Analysis Report Dridex-06-bc1b.xlsm

Overview

General Information

Sample Name: Dridex-06-bc1b.xlsm
Analysis ID: 344478
MD5: f72f88ebdf048fdfedf0aa3e298d9e71
SHA1: b8ea58415338bed65d4cd194ead6ac663ad71a6c
SHA256: 78ccf25ecee02f759cefa6b1c29a00fb4ce64c000f7b9c04c1fc08e04d04bc1b

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
One or more processes crash

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Dridex-06-bc1b.xlsm Avira: detected
Multi AV Scanner detection for submitted file
Source: Dridex-06-bc1b.xlsm Virustotal: Detection: 50%
Source: Dridex-06-bc1b.xlsm ReversingLabs: Detection: 58%

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56C9D0A7.emf
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: DWWIN.EXE, 00000003.00000002.3523274332.0000000003637000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: DWWIN.EXE, 00000003.00000002.3523274332.0000000003637000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: DWWIN.EXE, 00000003.00000002.3521034549.00000000023E0000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: DWWIN.EXE, 00000003.00000002.3523274332.0000000003637000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: DWWIN.EXE, 00000003.00000002.3523274332.0000000003637000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: DWWIN.EXE, 00000003.00000002.3523274332.0000000003637000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Dridex-06-bc1b.xlsm OLE, VBA macro line: Private Sub pagoUno_Layout()
Document contains embedded VBA macros
Source: Dridex-06-bc1b.xlsm OLE indicator, VBA macros: true
One or more processes crash
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1228
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal64.expl.winXLSM@5/6@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Dridex-06-bc1b.xlsm
Source: C:\Windows\System32\DWWIN.EXE Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1916
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF66F.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\DWWIN.EXE Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Dridex-06-bc1b.xlsm Virustotal: Detection: 50%
Source: Dridex-06-bc1b.xlsm ReversingLabs: Detection: 58%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1228
Source: unknown Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1228
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1228
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1228
Source: C:\Windows\System32\DWWIN.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{713AACC8-3B71-435C-A3A1-BE4E53621AB1}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Dridex-06-bc1b.xlsm Initial sample: OLE zip file path = xl/media/image2.png
Source: Dridex-06-bc1b.xlsm Initial sample: OLE zip file path = xl/media/image3.png
Source: Dridex-06-bc1b.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Dridex-06-bc1b.xlsm Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (9 identical entries)
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\DWWIN.EXE Process information set: NOOPENFILEERRORBOX (9 identical entries)

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\DWWIN.EXE Window / User API: foregroundWindowGot 483
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1228
Source: DWWIN.EXE, 00000003.00000002.3520684964.0000000000770000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: DWWIN.EXE, 00000003.00000002.3520684964.0000000000770000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: DWWIN.EXE, 00000003.00000002.3520684964.0000000000770000.00000002.00000001.sdmp Binary or memory string: !Progman
Behavior Graph (rendered as an image in the original; recoverable details follow)

Behavior Graph ID: 344478, Sample: Dridex-06-bc1b.xlsm, Startdate: 26/01/2021, Architecture: WINDOWS, Score: 64
Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
Process chain: EXCEL.EXE (graph node counters 142 25) started; it dropped C:\Users\user\Desktop\~$Dridex-06-bc1b.xlsm (data) and triggered the signatures Document exploit detected (process start blacklist hit) and Document exploit detected (UrlDownloadToFile); EXCEL.EXE started DW20.EXE, which started DWWIN.EXE
No contacted IP infos