256: 39c47b42df4d66fe9b9e4cb03f486a6a8a11770010dd6537c55d2899b2e2021a
Tags: Dridex, xlsm

Detection

Hidden Macro 4.0 Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Dridex e-Banking trojan
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2448 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2540 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1100 cmdline: -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll. MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 1296 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2808 cmdline: -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll. MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 2832 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jvkhmoba.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 10444", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 3", "221.126.244.72:443", "195.231.69.151:3889", "157.7.166.26:5353"]}

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2448, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., ProcessId: 2540
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2448, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., ProcessId: 2540
Sigma detected: Regsvr32 Anomaly
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2448, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., ProcessId: 2540

Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.regsvr32.exe.bf0000.0.raw.unpack; Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 10444", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 3", "221.126.244.72:443", "195.231.69.151:3889", "157.7.166.26:5353"]}
Multi AV Scanner detection for domain / URL
Source: http://bipolarmalta.mccarthy.ws/lpxtpiw.zip; VirusTotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: sample20210113-01.xlsm; VirusTotal: Detection: 25%
Source: sample20210113-01.xlsm; ReversingLabs: Detection: 10%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ndrztpo.dll; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\pgjasrqd.dll; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip; Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49167 version: TLS 1.2