Static

static

Companypro...3.xlsx

windows7_x64

10

Companypro...3.xlsx

windows10_x64

1

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    10-12-2020 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Companyprofile_Order_384658353.xlsx

  • Size

    2.1MB

  • MD5

    c30d91c05ecd94de4ee314be1f27bf22

  • SHA1

    fed9790f0ebc832445b34ef1caabe137ed15e3ce

  • SHA256

    836390a3bb832e2b10fb7bf5ee0d88e7aa32179839e65b933ff2da2aabce8f89

  • SHA512

    0053323cf2d7fada473a23ddaffd7be38f3015613f651c15bc10d524db3a656c7ed20d522feb9a7f3183efeb3588d53865a3a9d259c7707ce1dbbf2d2981fcfb

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.herbmedia.net/csv8/

Decoy

slgacha.com

oohdough.com

6983ylc.com

aykassociate.com

latin-hotspot.com

starrockindia.com

beamsubway.com

queensboutique1000.com

madbaddie.com

bhoomimart.com

ankitparivar.com

aldanasanchezmx.com

citest1597669833.com

cristianofreitas.com

myplantus.com

counterfeitmilk.com

8xf39.com

pregnantwomens.com

yyyut6.com

stnanguo.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Companyprofile_Order_384658353.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:740
    • C:\Windows\SysWOW64\wuapp.exe
      "C:\Windows\SysWOW64\wuapp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
          PID:1328
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:560
        • C:\Users\Public\vbc.exe
          "{path}"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1324

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/560-10-0x000000006C560000-0x000000006CC4E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/560-11-0x00000000008F0000-0x00000000008F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/560-13-0x0000000000880000-0x00000000008E1000-memory.dmp

      Filesize

      388KB

      Download

    • memory/560-16-0x0000000000640000-0x000000000064E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/560-17-0x0000000005190000-0x00000000051F1000-memory.dmp

      Filesize

      388KB

      Download

    • memory/1220-2-0x000007FEF7E50000-0x000007FEF80CA000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1324-18-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1788-23-0x0000000000C90000-0x0000000000C9B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1788-25-0x00000000042E0000-0x0000000004463000-memory.dmp

      Filesize

      1.5MB

      Download