Overview

overview

10

Static

static

1

NEW ORDER.docx

windows7-x64

10

NEW ORDER.docx

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW ORDER.docx

  • Size

    16KB

  • MD5

    0ec4a5cbc70d9e63dc8efc2197bc03fa

  • SHA1

    24715d7a38a0e3b3495d6fa7bd1164897fe36257

  • SHA256

    c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016

  • SHA512

    cfa6f5f43e48340e562ff47a8c1c7c73c46e96adf1b9452e252d4e20171a5a0c13175129ee401e217982d7d49f29df045b42ee93045d3e1acc188554c1f71403

  • SSDEEP

    384:AyXKibkWUs8PL8wi4OEwH8TIbE91r2fRwJY7vi9EyPPT:AcK735P3DOqnYJ+OvsEyP7

Score
10/10
formbookbi09executionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bi09

Decoy

fayenterprises.online

anekagaminghk.rest

mina-chan.site

theselfcarefaire.com

progym.app

cherishedtimes.space

gkrp9s016x.icu

api288-s-rtp.online

chikankari.shop

annarosellc.com

lcloud.services

aisuitability.com

sks41.com

7779c1.vip

tunasolution.click

nexbetwin.com

huatless.quest

junroptskdyued.shop

yourwellnesseq.com

zcymc.top

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.docx"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1548
      • C:\Windows\SysWOW64\cmmon32.exe
        "C:\Windows\SysWOW64\cmmon32.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1048
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Roaming\obi72811.scr"
          3⤵
            PID:2152
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Users\Admin\AppData\Roaming\obi72811.scr
          "C:\Users\Admin\AppData\Roaming\obi72811.scr"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obi72811.scr"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
          • C:\Users\Admin\AppData\Roaming\obi72811.scr
            "C:\Users\Admin\AppData\Roaming\obi72811.scr"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:828

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
        Filesize

        1KB

        MD5

        2365869258df7a66a2121b802ca4afd9

        SHA1

        73acc30a2edeb9d6830de559bb8a74f35168135d

        SHA256

        d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

        SHA512

        795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
        Filesize

        436B

        MD5

        1bfe0a81db078ea084ff82fe545176fe

        SHA1

        50b116f578bd272922fa8eae94f7b02fd3b88384

        SHA256

        5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

        SHA512

        37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
        Filesize

        174B

        MD5

        fab1b5a033a37a35139775b12422a284

        SHA1

        248bd83dcfe83301b661329c90df40afab34c9c5

        SHA256

        d1b1ba52fdc2be06028e229ee040ddc450061e3ea0a832b68825742d8009d407

        SHA512

        e2314a544b6da41f93206d7cdc4399ccdc2e58931ad8c0dc5338a89425511446569ce0815e73c98c34b99eb91f73348d62ddd4a1d48b7fcd3000ee81db6f0b70

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        32c3c25793320a74368e469e45f2bab7

        SHA1

        43737e111c7f6cd5a4e60d1f37642dcd7489f99d

        SHA256

        f2e610a193316a2ad9ab6a99d8277969bb0261575177f98f4d7325ef1a4c831b

        SHA512

        9d6346766f248d7359e1c2964e2bedac78c505ed91ab5f9d10dcc2edede5ddf4b18d9565243d94b30fccf871a5891c183a425a99aa2fb73922cb39326a59ffb4

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
        Filesize

        170B

        MD5

        366cefb626a1732e36157df7ea263084

        SHA1

        3b68d0e439899e8e54a4f361cb47a00718dc1ca8

        SHA256

        7d466418c941c144e06193ff48a1e4d795617c77c9867b0b951ea4f552e17ea4

        SHA512

        5d1546561850f75e3959b4276f4620f5f6bdd405fa1045ed23858425d6045d920c920b6f16ff05f619d1387dbd07a02e76e0b65922670c0eae64e6e07374d7e1

