Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2022 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869.exe

  • Size

    334KB

  • MD5

    2b087c00777a630a4100c122f4687783

  • SHA1

    618f5bf8bea9d2c431c4389c18e2dd91082a0d67

  • SHA256

    12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869

  • SHA512

    cb47508cf530de56e1c2317351eca84b832d431a516c4da2676855e6d76fc6d06b4b328d4c7ece2ff7ccc54acf04644a1f30e4e8b8067dc9889f4a7a32eaa37b

  • SSDEEP

    6144:QBn1W74u851+xu+La/EZ4sAR7Im/VvQgUJ5IBjiIQ1XhXXMaXTEZ2iaH4hY:gW7OgxLLaE2R7IwY5MjinzEoPHKY

Score
10/10
formbookhenzratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Users\Admin\AppData\Local\Temp\12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869.exe
      "C:\Users\Admin\AppData\Local\Temp\12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Users\Admin\AppData\Local\Temp\rbygg.exe
        "C:\Users\Admin\AppData\Local\Temp\rbygg.exe" C:\Users\Admin\AppData\Local\Temp\kddircpspqa.tkt
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4804
        • C:\Users\Admin\AppData\Local\Temp\rbygg.exe
          "C:\Users\Admin\AppData\Local\Temp\rbygg.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2156
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:2152

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\kddircpspqa.tkt
      Filesize

      5KB

      MD5

      5def413bb305e22659152545633d4394

      SHA1

      ea186096bc4445be3a749bfe98ff1549f822da5e

      SHA256

      69ac40a2aeebad2a280bb794d8a8f0a2e2d195739b6317d4f94897bc22a51309

      SHA512

      e4917aced9bae7c29d4bb553a8675596719c8ff5e39cd8f034ae897197fd662b596b013311d010b9282fa269ae03fdc6aba27c2e84ba9f350771ff7a022e2144

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rbygg.exe
      Filesize

      267KB

      MD5

      8dcd475914550c7b97c0692d42b0b5cc

      SHA1

      07f9a2e01086f31881d2b46447a30032ddaf1b75

      SHA256

      408c5d65bd00332fcc1fcdfd1b01e6bcea3ec07d236f2d203977d824c76cdcf4

      SHA512

      5e2f68ba27ef5c5749826e3a7483e3920a5c43101cb8c6d117567d6bae7b87d23b0090e5b75213481b9a0ee1c10b4e437982d8d9de56fce0b37b3e590dd10a23

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rbygg.exe
      Filesize

      267KB

      MD5

      8dcd475914550c7b97c0692d42b0b5cc

      SHA1

      07f9a2e01086f31881d2b46447a30032ddaf1b75

      SHA256

      408c5d65bd00332fcc1fcdfd1b01e6bcea3ec07d236f2d203977d824c76cdcf4

      SHA512

      5e2f68ba27ef5c5749826e3a7483e3920a5c43101cb8c6d117567d6bae7b87d23b0090e5b75213481b9a0ee1c10b4e437982d8d9de56fce0b37b3e590dd10a23

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rbygg.exe
      Filesize

      267KB

      MD5

      8dcd475914550c7b97c0692d42b0b5cc

      SHA1

      07f9a2e01086f31881d2b46447a30032ddaf1b75

      SHA256

      408c5d65bd00332fcc1fcdfd1b01e6bcea3ec07d236f2d203977d824c76cdcf4

      SHA512

      5e2f68ba27ef5c5749826e3a7483e3920a5c43101cb8c6d117567d6bae7b87d23b0090e5b75213481b9a0ee1c10b4e437982d8d9de56fce0b37b3e590dd10a23

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\wiidn.o
      Filesize

      185KB

      MD5

      c985ca943df871d4ca23679cb7be7dd7

      SHA1

      a6d315d44a90d685deb4eea6c6778ed2e5f0f575

      SHA256

      2b159ae78ee415b70683cbc5fc7d479b9dc62c127d98afa021f10824ca8fb8ab

      SHA512

      5d471a2a84751b756863e4766f7ec1f288c08482ac365e90726501dc385a99da72a6b7104e7dfeb365926997c7df1aa22f9f9c8b343ed60d53ed868b3e8933c4

      Download Submit

    • memory/760-143-0x00000000081F0000-0x000000000839C000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/760-151-0x00000000083A0000-0x00000000084A4000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/760-150-0x00000000083A0000-0x00000000084A4000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2156-142-0x0000000001000000-0x0000000001010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2156-140-0x0000000000401000-0x000000000042F000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2156-141-0x00000000015F0000-0x000000000193A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2156-139-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2156-137-0x0000000000000000-mapping.dmp

      Download

    • memory/3948-144-0x0000000000000000-mapping.dmp

      Download

    • memory/3948-145-0x0000000000990000-0x000000000099E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3948-146-0x0000000000190000-0x00000000001BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3948-147-0x0000000000E00000-0x000000000114A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3948-148-0x0000000000190000-0x00000000001BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3948-149-0x0000000000CC0000-0x0000000000D4F000-memory.dmp

      Filesize

      572KB

      Download

    • memory/4804-132-0x0000000000000000-mapping.dmp

      Download