Overview

overview

10

Static

static

PN210700369.doc

windows7_x64

10

PN210700369.doc

windows10_x64

1

Analysis

  • max time kernel
    147s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    28-09-2021 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PN210700369.doc

  • Size

    12KB

  • MD5

    0ab8548f84307cc143104f8557e39f20

  • SHA1

    1a7472fc4e86faa731c4870e2ca3999f1aab5d6b

  • SHA256

    ae5beb31d816f7bc882e8422ea7d06fcd48d210d120ab9c505343f87d93e5b00

  • SHA512

    da2f86e69be7e0d8b8c0beafeee2230ec7ebfba7dd48c99d31bd23061eb27199145e6e65ec0ea49dc92aa50a2349454953ff3333442c1f6c3acf517b1245e3ee

Score
10/10
formbooked9sratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ed9s

C2

http://www.vaughnmethod.com/ed9s/

Decoy

pocketoptioniraq.com

merabestsolutions.com

atelectronics.site

fuxueshi.net

infinitystay.com

forensicconcept.site

txpmachine.com

masterwhs.xyz

dia-gnwsis.art

fulltiltnodes.com

bigbnbbsc.com

formation-figma.com

bonanacroin.net

medicalmarijuanasatx.com

bagnavy.com

aaegiscares.net

presentationpublicschool.com

bestyousite.site

prescriptionn.com

beyondthenormbouquets.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PN210700369.doc"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1680
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
          3⤵
            PID:1644
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
          "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1796
          • C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
            "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
            3⤵
            • Executes dropped EXE
            PID:1952
          • C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
            "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
            3⤵
            • Executes dropped EXE
            PID:1512
          • C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
            "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1520

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
        MD5

        45703e2e8fea96fffb9db9aa78213b20

        SHA1

        4c1d8fcf41c7ea7aa12bcd716a88836fb7dae3ea

        SHA256

        9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3

        SHA512

        ba3958967c0ce10455e2a1f0e0773c5ab568320c3df51324e51ca16022e36e49f84e69500043e62540df14d65610fc90aa2e77c4863b8da07f613a3227906753

        Download Submit
      • C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
        MD5

        45703e2e8fea96fffb9db9aa78213b20

        SHA1

        4c1d8fcf41c7ea7aa12bcd716a88836fb7dae3ea

        SHA256

        9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3

        SHA512

        ba3958967c0ce10455e2a1f0e0773c5ab568320c3df51324e51ca16022e36e49f84e69500043e62540df14d65610fc90aa2e77c4863b8da07f613a3227906753

        Download Submit
      • C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
        MD5

        45703e2e8fea96fffb9db9aa78213b20

        SHA1

        4c1d8fcf41c7ea7aa12bcd716a88836fb7dae3ea

        SHA256

        9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3

        SHA512

        ba3958967c0ce10455e2a1f0e0773c5ab568320c3df51324e51ca16022e36e49f84e69500043e62540df14d65610fc90aa2e77c4863b8da07f613a3227906753

        Download Submit
      • C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
        MD5

        45703e2e8fea96fffb9db9aa78213b20

        SHA1

        4c1d8fcf41c7ea7aa12bcd716a88836fb7dae3ea

        SHA256

        9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3

        SHA512

        ba3958967c0ce10455e2a1f0e0773c5ab568320c3df51324e51ca16022e36e49f84e69500043e62540df14d65610fc90aa2e77c4863b8da07f613a3227906753

        Download Submit
      • C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
        MD5

        45703e2e8fea96fffb9db9aa78213b20

        SHA1

        4c1d8fcf41c7ea7aa12bcd716a88836fb7dae3ea

        SHA256

        9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3

        SHA512

        ba3958967c0ce10455e2a1f0e0773c5ab568320c3df51324e51ca16022e36e49f84e69500043e62540df14d65610fc90aa2e77c4863b8da07f613a3227906753

        Download Submit
      • \Users\Admin\AppData\Roaming\obinahwi7863.exe
        MD5

        45703e2e8fea96fffb9db9aa78213b20

        SHA1

        4c1d8fcf41c7ea7aa12bcd716a88836fb7dae3ea

        SHA256

        9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3

        SHA512

        ba3958967c0ce10455e2a1f0e0773c5ab568320c3df51324e51ca16022e36e49f84e69500043e62540df14d65610fc90aa2e77c4863b8da07f613a3227906753

        Download Submit
      • memory/580-88-0x0000000002100000-0x0000000002403000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/580-85-0x0000000000B40000-0x0000000000B66000-memory.dmp
        Filesize

        152KB

        Download
      • memory/580-86-0x0000000000170000-0x000000000019F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/580-84-0x0000000000000000-mapping.dmp
        Download
      • memory/580-89-0x0000000002010000-0x00000000020A3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1224-83-0x0000000006130000-0x000000000625C000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1224-90-0x0000000006260000-0x00000000063BC000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1520-82-0x0000000000290000-0x00000000002A4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1520-78-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1520-81-0x0000000000AE0000-0x0000000000DE3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1520-79-0x000000000041F160-mapping.dmp
        Download
      • memory/1644-87-0x0000000000000000-mapping.dmp
        Download
      • memory/1680-72-0x0000000000000000-mapping.dmp
        Download
      • memory/1680-73-0x000007FEFC051000-0x000007FEFC053000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1796-75-0x0000000004370000-0x00000000043A1000-memory.dmp
        Filesize

        196KB

        Download
      • memory/1796-74-0x0000000005220000-0x0000000005282000-memory.dmp
        Filesize

        392KB

        Download
      • memory/1796-71-0x0000000000360000-0x000000000036E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1796-70-0x0000000004C00000-0x0000000004C01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1796-68-0x0000000000A40000-0x0000000000A41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1796-65-0x0000000000000000-mapping.dmp
        Download
      • memory/1968-59-0x0000000072B51000-0x0000000072B54000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1968-62-0x00000000767B1000-0x00000000767B3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1968-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1968-60-0x00000000705D1000-0x00000000705D3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1968-91-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download