Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 08:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25d4c0553804fbcb055f1465780cfd4b920fb2d9e9eaaac87f7c1d0cd8e9f584.exe

  • Size

    224KB

  • MD5

    f1f6b87aa6a7bb1c6a2beda153fc607b

  • SHA1

    2964b06681eefb74a586b17756428d6c0cc08bdd

  • SHA256

    25d4c0553804fbcb055f1465780cfd4b920fb2d9e9eaaac87f7c1d0cd8e9f584

  • SHA512

    694c35b6c161358628c0f6ec0d3233fd7b2ade2cade6547f9cfd447e46c52dd0226d95f35da0a8c57f58bf5ace49d20c49cac36ad2d327f6c90cff755ea819cb

  • SSDEEP

    6144:QBn185+KUnqBjp5S+xXVkWo3zAc/Enof7PdS5EYEdB:gaAyjp5SCVvo3zgof7P8+YEdB

Score
10/10
formbookhenzratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\25d4c0553804fbcb055f1465780cfd4b920fb2d9e9eaaac87f7c1d0cd8e9f584.exe
      "C:\Users\Admin\AppData\Local\Temp\25d4c0553804fbcb055f1465780cfd4b920fb2d9e9eaaac87f7c1d0cd8e9f584.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
        "C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe" C:\Users\Admin\AppData\Local\Temp\zeesmnkse.s
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3472
        • C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
          "C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3036
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:3456
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:4996
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:4576
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:4640
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:3524
              • C:\Windows\SysWOW64\autochk.exe
                "C:\Windows\SysWOW64\autochk.exe"
                2⤵
                  PID:1656
                • C:\Windows\SysWOW64\msiexec.exe
                  "C:\Windows\SysWOW64\msiexec.exe"
                  2⤵
                  • Suspicious use of SetThreadContext
                  • Modifies Internet Explorer settings
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1404
                  • C:\Program Files\Mozilla Firefox\Firefox.exe
                    "C:\Program Files\Mozilla Firefox\Firefox.exe"
                    3⤵
                      PID:2028

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Privilege Escalation

                Defense Evasion

                Modify Registry

                1
                T1112

                Credential Access

                Discovery

                Query Registry

                1
                T1012

                System Information Discovery

                2
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\dvgmwmmyefz.bwe
                  Filesize

                  185KB

                  MD5

                  1c945c8ec5c2f5197948aea61cab057e

                  SHA1

                  79b9dbb2849f170c7b1de78a3c8e3818b5c8a11d

                  SHA256

                  27d5be39ba9e5aeba868a04ea4c251c3719242f656fbce09050c20b81f6ac751

                  SHA512

                  757d8028bb9397c11aebb3b7c8c8a4dc15aa9b7a03288a8c2e94e3369716c118605ba3ac42aca85901b7dd42f78454fa566a7b0f0c5570c524b4582a73f97794

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
                  Filesize

                  12KB

                  MD5

                  dee9967bfc964052c9343e69b90b7c31

                  SHA1

                  c12da34124e0f9b84685874d0970cbd55dd3ebe4

                  SHA256

                  2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

                  SHA512

                  3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
                  Filesize

                  12KB

                  MD5

                  dee9967bfc964052c9343e69b90b7c31

                  SHA1

                  c12da34124e0f9b84685874d0970cbd55dd3ebe4

                  SHA256

                  2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

                  SHA512

                  3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
                  Filesize

                  12KB

                  MD5

                  dee9967bfc964052c9343e69b90b7c31

                  SHA1

                  c12da34124e0f9b84685874d0970cbd55dd3ebe4

                  SHA256

                  2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

                  SHA512

                  3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\zeesmnkse.s
                  Filesize

                  5KB

                  MD5

                  4230431061fb7d5522a0bf04013fe531

                  SHA1

                  dbc2021a068247d14e65c19518fe28c42f8d9665

                  SHA256

                  26e048d856f00c449c2720f0aab7302af8212abbdfae6f7b6bfbf94469104269

                  SHA512

                  bb1dab8b2d706c780e1286dcb75ce43c0708449ef4f47c6af87001d9a39bd5deeef874ccd45115a4ab56f34bbbe56464c5a170bd43a63fa3c6a9188f0eb6d78a

                  Download Submit
                • memory/1404-150-0x0000000000150000-0x000000000017D000-memory.dmp
                  Filesize

                  180KB

                  Download
                • memory/1404-146-0x0000000000000000-mapping.dmp
                  Download
                • memory/1404-154-0x0000000000150000-0x000000000017D000-memory.dmp
                  Filesize

                  180KB

                  Download
                • memory/1404-152-0x0000000002070000-0x00000000020FF000-memory.dmp
                  Filesize

                  572KB

                  Download
                • memory/1404-151-0x0000000002210000-0x000000000255A000-memory.dmp
                  Filesize

                  3.3MB

                  Download
                • memory/1404-149-0x0000000000220000-0x0000000000232000-memory.dmp
                  Filesize

                  72KB

                  Download
                • memory/3036-142-0x00000000009E0000-0x00000000009F0000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/3036-144-0x0000000000E40000-0x0000000000E50000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/3036-147-0x0000000000400000-0x000000000042F000-memory.dmp
                  Filesize

                  188KB

                  Download
                • memory/3036-148-0x0000000000401000-0x000000000042F000-memory.dmp
                  Filesize

                  184KB

                  Download
                • memory/3036-137-0x0000000000000000-mapping.dmp
                  Download
                • memory/3036-141-0x0000000001010000-0x000000000135A000-memory.dmp
                  Filesize

                  3.3MB

                  Download
                • memory/3036-140-0x0000000000401000-0x000000000042F000-memory.dmp
                  Filesize

                  184KB

                  Download
                • memory/3036-139-0x0000000000400000-0x000000000042F000-memory.dmp
                  Filesize

                  188KB

                  Download
                • memory/3060-145-0x00000000082F0000-0x0000000008454000-memory.dmp
                  Filesize

                  1.4MB

                  Download
                • memory/3060-143-0x0000000008070000-0x00000000081EA000-memory.dmp
                  Filesize

                  1.5MB

                  Download
                • memory/3060-153-0x00000000026D0000-0x00000000027BD000-memory.dmp
                  Filesize

                  948KB

                  Download
                • memory/3060-155-0x00000000026D0000-0x00000000027BD000-memory.dmp
                  Filesize

                  948KB

                  Download
                • memory/3472-132-0x0000000000000000-mapping.dmp
                  Download