Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5066450d674e2d7729d0acb5d3b571c948064c68bf82efc27497b56ddfb562d.exe

  • Size

    732KB

  • MD5

    3374b87be5da25a09046d0b59ccc34c7

  • SHA1

    4bef0bfa8de1d50a3804f3af6394673fbe2cf81a

  • SHA256

    c5066450d674e2d7729d0acb5d3b571c948064c68bf82efc27497b56ddfb562d

  • SHA512

    92cca738e000d7bef12847babfea8e14b5f2b5122d208236ed1ec9d1ede984a91620371fbb5d7bd60d11c4477140e4afc5e9b068d8ae63b87915364445f988b5

  • SSDEEP

    12288:jwluhmomPZefCJBhaDUA7UAQ1PSxbUYW+DceP2NObN4VEsjJGPtqvyuv/m:eomxiiBhaDUAFQ1qazU5uUXvQF3m

Score
10/10
formbookpgntratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

pgnt

Decoy

0WG18LbM4lR9iqMRa4nlBzTb

jcfGYzPgZTqFZVO9FV2yIw==

laIfrdSC8/4CNg==

Q73ilev5GIWuOrAAFV2yIw==

Q2u/pMw7pv4sPA==

TbqvIUHwlQscPo0HFV2yIw==

8PNWfGPyE8n0IQ==

WtgROxXzvY2L

PryaRBNjm4eP

Y9Hdi06Cry1um9Sj68YAu1o=

3Gulyp7CMQtR78jvLkk=

JJ3GasTVTCRQT6Tfz6S6GlI=

RnS42bhb9tI0R6UpD6wOxriNxw==

he1mi2sOGfzTRGHnuA==

eaYjCtjxVjdU5XLRtBMBLKk9quA=

k9rTeEqYzzw8WaTfz6S6GlI=

5luVQwe2vJWKEAiMdF4=

MGW14L9OVk5Y5TaR6w/DqdhYxXVY

mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==

y5klhuMbE8n0IQ==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5066450d674e2d7729d0acb5d3b571c948064c68bf82efc27497b56ddfb562d.exe
    "C:\Users\Admin\AppData\Local\Temp\c5066450d674e2d7729d0acb5d3b571c948064c68bf82efc27497b56ddfb562d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XkAsuB.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XkAsuB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF29D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2744
    • C:\Users\Admin\AppData\Local\Temp\c5066450d674e2d7729d0acb5d3b571c948064c68bf82efc27497b56ddfb562d.exe
      "C:\Users\Admin\AppData\Local\Temp\c5066450d674e2d7729d0acb5d3b571c948064c68bf82efc27497b56ddfb562d.exe"
      2⤵
        PID:1240
      • C:\Users\Admin\AppData\Local\Temp\c5066450d674e2d7729d0acb5d3b571c948064c68bf82efc27497b56ddfb562d.exe
        "C:\Users\Admin\AppData\Local\Temp\c5066450d674e2d7729d0acb5d3b571c948064c68bf82efc27497b56ddfb562d.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4516

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpF29D.tmp
      Filesize

      1KB

      MD5

      643687cd4f61a0a4d3804eeba6bbb262

      SHA1

      9f2a48c9b3f090372ee8ed69b5d76eb58b4a51ea

      SHA256

      e01730912c8d2a0c99f5ad9c64fca81a6c4748a310536fbaad9ea3188bbb36c2

      SHA512

      1fc89ca700774fb60d76e72408f17a1077e5150528bd4ea3a90f1ff1089a753cdd3ffd54a55e77ab288f10545222709620a5bfcc051c0dfd850cf4adc5e92a52

      Download Submit
    • memory/1240-142-0x0000000000000000-mapping.dmp
      Download
    • memory/2648-154-0x0000000070E30000-0x0000000070E7C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2648-160-0x0000000006E40000-0x0000000006E4E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2648-161-0x00000000071B0000-0x00000000071CA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2648-137-0x0000000000000000-mapping.dmp
      Download
    • memory/2648-159-0x0000000007110000-0x00000000071A6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/2648-139-0x00000000021E0000-0x0000000002216000-memory.dmp
      Filesize

      216KB

      Download
    • memory/2648-158-0x0000000006E60000-0x0000000006E6A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2648-141-0x0000000004ED0000-0x00000000054F8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/2648-157-0x0000000006DF0000-0x0000000006E0A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2648-156-0x0000000007470000-0x0000000007AEA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2648-155-0x0000000006070000-0x000000000608E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2648-149-0x0000000004B20000-0x0000000004B42000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2648-162-0x00000000070F0000-0x00000000070F8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2648-152-0x0000000005B60000-0x0000000005B7E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2648-153-0x0000000006090000-0x00000000060C2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2648-150-0x0000000004BC0000-0x0000000004C26000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2648-151-0x0000000004C30000-0x0000000004C96000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2744-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4516-146-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4516-144-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4516-143-0x0000000000000000-mapping.dmp
      Download
    • memory/4516-148-0x00000000012E0000-0x000000000162A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4516-147-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4916-135-0x00000000051B0000-0x00000000051BA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4916-132-0x0000000000750000-0x000000000080C000-memory.dmp
      Filesize

      752KB

      Download
    • memory/4916-133-0x0000000005730000-0x0000000005CD4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4916-134-0x0000000005220000-0x00000000052B2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4916-136-0x000000000AEA0000-0x000000000AF3C000-memory.dmp
      Filesize

      624KB

      Download