Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    205s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48fcd109b51adcad58459318c092f4b6e8e5dcca682f9d60e1592e53dbb6174b.exe

  • Size

    226KB

  • MD5

    27b4c55d335f86868e234f8aa79ca058

  • SHA1

    1ecc8c5fefd7ad001b37078bd79d68f4331dc9ba

  • SHA256

    48fcd109b51adcad58459318c092f4b6e8e5dcca682f9d60e1592e53dbb6174b

  • SHA512

    e2c11d73be4c98dd7ddeab92898020e7bc2c9df16d99a4f2a54e4d5d5b3fbcb6c34c1869974fd43044535910756d058a761520a922dc0249ba93cfa963eec617

  • SSDEEP

    6144:QBn1XvXjPujhRD+dVfowhWJ2lBFlrggcZ:gfXjPyYVfoz0lnZKZ

Score
10/10
formbookf4caratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Users\Admin\AppData\Local\Temp\48fcd109b51adcad58459318c092f4b6e8e5dcca682f9d60e1592e53dbb6174b.exe
      "C:\Users\Admin\AppData\Local\Temp\48fcd109b51adcad58459318c092f4b6e8e5dcca682f9d60e1592e53dbb6174b.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Users\Admin\AppData\Local\Temp\kkkwip.exe
        "C:\Users\Admin\AppData\Local\Temp\kkkwip.exe" C:\Users\Admin\AppData\Local\Temp\xtbjmdn.oa
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Users\Admin\AppData\Local\Temp\kkkwip.exe
          "C:\Users\Admin\AppData\Local\Temp\kkkwip.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3528
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4008

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\hlcjqqbiwe.o
      Filesize

      185KB

      MD5

      08802e2334fc7a7e96163ab9ffcf1e5b

      SHA1

      bef786f25b7fcdae25667884cf6d1ebf700f9235

      SHA256

      5b4a3315959525220d36bf43e36fedb57c84803806a0193f94bbc6718eda893a

      SHA512

      ffdaf485c4fec423b85c01d5946803fa539d9a23fadcf4d120444a623fd3f3a9e853f5ff7a6a39958a379a398b9f3a84633c3d1fc7d1fc6774a280b71533700f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\kkkwip.exe
      Filesize

      11KB

      MD5

      f485d2be0df438d4714137d8d50d61d9

      SHA1

      3de101c55aee16e8f3f8b33394fe811ad3445921

      SHA256

      7a948b4cb33932b5aa4eb990671d6aafff3a8deceb0d9cdc55ed4ecf4924ce38

      SHA512

      df9e2c41ac8778f8ee21adda46c9c4fe0dde22242e20676c42efef23b6354d4a025eaba14175cb9d0113b5153db4024a673d0f2687f8a56ad39c5580df880346

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\kkkwip.exe
      Filesize

      11KB

      MD5

      f485d2be0df438d4714137d8d50d61d9

      SHA1

      3de101c55aee16e8f3f8b33394fe811ad3445921

      SHA256

      7a948b4cb33932b5aa4eb990671d6aafff3a8deceb0d9cdc55ed4ecf4924ce38

      SHA512

      df9e2c41ac8778f8ee21adda46c9c4fe0dde22242e20676c42efef23b6354d4a025eaba14175cb9d0113b5153db4024a673d0f2687f8a56ad39c5580df880346

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\kkkwip.exe
      Filesize

      11KB

      MD5

      f485d2be0df438d4714137d8d50d61d9

      SHA1

      3de101c55aee16e8f3f8b33394fe811ad3445921

      SHA256

      7a948b4cb33932b5aa4eb990671d6aafff3a8deceb0d9cdc55ed4ecf4924ce38

      SHA512

      df9e2c41ac8778f8ee21adda46c9c4fe0dde22242e20676c42efef23b6354d4a025eaba14175cb9d0113b5153db4024a673d0f2687f8a56ad39c5580df880346

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xtbjmdn.oa
      Filesize

      5KB

      MD5

      a5cd02ce4509c4505db1c1e97f6bcd9f

      SHA1

      bdbdb5a12668d23097651f982aa5c7946ec66398

      SHA256

      89caa0fe5b8024fa4c49bb5e5dcff2dd9cccba8989de27bbd3bce6ec61610f41

      SHA512

      69d4a424124eed8b73edbf215b37bb3bba0367ee533ec2a864551cc700c314a1fad4e5dbce755b852d6e8cf11458490fbe76cd83bfc07ceb09654ba681e456dd

      Download Submit
    • memory/372-154-0x0000000008F20000-0x0000000009094000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/372-153-0x0000000008F20000-0x0000000009094000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/372-150-0x0000000003360000-0x000000000345E000-memory.dmp
      Filesize

      1016KB

      Download
    • memory/372-143-0x0000000003360000-0x000000000345E000-memory.dmp
      Filesize

      1016KB

      Download
    • memory/2300-132-0x0000000000000000-mapping.dmp
      Download
    • memory/3528-142-0x00000000009C0000-0x00000000009D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3528-141-0x0000000000F80000-0x00000000012CA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3528-145-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3528-146-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3528-140-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3528-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3528-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4636-144-0x0000000000000000-mapping.dmp
      Download
    • memory/4636-147-0x00000000002B0000-0x00000000003EA000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4636-148-0x00000000006F0000-0x000000000071D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4636-149-0x00000000026C0000-0x0000000002A0A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4636-151-0x00000000024F0000-0x000000000257F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/4636-152-0x00000000006F0000-0x000000000071D000-memory.dmp
      Filesize

      180KB

      Download