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
        Filesize

        128KB

        MD5

        9fe0fb67fd6878df3643778e68defb7a

        SHA1

        dfeab108ad81dc4796d3417aa86ccf2a9d8138d8

        SHA256

        08a91205fa31a9bf11e68c23d1a18ea268e6136ca39871f61b17ad2ad10d9b70

        SHA512

        b26d3f1e1800f46aa359f09614d2e9b924aac0f768c2477b0137cfdb89615e424174db9ecedd6bee40bdafe269d2f48d6dac405775abeba237b2eae670b11d0e

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\obizz[1].doc
        Filesize

        442KB

        MD5

        5b235feb1c1b78d5277c93bd7b0c2e6e

        SHA1

        5e9bebe9b3c3b44f03eb12c9484f7e3f5749c687

        SHA256

        ed8e464b52a9d62400ba9b9e39fa37555e4b0db548487f56a5ea89b7bdcf9648

        SHA512

        a8e9333c705a1d20b47487455583ce211ba0b497a2a4d120671351a3b4f19eb3346b719b5f5e0ab367fb4ab30b233a73910c5392e26acc014e2ff85509f37b75

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Cab18BE.tmp
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\{93FA5F75-7E9E-4990-95FC-8FACECEFDDB6}
        Filesize

        128KB

        MD5

        0d9403fbe069c3f8dbd7d07bce1df27f

        SHA1

        7023cb282401a31aac8ea676a3f4e1dc2b4e6f9d

        SHA256

        9206126d5a5dedca07d9ec576f27ba6749698125e83ae632f319d6a847eda978

        SHA512

        a3daf1db74c51009429a7b2f17d32d3e0bd2b690cd0e8a965075a2a81e8ec17a985c60c5aeb5b259b8f1c611f451f1e8464e25972c344c3d8a75840e1220f92f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        04783cc938e075336eb6102d78eae73c

        SHA1

        8540b341347fddedbea28abf7fc6dfa134c5ccc8

        SHA256

        d7315c3e0d52e5475dddfc5c944407212dd79104727bcfd277e56116a3cb6c08

        SHA512

        b55658dbdd57937fde2a36352d63e9fc11850749166be3f79fa2187f361c02b7496609b73d0cffb98c88d2db485f05f262847114d922a7519c60ffb1fd87e6a5

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit
      • \Users\Admin\AppData\Roaming\obi72811.scr
        Filesize

        593KB

        MD5

        d8c91a71029ceef428740e151acf7d33

        SHA1

        ed5da390841e9cf892db6f955c234cd8b4dc6068

        SHA256

        968fc743550d4a7e20f7db9181a51ffbd8f2f355946cc3f4e8dd578c655d97e6

        SHA512

        0d910d3c3bed77ec426b9fc75a273fd522592e402a3bf7ce012cc6ebf915614d50c7d9bb4a3574ff475380df1205642fda0b030010c3cce1b9641d3b358d1f81

        Download Submit
      • memory/828-143-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/828-145-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/828-147-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/828-148-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1048-155-0x00000000000C0000-0x00000000000EF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1048-154-0x0000000000D10000-0x0000000000D1D000-memory.dmp
        Filesize

        52KB

        Download
      • memory/1188-159-0x0000000004D70000-0x0000000004E35000-memory.dmp
        Filesize

        788KB

        Download
      • memory/1188-153-0x00000000003A0000-0x00000000004A0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1188-158-0x0000000003CE0000-0x0000000003EE0000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/1648-128-0x00000000006B0000-0x000000000073C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/1648-141-0x00000000005A0000-0x00000000005AC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1648-122-0x0000000000AF0000-0x0000000000B88000-memory.dmp
        Filesize

        608KB

        Download
      • memory/1648-142-0x0000000004FD0000-0x0000000005046000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1648-129-0x00000000004F0000-0x0000000000502000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1648-140-0x0000000000510000-0x0000000000518000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2372-2-0x0000000070B8D000-0x0000000070B98000-memory.dmp
        Filesize

        44KB

        Download
      • memory/2372-156-0x0000000070B8D000-0x0000000070B98000-memory.dmp
        Filesize

        44KB

        Download
      • memory/2372-0-0x000000002F191000-0x000000002F192000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2372-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2372-190-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2372-191-0x0000000070B8D000-0x0000000070B98000-memory.dmp
        Filesize

        44KB

        Download