Overview

overview

10

Static

static

10

dridex

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    07-06-2022 16:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe

  • Size

    328KB

  • MD5

    23e421072b6ebe8b53fde252e6990340

  • SHA1

    9a9f0b8fc33435bb8c29c55ff261b88e8b96eafa

  • SHA256

    aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38

  • SHA512

    6a0ce5b2494eacdec720e107605f95c2058fe75f8a52d72783b8dbbc2d9072a694c9a0f9eec07afc8e441fe2a88237121a2784c3f92ab44b622fc5938dc4d468

Score
10/10
formbookneshtag14spersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g14s

Decoy

highnessmagazine.com

mokeyshop.com

remotedesktop.xyz

bicielettrica.xyz

addoncarzspa.com

ironesteem.com

asset-management-int.com

newportnewsaccounting.com

seriesyonkis2.com

hhivac.com

shrmgattlnow.com

yangzhenyu1.xyz

prettylittlenail.com

phyform.com

fggloballlc.com

gamecentertx.com

apriltoken.com

agalign.com

jointventurecoop.club

pengqianyue.tech

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 5 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 55 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 2 IoCs
    installer
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Users\Admin\AppData\Local\Temp\aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe
      "C:\Users\Admin\AppData\Local\Temp\aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe"
      2⤵
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Users\Admin\AppData\Local\Temp\3582-490\aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
          C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe C:\Users\Admin\AppData\Local\Temp\lafzmxlg
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:944
          • C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
            C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe C:\Users\Admin\AppData\Local\Temp\lafzmxlg
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:4196
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe"
        3⤵
          PID:3400

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\14bjwnh70000oktef97
      Filesize

      184KB

      MD5

      39caefe2282d6b8c0eef7d657db7c154

      SHA1

      cc6604f9985ae1a05f034f799dd6ee550be1d7e8

      SHA256

      47fc6884f3dee9dfd8def2b3b5f0c38856c0eef9f0c005fd02fef0c1344592f2

      SHA512

      930bb809904ff5f27420b1ae1a0005ee73b9383e21a41dbd93dbd18f4048c1bfcebbff1b6a189eb63444cd876e95b11c8c346bfa7166f4ddd172fcadbbf73cd5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe
      Filesize

      288KB

      MD5

      f3369e93b9a197294c8ede7e84c1c382

      SHA1

      32f59edb66c19b0c483e36326f59ad374231ac58

      SHA256

      4953b485a81de69f30981b5b8a9a2e65aff9be557c3e9b19c8b052f00eadfc4c

      SHA512

      2253461239a4341c8fe9fe6bc825834e4350b0e796c9308a885144a7af37af7782f4793ff0f68e941262aa037b27666e01233e3811ce576ebbe12438dcf5c34f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe
      Filesize

      288KB

      MD5

      f3369e93b9a197294c8ede7e84c1c382

      SHA1

      32f59edb66c19b0c483e36326f59ad374231ac58

      SHA256

      4953b485a81de69f30981b5b8a9a2e65aff9be557c3e9b19c8b052f00eadfc4c

      SHA512

      2253461239a4341c8fe9fe6bc825834e4350b0e796c9308a885144a7af37af7782f4793ff0f68e941262aa037b27666e01233e3811ce576ebbe12438dcf5c34f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lafzmxlg
      Filesize

      5KB

      MD5

      bce94db7c34663df2cbd9246ff73a348

      SHA1

      7ae61ec3e2de7736c42059f798e33950b558e6b4

      SHA256

      39220e3264b8bd27e6980a0edee02315c1a42e88181b8dc107122cd5d1590b29

      SHA512

      f9d3fd89a54648cebfacfe1f2f12310b438fb53e8f1eb65fab70ac56ea94da8c72eb239e50da8160a4217f723f0727aa44434b65ebe6c3356a11194d328690e2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
      Filesize

      57KB

      MD5

      1690cff1fe9dbef048f6e7dbe3cbf586

      SHA1

      fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b

      SHA256

      187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077

      SHA512

      f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
      Filesize

      57KB

      MD5

      1690cff1fe9dbef048f6e7dbe3cbf586

      SHA1

      fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b

      SHA256

      187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077

      SHA512

      f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
      Filesize

      57KB

      MD5

      1690cff1fe9dbef048f6e7dbe3cbf586

      SHA1

      fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b

      SHA256

      187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077

      SHA512

      f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22

      Download Submit
    • memory/944-202-0x0000000000000000-mapping.dmp
      Download
    • memory/2960-145-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-147-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-124-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-125-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-126-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-127-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-128-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-129-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-131-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-130-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-133-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-134-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-135-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-136-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-138-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-137-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-140-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-141-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-143-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-144-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-122-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-142-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-139-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-132-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-146-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-123-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-148-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-149-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-150-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-152-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-151-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-153-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-154-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-155-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-121-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-115-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-114-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-116-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-117-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-118-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-119-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-120-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3164-272-0x0000000006670000-0x00000000067EE000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3164-325-0x00000000068C0000-0x0000000006A2E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3164-327-0x00000000068C0000-0x0000000006A2E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3400-315-0x0000000000000000-mapping.dmp
      Download
    • memory/4196-265-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4196-248-0x000000000041F140-mapping.dmp
      Download
    • memory/4196-270-0x0000000000E00000-0x0000000000F91000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4196-268-0x0000000001250000-0x0000000001570000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/4588-162-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-173-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-163-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-161-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-159-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-158-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-180-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-179-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-156-0x0000000000000000-mapping.dmp
      Download
    • memory/4588-167-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-171-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-175-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-177-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-178-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-176-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-164-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-174-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-172-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-170-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-169-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-160-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-166-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4588-168-0x00000000771F0000-0x000000007737E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4996-314-0x0000000000250000-0x000000000027F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4996-321-0x0000000004320000-0x0000000004640000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/4996-323-0x0000000000250000-0x000000000027F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4996-324-0x0000000004190000-0x0000000004320000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4996-313-0x00000000003A0000-0x00000000003B9000-memory.dmp
      Filesize

      100KB

      Download
    • memory/4996-326-0x0000000004190000-0x0000000004320000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4996-275-0x0000000000000000-mapping.dmp
      Download