Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2022 12:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5399fd8bbc8978896233268aa24421cd3d206c606d11bcf64548e8a628be6fc3.exe

  • Size

    725KB

  • MD5

    dc4fbd4c5afc724315acba1b784d042c

  • SHA1

    2e1cdca264a4e29571079c2c2a2b36d899812ec8

  • SHA256

    5399fd8bbc8978896233268aa24421cd3d206c606d11bcf64548e8a628be6fc3

  • SHA512

    a2371f0158f41e0bdc651a81e299292f9a73b233074b6ed829d2caab3fedf1ba657a57b890c44b89ed1a0c02f5e38fb14ddd13da6069ed864e1966526bd63c1e

  • SSDEEP

    12288:4i/Pag+5072eFlCk2D3U6xMrDpm6UssNkIhGM/:vF+iquCxnxMrNlU5kq

Score
10/10
formbookoc5eratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

oc5e

Decoy

ODVenWNCx27xmAQc

4XFONwe0gAX06UZqkA==

AD3Pph7KlPo7lQ==

UR3vF7OcYyyilfE=

dYHbq1q35dWIhecnJZ3aFJEGlDwKDoVM

ZjGUfBForJkYdek=

eHXQr1tI+ySegwM4iBtUkk4KNg0FYMk=

4a8FTkEp+vCjm+4=

aCWI49e/KcsQ8E+EU4GeShabmBah

E6V1p68mgTWfSkhOiA==

iWj9y0Sg3MU2lw==

oHsJ45Ot5v14oRA8Ut6Tqxw=

trdTtZNlNF+VuwQU

tEUYVnll1L4ojA==

Es81jGdN1YW3luwCr3T+WFk0wA==

g5eqC/tlYmtjxxJjnZM4

lFju1HzZ7iWVxxEe

4KE7NhR0YoW9Wllpmw==

qWVEpocCITjplgcphg==

FuCHb/9aumc7

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Users\Admin\AppData\Local\Temp\5399fd8bbc8978896233268aa24421cd3d206c606d11bcf64548e8a628be6fc3.exe
      "C:\Users\Admin\AppData\Local\Temp\5399fd8bbc8978896233268aa24421cd3d206c606d11bcf64548e8a628be6fc3.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EJiyRa.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EJiyRa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E5A.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3700
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:2648
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4876
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:964
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1736

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp6E5A.tmp
        Filesize

        1KB

        MD5

        5085e4241453ea087a8712c15a53c19b

        SHA1

        ca99b9137fae0842459ac28f718666a8f41e4533

        SHA256

        14e94519b152b7d51bd1dc30f1215583c6048aeaab91eb4629ad4be971441174

        SHA512

        7c93344e6360cd9034b9245ae74b4915447600bc31e6c1eadf8a5437285ee967e34b5ec8ebfe0544c9a8e5f766a869add6a42be2493a6323cf2609e3e7ae6471

        Download Submit

      • memory/652-176-0x00000000088F0000-0x00000000089F4000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/652-178-0x00000000088F0000-0x00000000089F4000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/652-168-0x0000000002FC0000-0x000000000307B000-memory.dmp

        Filesize

        748KB

        Download

      • memory/652-155-0x0000000008260000-0x0000000008376000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/964-172-0x0000000000200000-0x0000000000227000-memory.dmp

        Filesize

        156KB

        Download

      • memory/964-173-0x0000000003110000-0x000000000345A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/964-174-0x0000000001100000-0x000000000112D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/964-169-0x0000000000000000-mapping.dmp

        Download

      • memory/964-177-0x0000000001100000-0x000000000112D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/964-175-0x0000000002F70000-0x0000000002FFF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2564-160-0x0000000007350000-0x000000000736A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2564-156-0x0000000006640000-0x0000000006672000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2564-146-0x0000000005080000-0x00000000050A2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2564-147-0x0000000005950000-0x00000000059B6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2564-141-0x0000000005170000-0x0000000005798000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2564-152-0x0000000006040000-0x000000000605E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2564-137-0x0000000000000000-mapping.dmp

        Download

      • memory/2564-165-0x0000000007670000-0x0000000007678000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2564-148-0x0000000005A30000-0x0000000005A96000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2564-139-0x0000000004AB0000-0x0000000004AE6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2564-164-0x0000000007690000-0x00000000076AA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2564-163-0x0000000007580000-0x000000000758E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2564-157-0x0000000070C80000-0x0000000070CCC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2564-158-0x0000000006600000-0x000000000661E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2564-159-0x00000000079A0000-0x000000000801A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2564-162-0x00000000075D0000-0x0000000007666000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2564-161-0x00000000073C0000-0x00000000073CA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2648-142-0x0000000000000000-mapping.dmp

        Download

      • memory/3404-134-0x0000000004B50000-0x0000000004BE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3404-132-0x0000000000080000-0x000000000013A000-memory.dmp

        Filesize

        744KB

        Download

      • memory/3404-133-0x0000000005100000-0x00000000056A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3404-136-0x0000000008A80000-0x0000000008B1C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3404-135-0x0000000004AE0000-0x0000000004AEA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3700-138-0x0000000000000000-mapping.dmp

        Download

      • memory/4876-143-0x0000000000000000-mapping.dmp

        Download

      • memory/4876-171-0x0000000000401000-0x000000000042F000-memory.dmp

        Filesize

        184KB

        Download

      • memory/4876-170-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/4876-167-0x00000000013C0000-0x00000000013D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4876-166-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/4876-154-0x0000000000BF0000-0x0000000000C00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4876-153-0x0000000001440000-0x000000000178A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4876-150-0x0000000000401000-0x000000000042F000-memory.dmp

        Filesize

        184KB

        Download

      • memory/4876-149-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/4876-144-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download