Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 14:49

General

  • Target

    20062024_1449_obizz.rtf

  • Size

    442KB

  • MD5

    5b235feb1c1b78d5277c93bd7b0c2e6e

  • SHA1

    5e9bebe9b3c3b44f03eb12c9484f7e3f5749c687

  • SHA256

    ed8e464b52a9d62400ba9b9e39fa37555e4b0db548487f56a5ea89b7bdcf9648

  • SHA512

    a8e9333c705a1d20b47487455583ce211ba0b497a2a4d120671351a3b4f19eb3346b719b5f5e0ab367fb4ab30b233a73910c5392e26acc014e2ff85509f37b75

  • SSDEEP

    6144:1wAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAlnp/bVl7GR:xpy

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bi09

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family (information stealer).

  • Formbook payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\20062024_1449_obizz.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2908
      • C:\Windows\SysWOW64\systray.exe
        "C:\Windows\SysWOW64\systray.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Roaming\obi72811.scr"
          3⤵
            PID:2652
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Users\Admin\AppData\Roaming\obi72811.scr
          "C:\Users\Admin\AppData\Roaming\obi72811.scr"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obi72811.scr"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Users\Admin\AppData\Roaming\obi72811.scr
            "C:\Users\Admin\AppData\Roaming\obi72811.scr"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1980

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    Command and Scripting Interpreter (1) T1059
    PowerShell (1) T1059.001
    Exploitation for Client Execution (1) T1203
  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    System Information Discovery (1) T1082

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        a20e8892aec4ed15656e960cc6641465

        SHA1

        f21b2e30312fce948d5e1984435d7f7bee883ede

        SHA256

        8697e0172edf192401cb9b932421d206ec9f68193fb7b3ba661d999164bcd3b4

        SHA512

        cccd62b6ab12740ade8d2e25ad15619344daa773b300a25b3ea96ae7819d1f602e5bc7a9f0b59665a5fca085807d4a135ff3686ffcf7d9072cef1cc605b922f9

      • \Users\Admin\AppData\Roaming\obi72811.scr
        Filesize

        732KB

        MD5

        78a1f9ac9d0f07f86ed18c7561c06766

        SHA1

        dff85c261f40f3534cd9c83b12f6f01238e839c1

        SHA256

        f9858bec8a0e0f21208bc5cf989bd6d878f4cd527e23a6a1938883e71257fedc

        SHA512

        24db7443ac438221922be6c357fa339bf87c10aa3e614c912d93e861f26d7078ecee2f384f2ce87de54a1f3c132c09693a5dd7ef3cc59f576aa38c992ef8916a

      • memory/1220-56-0x00000000001A0000-0x00000000002A0000-memory.dmp
        Filesize

        1024KB

      • memory/1220-59-0x00000000051B0000-0x0000000005299000-memory.dmp
        Filesize

        932KB

      • memory/1220-52-0x00000000001A0000-0x00000000002A0000-memory.dmp
        Filesize

        1024KB

      • memory/1684-55-0x000000007196D000-0x0000000071978000-memory.dmp
        Filesize

        44KB

      • memory/1684-86-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

      • memory/1684-0-0x000000002FA81000-0x000000002FA82000-memory.dmp
        Filesize

        4KB

      • memory/1684-2-0x000000007196D000-0x0000000071978000-memory.dmp
        Filesize

        44KB

      • memory/1684-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

      • memory/1980-42-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

      • memory/1980-47-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

      • memory/1980-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/1980-44-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

      • memory/2640-53-0x0000000000890000-0x0000000000895000-memory.dmp
        Filesize

        20KB

      • memory/2640-54-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

      • memory/2716-31-0x00000000001D0000-0x000000000028A000-memory.dmp
        Filesize

        744KB

      • memory/2716-41-0x0000000006F10000-0x0000000006F86000-memory.dmp
        Filesize

        472KB

      • memory/2716-40-0x0000000000530000-0x000000000053C000-memory.dmp
        Filesize

        48KB

      • memory/2716-39-0x0000000000480000-0x0000000000488000-memory.dmp
        Filesize

        32KB

      • memory/2716-37-0x00000000003D0000-0x00000000003E2000-memory.dmp
        Filesize

        72KB

      • memory/2716-36-0x0000000002190000-0x000000000221C000-memory.dmp
        Filesize

        560KB

      • memory/2716-29-0x000000006BA4E000-0x000000006BA4F000-memory.dmp
        Filesize

        4KB