#dridex_010221

#IOC #OptiData #VR #dridex #macro #regsvr32 #dll

https://pastebin.com/hp4fvBqb

previous_contact:

attack_vector
--------------
email attach .zip (passwd) > .xlsm > macro > EXCEL download > regsvr32.exe > %temp%\%name%.dll

email_headers
--------------
n/a

files
--------------
SHA-256		b721618810b06ed4089d1469fc5c5b37be1a907fc1ae14222f913c6e2b0001c2
File name	printouts_of_outstanding_as_of FEB_01_2021.xlsm     [ Excel Microsoft Office Open XML Format document (with Macro)]
File size	115.81 KB (118587 bytes)

SHA-256		2954fff16d963d718ba0518ebdcadb61c71bf4d5cdd13d4c6bc7058329229c21
File name	ekwhaz.dll
File size	584.50 KB (598528 bytes)

activity
**************
PL_SCR		https://smithcalendar.cstdevs.com/qv9p5brpm.zip

C2	        77.220.64.131:443
            5.196.204.251:5037
            192.99.41.136:981
            24.229.3.146:4664

netwrk
--------------
109.203.107.71	talklivebuddy.com		Client Hello
77.220.64.131	Client Hello
5.196.204.251	50598 → 5037 [SYN]
192.99.41.136	50599 → 981 [SYN]

comp
--------------
EXCEL.EXE	    3200	TCP	109.203.107.71	443	    ESTABLISHED
regsvr32.exe	3464	TCP	77.220.64.131	443	    ESTABLISHED
regsvr32.exe	3464	TCP	5.196.204.251	5037	ESTABLISHED
regsvr32.exe	3464	TCP	192.99.41.136	981	    ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
	"C:\Windows\System32\regsvr32.exe"  -s C:\Users\operator\AppData\Local\Temp\kwiehbiv.dll

persist
--------------
n/a

drop
--------------
C:\temp\~DFD866A6C2D60EA793.TMP
C:\Users\operator\AppData\Local\Temp\kwiehbiv.dll

# # #
https://www.virustotal.com/gui/file/b721618810b06ed4089d1469fc5c5b37be1a907fc1ae14222f913c6e2b0001c2/details
https://www.virustotal.com/gui/file/2954fff16d963d718ba0518ebdcadb61c71bf4d5cdd13d4c6bc7058329229c21/details
https://analyze.intezer.com/analyses/124e33ce-91e1-46be-b8f4-b154bc4d9104

VR