Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 14:48

General

  • Target
    20062024_1448_20062024_NEW ORDER.docx
  • Size
    16KB
  • MD5
    0ec4a5cbc70d9e63dc8efc2197bc03fa
  • SHA1
    24715d7a38a0e3b3495d6fa7bd1164897fe36257
  • SHA256
    c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016
  • SHA512
    cfa6f5f43e48340e562ff47a8c1c7c73c46e96adf1b9452e252d4e20171a5a0c13175129ee401e217982d7d49f29df045b42ee93045d3e1acc188554c1f71403
  • SSDEEP
    384:AyXKibkWUs8PL8wi4OEwH8TIbE91r2fRwJY7vi9EyPPT:AcK735P3DOqnYJ+OvsEyP7

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    bi09
  • Decoy


Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Formbook payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\20062024_1448_20062024_NEW ORDER.docx"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:888
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1868
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1388
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1792
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1844
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:328
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\obi72811.scr"
        3⤵
        PID:1600
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\AppData\Roaming\obi72811.scr
      "C:\Users\Admin\AppData\Roaming\obi72811.scr"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obi72811.scr"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:708
      • C:\Users\Admin\AppData\Roaming\obi72811.scr
        "C:\Users\Admin\AppData\Roaming\obi72811.scr"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:452

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    • Command and Scripting Interpreter (T1059): 1
    • PowerShell (T1059.001): 1
    • Exploitation for Client Execution (T1203): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • System Information Discovery (T1082): 1


              Downloads
