Analysis
max time kernel: 151s
max time network: 182s
platform: windows7_x64
resource: win7v20210408
submitted: 28-07-2021 09:28
Static task: static1
Behavioral task behavioral1: sample PO-829ARTS-PI 2021-7-17.xlsx, resource win7v20210408
Behavioral task behavioral2: sample PO-829ARTS-PI 2021-7-17.xlsx, resource win10v20210410
General
Target: PO-829ARTS-PI 2021-7-17.xlsx
Size: 1.1MB
MD5: ba24c9c748b75fb64abc01cc6c18ed81
SHA1: a08173593973d23242ad28722cf60924f77fdcff
SHA256: 25cf0d59c10c48159f55b2ed560b6f3974f5b007b9b4bb31b9cfd5e33ca0bd09
SHA512: 2536da0aacd37188278d31205b912096d37e9c62cb9247cae0e15d7999ec02ab9697db71b72c3e188e07240064bae77d584606cf9f3c3746bdadabd59177528d
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.fortmyerscruisevacation.com/dd2v/
Decoy domains (Formbook embeds a list of decoy domains alongside its single C2 URL; the C2 is the actionable network IoC, the decoys are context and include legitimate sites, so do not block them wholesale):
jkrqzmeyd.icu
cbluedottvwdshop.com
yhchen.space
premierhealthnwellness.com
szkuyaju.com
harvestmoonloans.net
dadematerial.com
mariaclarahairstudio.com
hwunvy.online
puloutjbmere.com
kossu1989.com
dubbedos.com
ncylis.com
hybrid-sol.com
travelature.com
gracefulcounts.com
66secretgarden.com
eslonyourcell.com
wisersponsorship.com
sepn3.com
mozambiquematrimony.com
valvulasyconexiones.com
drinksupercofee.com
universe-direct.com
alvesdeabreu.info
sitepew.life
tentenflower.net
jqclean.com
lotusinplay247.com
safaricaretransportation.com
bosscheschool.com
rentahome.online
syeddropship.com
dsavohv.icu
mainspaceforcontenting.club
onlinemedsus.com
getueaqaredre.com
raregirlgem.net
cohenone.com
luxsot.com
levelupbbqcleaning.com
bttjagalan.xyz
nisheying.com
2299diamond301.com
soilfoodwebofcolorado.com
postcomanetwork.com
directivewellness.com
adewalesolarin-maths.com
kumarendran.com
wgan3rdpartyserviceprovider.com
kidsclothing.center
lielm.com
codebcodeenforcement.net
cash4monero.com
greatlookingmom.com
laconices.com
q99f.com
olimpobarberiaspa.com
urockoffroad.com
bestselfcoachingforfitpros.com
collectionbypaty.com
hindustanpu.com
atlerz.com
strategyonerealty.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Formbook Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/1500-73-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/724-86-0x0000000000090000-0x00000000000BE000-memory.dmp | formbook

Blocklisted process makes network request (1 IoC)
flow | pid | process
6 | 1960 | EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid | process
1084 | vbc.exe

Loads dropped DLL (4 IoCs)
pid | process
1960 | EQNEDT32.EXE (4 loads)

Uses the VBS compiler for execution (1 TTP)
vbc.exe is the file name of the .NET Visual Basic compiler, but the file executed here is the dropped payload at C:\Users\Public\vbc.exe (hashes under Downloads), not the framework binary.

Suspicious use of SetThreadContext (4 IoCs)
pid | process | target pid | target process
1084 | vbc.exe | 1500 | svchost.exe
1500 | svchost.exe | 1208 | Explorer.EXE
1500 | svchost.exe | 1208 | Explorer.EXE
724 | wuapp.exe | 1208 | Explorer.EXE

Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. It is started out-of-process through COM (the -Embedding switch in the process tree below), so EQNEDT32.EXE is not a child of EXCEL.EXE and its tree is rooted separately; in this run it is the process that makes the network request, downloads the MZ/PE file and starts C:\Users\Public\vbc.exe. Office14 is Office 2010; Microsoft removed this component in the January 2018 Office security updates, so a machine that still launches it has not received them.
Modifies Internet Explorer settings (9 IoCs)
All keys below are under \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer. These are Office's own IE toolbar and context-menu registrations (Send to OneNote, Export to Microsoft Excel) written when Excel starts, not attacker activity.
description | ioc | process
Key created | \Toolbar | EXCEL.EXE
Set value (str) | \Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \MenuExt | EXCEL.EXE
Set value (int) | \MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Set value (int) | \MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key created | \MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Key created | \MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (str) | \MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | process
1648 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid | process | count
1500 | svchost.exe | 3
724 | wuapp.exe | 26

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
1208 | Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
pid | process | count
1084 | vbc.exe | 1
1500 | svchost.exe | 4
724 | wuapp.exe | 2

Suspicious use of AdjustPrivilegeToken (9 IoCs)
token | pid | process | count
SeDebugPrivilege | 1500 | svchost.exe | 1
SeShutdownPrivilege | 1208 | Explorer.EXE | 4
SeDebugPrivilege | 724 | wuapp.exe | 1
SeShutdownPrivilege | 1208 | Explorer.EXE | 3

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | process | count
1208 | Explorer.EXE | 4

Suspicious use of SendNotifyMessage (4 IoCs)
pid | process | count
1208 | Explorer.EXE | 4

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | process | count
1648 | EXCEL.EXE | 3

Suspicious use of WriteProcessMemory (20 IoCs)
pid | process | target pid | target process | count
1960 | EQNEDT32.EXE | 1084 | vbc.exe | 4
1084 | vbc.exe | 1500 | svchost.exe | 5
1208 | Explorer.EXE | 724 | wuapp.exe | 7
724 | wuapp.exe | 940 | cmd.exe | 4
Processes
C:\Windows\Explorer.EXE (PID 1208)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  └ C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1648)
      command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PO-829ARTS-PI 2021-7-17.xlsx"
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
  └ C:\Windows\SysWOW64\wuapp.exe (PID 724)
      command line: "C:\Windows\SysWOW64\wuapp.exe"
      (started and written into by Explorer.EXE after svchost.exe 1500 set Explorer's thread context; it then targets Explorer.EXE itself and runs the cleanup below)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\cmd.exe (PID 940)
          command line: /c del "C:\Windows\SysWOW64\svchost.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1960)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Public\vbc.exe (PID 1084)
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\svchost.exe (PID 1500)
          command line: "C:\Users\Public\vbc.exe"
          (image path and command line disagree: vbc.exe wrote into this svchost.exe and reset its thread context, see the WriteProcessMemory and SetThreadContext entries above, and the hollowed process keeps its parent's command line)
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
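The process tree above carries three tell-tale artefacts that do not need API-level telemetry to spot: EQNEDT32.EXE creating a child process, an executable running from C:\Users\Public, and a svchost.exe whose command line names a different program. The following is an added detection example written for this page, not code from the sandbox or from any vendor; it runs four checks over constructed Sysmon-style process-creation records whose PIDs, paths and command lines are copied from the tree (the record layout and the parent of EQNEDT32.EXE, which the tree does not record, are assumptions).

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record; the field set mirrors Sysmon Event ID 1
    (assumed shape, not the sandbox's own schema)."""
    pid: int
    image: str          # full path of the created process
    cmdline: str        # command line exactly as recorded
    parent_image: str   # full path of the creator, "" when not recorded


# Drop locations a payload is commonly written to before execution.
USER_WRITABLE = (r"c:\users\public", r"\appdata\local\temp", r"\appdata\roaming")


def first_token(cmdline: str) -> str:
    """Program token of a Windows command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: ProcEvent) -> list:
    """Return the names of the checks that fire for one event."""
    hits = []
    # 1. The Equation Editor has no legitimate reason to create a process.
    if base(ev.parent_image) == "eqnedt32.exe":
        hits.append("eqnedt32_spawned_child")
    # 2. Executable started from a user-writable drop location.
    if any(m in ev.image.lower() for m in USER_WRITABLE):
        hits.append("exec_from_user_writable_dir")
    # 3. The program named in the command line is not the image that runs:
    #    the hollowed svchost.exe in the tree still carries vbc.exe's line.
    #    Only path-like tokens count, so a bare "/c del ..." is no mismatch.
    tok = first_token(ev.cmdline)
    if tok and ("\\" in tok or tok.lower().endswith(".exe")) and base(tok) != base(ev.image):
        hits.append("image_cmdline_mismatch")
    # 4. cmd.exe deleting an executable: payload cleanup / self-delete.
    toks = [t.strip('"').lower() for t in ev.cmdline.split()]
    if base(ev.image) == "cmd.exe" and "del" in toks and any(t.endswith(".exe") for t in toks):
        hits.append("cmd_del_executable")
    return hits


def run_checks(events) -> dict:
    """Map pid -> fired checks for every event that triggers at least one."""
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


# Constructed events: PIDs, paths and command lines copied from the process
# tree; the parent of EQNEDT32.EXE is not recorded there, so it is left "".
EVENTS = [
    ProcEvent(1648, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
              r'"C:\Users\Admin\AppData\Local\Temp\PO-829ARTS-PI 2021-7-17.xlsx"',
              r"C:\Windows\Explorer.EXE"),
    ProcEvent(1960, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
              ""),
    ProcEvent(1084, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"',
              r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"),
    ProcEvent(1500, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Users\Public\vbc.exe"',
              r"C:\Users\Public\vbc.exe"),
    ProcEvent(724, r"C:\Windows\SysWOW64\wuapp.exe", r'"C:\Windows\SysWOW64\wuapp.exe"',
              r"C:\Windows\Explorer.EXE"),
    ProcEvent(940, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Windows\SysWOW64\svchost.exe"',
              r"C:\Windows\SysWOW64\wuapp.exe"),
]

if __name__ == "__main__":
    for pid, hits in run_checks(EVENTS).items():
        print(pid, ", ".join(hits))
```

Run as-is it flags 1084 (Equation Editor child from a public directory), 1500 (image/command-line mismatch) and 940 (cmd.exe deleting an executable). The Explorer-spawned wuapp.exe (724) looks clean on process creation alone; it only stands out through the SetThreadContext and WriteProcessMemory entries, which need API-level or kernel telemetry rather than process-creation logs.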
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Public\vbc.exe (also recorded as \Users\Public\vbc.exe; the same file with identical hashes)
MD5: a584c1efdc2d5911278ab43d1fc671af
SHA1: 58bbfeda525cd20cde716d8d587b96a58a494d6f
SHA256: 8c988a622b822f0fc226b928ab317dc7a6130b395f74a3e39c3443b275c93771
SHA512: 2bbc2892dca895ed1e2ede7a198c08baeb943e701defad1415efc4d78e3e9eeabaa9056cb5c64bad904b926ff51d8d4b234bef55657cd1478ddf2f1e0625bbcc
-
memory/724-86-0x0000000000090000-0x00000000000BE000-memory.dmpFilesize
184KB
-
memory/724-83-0x0000000000000000-mapping.dmp
-
memory/724-88-0x0000000000900000-0x0000000000993000-memory.dmpFilesize
588KB
-
memory/724-85-0x00000000012B0000-0x00000000012BB000-memory.dmpFilesize
44KB
-
memory/724-87-0x0000000000A90000-0x0000000000D93000-memory.dmpFilesize
3.0MB
-
memory/940-84-0x0000000000000000-mapping.dmp
-
memory/1084-68-0x0000000000000000-mapping.dmp
-
memory/1084-72-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/1208-82-0x0000000004CF0000-0x0000000004E2A000-memory.dmpFilesize
1.2MB
-
memory/1208-89-0x0000000003D40000-0x0000000003DE7000-memory.dmpFilesize
668KB
-
memory/1208-76-0x0000000007340000-0x00000000074E2000-memory.dmpFilesize
1.6MB
-
memory/1500-74-0x0000000000780000-0x0000000000A83000-memory.dmpFilesize
3.0MB
-
memory/1500-75-0x0000000000360000-0x0000000000374000-memory.dmpFilesize
80KB
-
memory/1500-71-0x000000000041EC70-mapping.dmp
-
memory/1500-73-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1500-81-0x00000000003A0000-0x00000000003B4000-memory.dmpFilesize
80KB
-
memory/1648-60-0x000000002F791000-0x000000002F794000-memory.dmpFilesize
12KB
-
memory/1648-78-0x0000000005D20000-0x0000000005E7C000-memory.dmpFilesize
1.4MB
-
memory/1648-77-0x0000000005D20000-0x0000000005E7C000-memory.dmpFilesize
1.4MB
-
memory/1648-80-0x0000000005D20000-0x0000000005E7C000-memory.dmpFilesize
1.4MB
-
memory/1648-79-0x0000000005D20000-0x0000000005E7C000-memory.dmpFilesize
1.4MB
-
memory/1648-62-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1648-61-0x00000000716D1000-0x00000000716D3000-memory.dmpFilesize
8KB
-
memory/1648-90-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1960-63-0x0000000076641000-0x0000000076643000-memory.dmpFilesize
8KB