Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2023 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510.exe

  • Size

    286KB

  • MD5

    78a95a8cb18e37d6565520be5e8013c4

  • SHA1

    36557486465d9d133f2ea5aceaec9731f0663f91

  • SHA256

    85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510

  • SHA512

    7a811797afff6e82082296a10e5f3135340f126d1230bc15983737c0363c082b8bf7651d0732d85f89c5d08e13177fed789851c6402444c4dc794ee68d90be44

  • SSDEEP

    6144:AYa66rPn6SbiaFiPvZNU2tpErTwf4ceMXIECWoqgruCRnMti4oZQ:AYsrPn6Mia4PXU2tpswfx4WvCRwoZQ

Score
10/10
formbookbn26ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bn26

Decoy

juweipai.com

assurance-mon-espace-sante.com

robqq.com

ablindear.com

socialmonkeys.co.uk

learningworldtech.com

imprese-it.com

themoodcollectives.africa

lutonmethodists.org.uk

castawaycovebnb.com

caronthemove.com

carolinacastro.uk

dcfashionweekintl.com

branchbasicsa.com

drpatrickakinsanya.africa

inventourownfuture.com

applege.top

whatamitiredof.com

daphan.pics

gardenstatevinyl.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Users\Admin\AppData\Local\Temp\85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510.exe
      "C:\Users\Admin\AppData\Local\Temp\85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe
        "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe" C:\Users\Admin\AppData\Local\Temp\puvmbvd.ivv
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe
          "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3160
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe"
        3⤵
          PID:836

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe
      Filesize

      54KB

      MD5

      7b3f0fa0f8b825f576c98b25aab2507e

      SHA1

      2b206f89862e0dbecf2bb7c6f4be20b57fd6c26d

      SHA256

      d7f5cdc9f9b70f73dc8fb1c07e0203d69a4c4b987dc909c926060bbeaaade646

      SHA512

      06692a89c230ed6c614a037410fe99de381354f302501c9cefa486c31fc9e2f35beb94d56622874ec7de41a36e7c1c4ee5fae097b26bb453254d075bde786cd0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe
      Filesize

      54KB

      MD5

      7b3f0fa0f8b825f576c98b25aab2507e

      SHA1

      2b206f89862e0dbecf2bb7c6f4be20b57fd6c26d

      SHA256

      d7f5cdc9f9b70f73dc8fb1c07e0203d69a4c4b987dc909c926060bbeaaade646

      SHA512

      06692a89c230ed6c614a037410fe99de381354f302501c9cefa486c31fc9e2f35beb94d56622874ec7de41a36e7c1c4ee5fae097b26bb453254d075bde786cd0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe
      Filesize

      54KB

      MD5

      7b3f0fa0f8b825f576c98b25aab2507e

      SHA1

      2b206f89862e0dbecf2bb7c6f4be20b57fd6c26d

      SHA256

      d7f5cdc9f9b70f73dc8fb1c07e0203d69a4c4b987dc909c926060bbeaaade646

      SHA512

      06692a89c230ed6c614a037410fe99de381354f302501c9cefa486c31fc9e2f35beb94d56622874ec7de41a36e7c1c4ee5fae097b26bb453254d075bde786cd0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\potdzpp.y
      Filesize

      205KB

      MD5

      57e7a6532f1ee86992e7b4fa6580cb19

      SHA1

      3d8ea00a0b9d9f167e0433afea928b68de50980f

      SHA256

      7b96a34af9cd31c98ddc997366b3576174a392071ab344ac8f6a072d53c42547

      SHA512

      e25a318bc187ff13f50a6bdafd7ced1a141297895600b750aaf52831c38aa229a9fc964fd5eaf8abee7fc803ac8d872d2a88883f07b7a4f4df8de7849c28aa25

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\puvmbvd.ivv
      Filesize

      5KB

      MD5

      2756cf827356d936638f325fc53574a1

      SHA1

      1d05b474adb777cb85ecd0ad2f06ff9fca1ee2ab

      SHA256

      efae399d371cd9d2132b7c4143469da0c72f4aa559dadfcd03011e4f06cec9e7

      SHA512

      fb635c25243ea0bc0d74bce2e203ce7a12a7b5fad3e4603c1fde7dbe16415be12578d804f911d1d07cb80be6ee6230ee6848ab9130f9bfb8e784f05ec05a7ad6

      Download Submit

    • memory/1276-153-0x0000000000BC0000-0x0000000000BD9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1276-158-0x0000000002660000-0x00000000026F4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/1276-156-0x0000000000820000-0x000000000084F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1276-155-0x0000000002820000-0x0000000002B6A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1276-154-0x0000000000820000-0x000000000084F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1276-151-0x0000000000BC0000-0x0000000000BD9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2988-140-0x00000000009C0000-0x00000000009C2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3152-149-0x0000000008430000-0x00000000085DC000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3152-159-0x0000000006F90000-0x0000000007055000-memory.dmp

      Filesize

      788KB

      Download

    • memory/3152-160-0x0000000006F90000-0x0000000007055000-memory.dmp

      Filesize

      788KB

      Download

    • memory/3152-162-0x0000000006F90000-0x0000000007055000-memory.dmp

      Filesize

      788KB

      Download

    • memory/3160-147-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3160-148-0x00000000005B0000-0x00000000005C5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/3160-146-0x0000000000B10000-0x0000000000E5A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3160-142-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download