Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-08-2022 03:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dffde60dc2cab7ca3e0f5c7b19c4bc654dc6941dbf3a7e5ef9b312b7c4c1c656.exe

  • Size

    289KB

  • MD5

    6ee33079ee7b4cf222209c1b8b59343f

  • SHA1

    a5d080a864977564aa336acb35fbd27b394d622b

  • SHA256

    dffde60dc2cab7ca3e0f5c7b19c4bc654dc6941dbf3a7e5ef9b312b7c4c1c656

  • SHA512

    66dfb31df07f822c7daba3c66cc06f900d8b2cd83d6e0224cb079836ca52e17d446788ffae8daa56a369e43f54fd9e3fc7017f9e8a8930293b7640752c839abd

Score
10/10
formbooks4s9ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s4s9

Decoy

qianyuandianshang.com

bernardklein.com

slhomeservices.com

findasaas.com

janellelancaster.xyz

umkpro.site

nr6949.online

mersquare.club

lanariproperties.com

3rdeyefocused.com

giftexpress8260.xyz

hilleleven.xyz

beajod.com

kosazs.online

ishare.team

mb314.com

xjjinxingda.com

ayekooprojectamazing.com

ballsybanter.com

todayshoppingbd.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\dffde60dc2cab7ca3e0f5c7b19c4bc654dc6941dbf3a7e5ef9b312b7c4c1c656.exe
      "C:\Users\Admin\AppData\Local\Temp\dffde60dc2cab7ca3e0f5c7b19c4bc654dc6941dbf3a7e5ef9b312b7c4c1c656.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA=
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2288
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:392
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:1540

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/392-143-0x0000000000000000-mapping.dmp
      Download
    • memory/392-154-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/392-151-0x00000000015A0000-0x00000000015B4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/392-148-0x0000000001060000-0x0000000001074000-memory.dmp
      Filesize

      80KB

      Download
    • memory/392-147-0x00000000015F0000-0x000000000193A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/392-146-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/392-144-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1540-158-0x0000000000000000-mapping.dmp
      Download
    • memory/2288-137-0x0000000005530000-0x0000000005B58000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/2288-135-0x0000000000000000-mapping.dmp
      Download
    • memory/2288-140-0x00000000063C0000-0x00000000063DE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2288-141-0x0000000007A10000-0x000000000808A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2288-142-0x00000000068D0000-0x00000000068EA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2288-138-0x00000000054B0000-0x0000000005516000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2288-139-0x0000000005C60000-0x0000000005CC6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2288-136-0x0000000004E20000-0x0000000004E56000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3056-153-0x0000000000000000-mapping.dmp
      Download
    • memory/3056-159-0x0000000000CF0000-0x0000000000D83000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3056-160-0x0000000000690000-0x00000000006BF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3056-155-0x0000000000B40000-0x0000000000B4B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3056-156-0x0000000000EB0000-0x00000000011FA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3056-157-0x0000000000690000-0x00000000006BF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3068-149-0x00000000033E0000-0x0000000003516000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3068-162-0x0000000008C30000-0x0000000008CF9000-memory.dmp
      Filesize

      804KB

      Download
    • memory/3068-161-0x0000000008C30000-0x0000000008CF9000-memory.dmp
      Filesize

      804KB

      Download
    • memory/3068-152-0x0000000008B00000-0x0000000008C2F000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3116-130-0x0000000000140000-0x000000000018E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/3116-131-0x00000000051E0000-0x0000000005784000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3116-132-0x0000000004CD0000-0x0000000004D62000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3116-133-0x0000000005820000-0x000000000582A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3116-134-0x00000000063A0000-0x00000000063C2000-memory.dmp
      Filesize

      136KB

      Download