Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-11-2022 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6.exe

  • Size

    387KB

  • MD5

    420f3718285fef98dcbb490383c40efd

  • SHA1

    58b55c7c809e3e126c0985fd67fe1053f790924d

  • SHA256

    89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6

  • SHA512

    0fe09d790dfca15ca4e09b09499d7ccf5cba2bd552898df88e74700242f4d71c35306dfefc4896a1465df226a3e4909822d284e6da241405586e273a83221382

  • SSDEEP

    6144:0Ea0MrcKg0tmqPCAUtQjt/+kuVnC0bdltM2qkF0stSDVhvLP0ZvXDPLyiO3t2v3S:mrMLArj5+kElJqBOwVhTPKvLmiOd2v3S

Score
10/10
formbookf4caratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6.exe
      "C:\Users\Admin\AppData\Local\Temp\89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
        "C:\Users\Admin\AppData\Local\Temp\ggcgid.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4248
        • C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
          "C:\Users\Admin\AppData\Local\Temp\ggcgid.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4736
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1064

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
      Filesize

      350KB

      MD5

      ac700d916265036af0976854897e21b1

      SHA1

      1da70425178a920c28bf75a16a368b03ea15619e

      SHA256

      07e754d2e7e39469b43a56d29627cf1f227e30668e8f00b71cdf41cc8fd334e0

      SHA512

      fd8b132240c2d8cf19542846eb82812ef238ac5f2ff7f673babb91247cba1e22c1700e06324568493b121103b6284dcd50523172d595b475ee64b2fcfccaa51e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
      Filesize

      350KB

      MD5

      ac700d916265036af0976854897e21b1

      SHA1

      1da70425178a920c28bf75a16a368b03ea15619e

      SHA256

      07e754d2e7e39469b43a56d29627cf1f227e30668e8f00b71cdf41cc8fd334e0

      SHA512

      fd8b132240c2d8cf19542846eb82812ef238ac5f2ff7f673babb91247cba1e22c1700e06324568493b121103b6284dcd50523172d595b475ee64b2fcfccaa51e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
      Filesize

      350KB

      MD5

      ac700d916265036af0976854897e21b1

      SHA1

      1da70425178a920c28bf75a16a368b03ea15619e

      SHA256

      07e754d2e7e39469b43a56d29627cf1f227e30668e8f00b71cdf41cc8fd334e0

      SHA512

      fd8b132240c2d8cf19542846eb82812ef238ac5f2ff7f673babb91247cba1e22c1700e06324568493b121103b6284dcd50523172d595b475ee64b2fcfccaa51e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ncqoft.eol
      Filesize

      5KB

      MD5

      872dea5a3ca22c3d6fbc5eaa4e2558e0

      SHA1

      eb40667be3e42a9da334f20a4b72e6ba021e2445

      SHA256

      7f0349c9b3ad573965322a7e8102fb0682d33cd1f98d73f204fd547098c014d2

      SHA512

      847ecd49c1888a31953e98576d1b4c0d3bd2a44d35504310ed479c034205640022c869978e6be7ad8934720aa44100300d215cc0ed412fd385e7fc486ed1476b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qjvkrwgt.e
      Filesize

      185KB

      MD5

      5609a56cc339285224848fc96a673fdc

      SHA1

      9cc33599cca2093e330ab52ea2d4bae081682c55

      SHA256

      cedfd0094c9116d779e665c7292eb57abe50ac11a84be080578c40fa19ae0f60

      SHA512

      712f0837d24b01c74a5ef7a9c3fff227b5e3401575f0f0a3055465d3489fc57c109fc63555a73675f42a3e0b9debc4aac0518548931e2c10ab364882693d38ae

      Download Submit
    • memory/2132-153-0x0000000008220000-0x0000000008328000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2132-152-0x0000000008220000-0x0000000008328000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2132-143-0x0000000004570000-0x0000000004635000-memory.dmp
      Filesize

      788KB

      Download
    • memory/4248-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4736-142-0x00000000017B0000-0x00000000017C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4736-141-0x00000000017C0000-0x0000000001B0A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4736-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4736-145-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4736-146-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4736-140-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4736-137-0x0000000000000000-mapping.dmp
      Download
    • memory/5052-144-0x0000000000000000-mapping.dmp
      Download
    • memory/5052-148-0x0000000000950000-0x000000000097D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/5052-147-0x0000000000BA0000-0x0000000000BAA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/5052-149-0x00000000013F0000-0x000000000173A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/5052-150-0x0000000000950000-0x000000000097D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/5052-151-0x0000000001150000-0x00000000011DF000-memory.dmp
      Filesize

      572KB

      Download