Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0.exe

  • Size

    398KB

  • MD5

    c25c9877c55e1c43283910d400d91e2c

  • SHA1

    e75a014931488473a0f220a81e83742f3afc66b7

  • SHA256

    70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0

  • SHA512

    77f8ff58fede53e7109796b9bbc200cd78337d6d654b9801e12e1dcf4acf04d8e7127996d1e4d60265334dac348566518cf32a500c57cbe5c5c61ac6f91a1b04

  • SSDEEP

    3072:bEhKzShSycJWiUTh0Mu3F1dMppyaoJWUytFznR/OlAuxY7PWWYa/K4bKKUDFtv09:bBnyFu10YWbFznRWGDFKnKUDFtv0koH

Score
10/10
formbookwh23ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wh23

Decoy

ow9vyvfee.com

alvis.one

mutantgobz.claims

plynofon.com

southofkingst.store

nuvidamedspa.com

coffeeforyou56.com

opaletechevents.com

momobar.life

abcmousu.com

learnicd-11.com

tipokin.xyz

kahvezevki.com

suratdimond.com

oldartists.best

infoepic.info

mattresslabo.com

skarlmotors.com

cl9319x.xyz

med49app.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0.exe
      "C:\Users\Admin\AppData\Local\Temp\70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
        "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe" C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1448
        • C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
          "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1804
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3764
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"
        3⤵
          PID:2400

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du
      Filesize

      5KB

      MD5

      5cd14824d28319bfcac1b2e3cd8b532d

      SHA1

      49ed57453b9612e0ece3540b9740f613298a8644

      SHA256

      ae65f540f6bef4b0723294768991c65f88095de096c9f636ba4c2de7f095c7bf

      SHA512

      84bdd85fe9e34fcde4ab3abd57d670a7cd2694b160686aac8958c0a00aef066dffaeaa778f8c617431c2af5b4678d292f482a5de81ae33cbfbadce1e930f061b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
      Filesize

      12KB

      MD5

      a8c4431de2a0d976a45531402b8bf869

      SHA1

      21c57e797f9bf60103751b697b5e7323b22bee2d

      SHA256

      8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

      SHA512

      740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
      Filesize

      12KB

      MD5

      a8c4431de2a0d976a45531402b8bf869

      SHA1

      21c57e797f9bf60103751b697b5e7323b22bee2d

      SHA256

      8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

      SHA512

      740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
      Filesize

      12KB

      MD5

      a8c4431de2a0d976a45531402b8bf869

      SHA1

      21c57e797f9bf60103751b697b5e7323b22bee2d

      SHA256

      8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

      SHA512

      740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\srumdm.hcb
      Filesize

      185KB

      MD5

      e923ffb3d4001485b028c1db73a2ad7d

      SHA1

      3974f858666c8ca752a93296a299e15e1c8228c8

      SHA256

      60240106d022b45f07902409a59611dd93c388b982608130194a38d6ee4fcf31

      SHA512

      0ce9501f722d51471fe648b632f7546770570c919ca314f1253344c83c24365ac39fe9fa93a3fda617725131f3898f7cc0fe5250bcc7e586b7ea6a4f54f96c1f

      Download Submit
    • memory/1448-132-0x0000000000000000-mapping.dmp
      Download
    • memory/1804-144-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1804-137-0x0000000000000000-mapping.dmp
      Download
    • memory/1804-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1804-140-0x0000000000FD0000-0x000000000131A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1804-141-0x0000000000F50000-0x0000000000F64000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2400-147-0x0000000000000000-mapping.dmp
      Download
    • memory/3048-142-0x0000000003080000-0x0000000003149000-memory.dmp
      Filesize

      804KB

      Download
    • memory/3048-150-0x0000000003150000-0x00000000031E7000-memory.dmp
      Filesize

      604KB

      Download
    • memory/3048-152-0x0000000003150000-0x00000000031E7000-memory.dmp
      Filesize

      604KB

      Download
    • memory/3764-143-0x0000000000000000-mapping.dmp
      Download
    • memory/3764-145-0x0000000001010000-0x000000000102E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3764-146-0x0000000000D50000-0x0000000000D7F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3764-148-0x00000000019C0000-0x0000000001D0A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3764-149-0x0000000001800000-0x0000000001893000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3764-151-0x0000000000D50000-0x0000000000D7F000-memory.dmp
      Filesize

      188KB

      Download