Analysis Report Dridex-06-bc1b.xlsm

Overview

General Information

Sample Name:	Dridex-06-bc1b.xlsm
Analysis ID:	344478
MD5:	f72f88ebdf048fdfedf0aa3e298d9e71
SHA1:	b8ea58415338bed65d4cd194ead6ac663ad71a6c
SHA256:	78ccf25ecee02f759cefa6b1c29a00fb4ce64c000f7b9c04c1fc08e04d04bc1b
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document contains an embedded VBA macro which may execute processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: Dridex-06-bc1b.xlsm

Avira: detected

Multi AV Scanner detection for domain / URL

Source: compagniamaestro.com

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Source: Dridex-06-bc1b.xlsm	Virustotal: Detection: 50%			Perma Link
Source: Dridex-06-bc1b.xlsm	ReversingLabs: Detection: 58%

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 199.192.21.36:443 -> 192.168.2.22:49167 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: compagniamaestro.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 199.192.21.36:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 199.192.21.36:443

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 199.192.21.36 199.192.21.36

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\841CAADE.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: compagniamaestro.com

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000003.00000002.2105763000.0000000001DB0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2106436897.0000000001C30000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2107554860.0000000001D70000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: 960.0.dr	String found in binary or memory: https://crbug.com/740629)
Source: 960.0.dr	String found in binary or memory: https://github.com/google/closure-compiler/issues/544

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: unknown

HTTPS traffic detected: 199.192.21.36:443 -> 192.168.2.22:49167 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 8

Screenshot OCR: Enable Macros Disable Macros Opening: x|sm.sheet,csv, Press ESC to cancel. a @1 iGi %10 m '00

Document contains an embedded VBA macro which may execute processes

Source: VBA code instrumentation	OLE, VBA macro: Module Foglio1, Function PagamentoDocumento, API Run("Auto_io22")			Name: PagamentoDocumento
Source: VBA code instrumentation	OLE, VBA macro: Module Foglio1, Function PagamentoDocumento, API Run("Auto_io22")			Name: PagamentoDocumento

Found Excel 4.0 Macro with suspicious formulas

Source: Dridex-06-bc1b.xlsm	Initial sample: CALL
Source: Dridex-06-bc1b.xlsm	Initial sample: CALL
Source: Dridex-06-bc1b.xlsm	Initial sample: CALL
Source: Dridex-06-bc1b.xlsm	Initial sample: CALL

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: Dridex-06-bc1b.xlsm	OLE, VBA macro line: Private Sub pagoUno_Layout()
Source: VBA code instrumentation	OLE, VBA macro: Module Foglio1, Function pagoUno_Layout			Name: pagoUno_Layout

Document contains embedded VBA macros

Source: Dridex-06-bc1b.xlsm

OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal92.expl.evad.winXLSM@7/16@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Dridex-06-bc1b.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD873.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: Dridex-06-bc1b.xlsm	Virustotal: Detection: 50%
Source: Dridex-06-bc1b.xlsm	ReversingLabs: Detection: 58%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\LO400F\PI909U\960.
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\SD120E\EP146E\960.
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\QP101F\TL941X\960.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\LO400F\PI909U\960.	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\SD120E\EP146E\960.	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\QP101F\TL941X\960.	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Dridex-06-bc1b.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: Dridex-06-bc1b.xlsm	Initial sample: OLE zip file path = xl/media/image3.png
Source: Dridex-06-bc1b.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Dridex-06-bc1b.xlsm

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.192.21.36	unknown	United States		22612	NAMECHEAP-NETUS	true

Contacted Domains

Name	IP	Active
compagniamaestro.com	199.192.21.36	true

ID:	344478
Product:	CloudBasic
Start time:	16:15:51
Start date:	26.01.2021
Sample:	Dridex-06-bc1b.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	f72f88ebdf048fdfedf0aa3e298d9e71
SHA1:	b8ea58415338bed65d4cd194ead6ac663ad71a6c
SHA256:	78ccf25ecee02f759cefa6b1c29a00fb4ce64c000f7b9c04c1fc08e04d04bc1b
Filetype:	Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%

Name	Type	MD5	SHA1	SHA256
C:\LO400F\PI909U\960	HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	4B04126D788D6958C2C62DCE6FE37988	1705C60E4BD29956E80BD34267F16F800037ED35	00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0
C:\QP101F\TL941X\960	HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	4B04126D788D6958C2C62DCE6FE37988	1705C60E4BD29956E80BD34267F16F800037ED35	00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0
C:\SD120E\EP146E\960	HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	4B04126D788D6958C2C62DCE6FE37988	1705C60E4BD29956E80BD34267F16F800037ED35	00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 58936 bytes, 1 file	E4F1E21910443409E81E5B55DC8DE774	EC0885660BD216D0CDD5E6762B2F595376995BD0	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	7E0054FA6C074543BC9B37D934E8D2DF	BF35F8FEE206925C323B66BCE8E35582F97AA141	DBE4735D4110A227E4A873ADC52C6A58A80929FF1B260ED44E300AF874586F2C
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	515ABC50F072563813F74B645FAA09D5	5140FDCA9F17840721C22BEA2AF5B78EBA18C08E	BC1FB59C03A1BC54D0EF895C91E04B0BFD80CA55D3CA39BC311B3899EA94087B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\MAS3QXWU.htm	HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	4B04126D788D6958C2C62DCE6FE37988	1705C60E4BD29956E80BD34267F16F800037ED35	00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\841CAADE.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	1C7221B8A7104792FDEEA41E5D7BA0D0	D49122E2BF94D92ED067570D638B672855C05893	76F287B1E3251B7E0E5BA27BFB05B35831150CC665DE00F9FD2D807E2D2A028D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1372147.png	PNG image data, 650 x 85, 8-bit colormap, non-interlaced	DA5C67B7042BB04E6BFB9F60D9470287	BFBDC4596111EF5D95183DB0526353CBCA84C43F	0522D7C7600F1DD56346450DFE1466BA51CFEBCD095CD3154FB30DC563F96763
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6FDFA9C.png	PNG image data, 415 x 291, 8-bit colormap, non-interlaced	31F86AA3BD1ADA53D99B7BBEF6A1DEFC	148331C2D5EB437437D48ABE51866384D7154044	E0EC55345EDC7EF4BBE4F20ABD6F8FE965475C632766FAE6CA1853674F2DC34C
C:\Users\user\AppData\Local\Temp\9DFE0000	data	4729F4D4D3E6A40897714474BD193698	1732E41AD6A7A026F51541AF370BBEDDC3C29192	BBC203190FCC1C1C9B14E09A5A17DB8C20DFF8792DFA2F75387C66C93D36AADB
C:\Users\user\AppData\Local\Temp\CabF70C.tmp	Microsoft Cabinet archive data, 58936 bytes, 1 file	E4F1E21910443409E81E5B55DC8DE774	EC0885660BD216D0CDD5E6762B2F595376995BD0	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd	data	FDC005848930295BD2BEDC28CDDF4E57	425ACD9C11F3ADD39533B5859DA2D4FBFC3C66EE	14D206152AB901B785CA013A80585FBA93F329324E1304DB04AA380A3C76F1A9
C:\Users\user\AppData\Local\Temp\TarF70D.tmp	data	D0682A3C344DFC62FB18D5A539F81F61	09D3E9B899785DA377DF2518C6175D70CCF9DA33	4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
C:\Users\user\Desktop\~$Dridex-06-bc1b.xlsm	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

Analysis Report Dridex-06-bc1b.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains