Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    188s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2022 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293.exe

  • Size

    530KB

  • MD5

    e17b0be6e0c42a0c39c5da63523af8d8

  • SHA1

    c374934cf78e71069fc628de57b3ea15fff4c36c

  • SHA256

    7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293

  • SHA512

    1ba4983c40c19726d49b8dc73bbf9da2de7f3c53733f4264c4d731d75ae1f3e08718ecd9cba3a99d24295af5115a9449aed498259ac5c3fecf0a331c87cc4089

  • SSDEEP

    6144:ukwxeWkEM+08FjAOpwh0eEnt4KHz/aOfL40QfkhzJtnXXXdxspXEWYUPwH:IHM+bsOpwh0lnt4NgIMhz3nHXTsmoPwH

Score
10/10
formbookwh23ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wh23

Decoy

ow9vyvfee.com

alvis.one

mutantgobz.claims

plynofon.com

southofkingst.store

nuvidamedspa.com

coffeeforyou56.com

opaletechevents.com

momobar.life

abcmousu.com

learnicd-11.com

tipokin.xyz

kahvezevki.com

suratdimond.com

oldartists.best

infoepic.info

mattresslabo.com

skarlmotors.com

cl9319x.xyz

med49app.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293.exe
      "C:\Users\Admin\AppData\Local\Temp\7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Users\Admin\AppData\Local\Temp\myxwn.exe
        "C:\Users\Admin\AppData\Local\Temp\myxwn.exe" C:\Users\Admin\AppData\Local\Temp\getlceffch.gqb
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3660
        • C:\Users\Admin\AppData\Local\Temp\myxwn.exe
          "C:\Users\Admin\AppData\Local\Temp\myxwn.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:400
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\myxwn.exe"
        3⤵
          PID:3616

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\eilfol.tsc
      Filesize

      185KB

      MD5

      663d2953e8beddc4a08aca27a1145112

      SHA1

      3293e912d9661b2736ca8d403250590eb2d5164d

      SHA256

      2aa0a26b9a38b19c34c10e53834ec199fc87cbfea15e8babee582a3df331b9cb

      SHA512

      30581e1321f0165abcfcc908e15877f080dad2bf7bbedb24fa8e8baee3176097d7f43c5e59076f095c3929438b4e5740e1871ab3716c338e765c4d3d011a630a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\getlceffch.gqb
      Filesize

      6KB

      MD5

      e6d82eb1bea9bca087062e488dfd575e

      SHA1

      5ec22cec8805d965d6dac1719976bef32867b595

      SHA256

      ad495d0d0e35a6ab15c042e900e0dfc20197ef36153e15559e0fdaef4c541230

      SHA512

      6ef986b00509140137d51f114ecdf7b92c1008c3fae513579634ed202f1fc4e34ba904db48cbf092cf8d12c0a5e84cc5b2a0d61e95c03f4006eca3f190f80fd2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\myxwn.exe
      Filesize

      276KB

      MD5

      2afdd35f6df6b6cbf8f3500822625d70

      SHA1

      2efd81cdd798b38908b63a7a8ae88806e5234a1d

      SHA256

      393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

      SHA512

      b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\myxwn.exe
      Filesize

      276KB

      MD5

      2afdd35f6df6b6cbf8f3500822625d70

      SHA1

      2efd81cdd798b38908b63a7a8ae88806e5234a1d

      SHA256

      393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

      SHA512

      b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\myxwn.exe
      Filesize

      276KB

      MD5

      2afdd35f6df6b6cbf8f3500822625d70

      SHA1

      2efd81cdd798b38908b63a7a8ae88806e5234a1d

      SHA256

      393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

      SHA512

      b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

      Download Submit
    • memory/400-144-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/400-137-0x0000000000000000-mapping.dmp
      Download
    • memory/400-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/400-140-0x00000000009E0000-0x0000000000D2A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/400-141-0x00000000009C0000-0x00000000009D4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1288-147-0x0000000000F30000-0x0000000000F5F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1288-143-0x0000000000000000-mapping.dmp
      Download
    • memory/1288-145-0x0000000000060000-0x0000000000087000-memory.dmp
      Filesize

      156KB

      Download
    • memory/1288-146-0x0000000002FB0000-0x00000000032FA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1288-149-0x0000000000F30000-0x0000000000F5F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1288-150-0x0000000002DF0000-0x0000000002E83000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3020-142-0x0000000002DF0000-0x0000000002F76000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3020-151-0x0000000003340000-0x00000000033E1000-memory.dmp
      Filesize

      644KB

      Download
    • memory/3020-152-0x0000000003340000-0x00000000033E1000-memory.dmp
      Filesize

      644KB

      Download
    • memory/3616-148-0x0000000000000000-mapping.dmp
      Download
    • memory/3660-132-0x0000000000000000-mapping.dmp
      Download