Analysis
max time kernel: 147s
max time network: 184s
platform: windows7_x64
resource: win7v20210408
submitted: 28-09-2021 12:44

Static task: static1
Behavioral task: behavioral1 (Sample: DOC0_92221-09222021112118.doc; Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: DOC0_92221-09222021112118.doc; Resource: win10-en-20210920)

General
Target: DOC0_92221-09222021112118.doc
Size: 15KB
MD5: 5425f15c6cd1a267b6ee3675ced9ba3a
SHA1: 8c85d41e1eb25f784c4badc1959bf0f4f3abd55b
SHA256: 79c8fd1442aab68baf4347c21376163936d5bba720acc046c6bd04908479552a
SHA512: 39dc3968cf6e00ae39a4b3adc9ba85d519b1baf73637f73bd95b287401bcf1106ba76c2b4f275c7460de20e992dce6000a2e522c1692b11d351caf67ed86dd6c
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: vngb
C2: http://www.gvlc0.club/vngb/
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1140-76-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/1140-77-0x000000000041F0E0-mapping.dmp | formbook
behavioral1/memory/1836-88-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook

Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
6 | 1708 | EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
Processes:
pid | process
1792 | mpomtuq8971.exe
1140 | mpomtuq8971.exe

Loads dropped DLL 1 IoCs
Processes:
pid | process
1708 | EQNEDT32.EXE

Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 1792 set thread context of 1140 | 1792 | mpomtuq8971.exe | mpomtuq8971.exe
PID 1140 set thread context of 1224 | 1140 | mpomtuq8971.exe | Explorer.EXE (2 entries)
PID 1836 set thread context of 1224 | 1836 | msdt.exe | Explorer.EXE

Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings 9 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1988 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid | process
1140 | mpomtuq8971.exe (3 entries)
1836 | msdt.exe (17 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1224 | Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
1140 | mpomtuq8971.exe (4 entries)
1836 | msdt.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1140 | mpomtuq8971.exe
Token: SeDebugPrivilege | 1836 | msdt.exe
Token: SeShutdownPrivilege | 1224 | Explorer.EXE (2 entries)

Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
1224 | Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | process
1224 | Explorer.EXE (4 entries)

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1988 | WINWORD.EXE (2 entries)

Suspicious use of WriteProcessMemory 23 IoCs
Processes:
description | pid | process | target process
PID 1708 wrote to memory of 1792 | 1708 | EQNEDT32.EXE | mpomtuq8971.exe (4 entries)
PID 1988 wrote to memory of 1880 | 1988 | WINWORD.EXE | splwow64.exe (4 entries)
PID 1792 wrote to memory of 1140 | 1792 | mpomtuq8971.exe | mpomtuq8971.exe (7 entries)
PID 1224 wrote to memory of 1836 | 1224 | Explorer.EXE | msdt.exe (4 entries)
PID 1836 wrote to memory of 676 | 1836 | msdt.exe | cmd.exe (4 entries)
Processes
(level 1) C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    (level 2) C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DOC0_92221-09222021112118.doc"
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        (level 3) C:\Windows\splwow64.exe
            command line: C:\Windows\splwow64.exe 12288
    (level 2) C:\Windows\SysWOW64\msdt.exe
        command line: "C:\Windows\SysWOW64\msdt.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        (level 3) C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Roaming\mpomtuq8971.exe"
(level 1) C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
    (level 2) C:\Users\Admin\AppData\Roaming\mpomtuq8971.exe
        command line: "C:\Users\Admin\AppData\Roaming\mpomtuq8971.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        (level 3) C:\Users\Admin\AppData\Roaming\mpomtuq8971.exe
            command line: "C:\Users\Admin\AppData\Roaming\mpomtuq8971.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
Downloads
C:\Users\Admin\AppData\Roaming\mpomtuq8971.exe
MD5: 132e157793925e5d203c1641e313d95d
SHA1: 3d01108b60fb36cc24ba4ed9f20989f3c646d2dc
SHA256: e14df53adff2889344d4502133a00a389e06039715c26a7724ed3f046fc683a1
SHA512: 75c43c4bb2dc63d51d9e79a29a842dc65f75070f7863d1cec163ebc66298a562655f34b55c443d90b976c5797c488b2aa8a9d237bea8e4903858bb0d31aaff58
dump | Filesize
memory/676-86-0x0000000000000000-mapping.dmp | n/a
memory/1140-82-0x0000000000620000-0x0000000000634000-memory.dmp | 80KB
memory/1140-76-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
memory/1140-79-0x0000000000AF0000-0x0000000000DF3000-memory.dmp | 3.0MB
memory/1140-80-0x0000000000150000-0x0000000000164000-memory.dmp | 80KB
memory/1140-77-0x000000000041F0E0-mapping.dmp | n/a
memory/1224-91-0x0000000006320000-0x0000000006460000-memory.dmp | 1.2MB
memory/1224-83-0x0000000002AD0000-0x0000000002B9A000-memory.dmp | 808KB
memory/1224-81-0x00000000061B0000-0x000000000631D000-memory.dmp | 1.4MB
memory/1792-71-0x0000000000480000-0x000000000048E000-memory.dmp | 56KB
memory/1792-75-0x00000000009B0000-0x00000000009E1000-memory.dmp | 196KB
memory/1792-74-0x0000000005370000-0x00000000053D0000-memory.dmp | 384KB
memory/1792-65-0x0000000000000000-mapping.dmp | n/a
memory/1792-70-0x0000000004D80000-0x0000000004D81000-memory.dmp | 4KB
memory/1792-68-0x0000000000A60000-0x0000000000A61000-memory.dmp | 4KB
memory/1836-87-0x0000000000DF0000-0x0000000000EE4000-memory.dmp | 976KB
memory/1836-90-0x0000000000B60000-0x0000000000BF3000-memory.dmp | 588KB
memory/1836-88-0x0000000000080000-0x00000000000AF000-memory.dmp | 188KB
memory/1836-89-0x00000000022F0000-0x00000000025F3000-memory.dmp | 3.0MB
memory/1836-84-0x0000000000000000-mapping.dmp | n/a
memory/1880-73-0x000007FEFC051000-0x000007FEFC053000-memory.dmp | 8KB
memory/1880-72-0x0000000000000000-mapping.dmp | n/a
memory/1988-60-0x00000000705D1000-0x00000000705D3000-memory.dmp | 8KB
memory/1988-59-0x0000000072B51000-0x0000000072B54000-memory.dmp | 12KB
memory/1988-61-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
memory/1988-62-0x00000000767B1000-0x00000000767B3000-memory.dmp | 8KB
memory/1988-92-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB