Overview

overview

10

Static

static

PROFORMA INVOICE.xlsx

windows7_x64

10

PROFORMA INVOICE.xlsx

windows10_x64

1

Analysis

  • max time kernel
    152s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    24-11-2021 17:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PROFORMA INVOICE.xlsx

  • Size

    228KB

  • MD5

    0193aca82acbba4004353cc61a526cfd

  • SHA1

    27b9f7396ac1ac67e5215b6e046e070eceb13313

  • SHA256

    46fc6bd623a690f8b431b110bf5a0a1e030897c6d0f8945a9fb31e407a542d1f

  • SHA512

    f6459401a6a49080265e9277a6e7481df1cd2b2c67b3563ad83aaa9caf3b0b4980e124cc91c944f67c62f75cc0b89e2ee434e53a3cde6332e675222824ee71f9

Score
10/10
formbookog2wratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

og2w

C2

http://www.celikkaya.xyz/og2w/

Decoy

drivenexpress.info

pdfproxy.com

zyz999.top

oceanserver1.com

948289.com

nubilewoman.com

ibizadiamonds.com

bosniantv-australia.com

juliehutzell.com

poshesocial.events

icsrwk.xyz

nap-con.com

womansslippers.com

invictusfarm.com

search-panel-avg-rock.rest

desencriptar.com

imperialexoticreptiles.com

agastify.com

strinvstr.com

julianapeloi.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 4 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 12 IoCs
    installer
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:1260
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.xlsx"
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1080
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Windows\SysWOW64\wlanext.exe
          "C:\Windows\SysWOW64\wlanext.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Public\vbc.exe"
            5⤵
              PID:1788

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\vbc.exe
      MD5

      5a7590d95bea1d652bc15e61f0fb9305

      SHA1

      26c9ef5ef0db8052f9eb9c4ad5e46e993d602b71

      SHA256

      8ecc67e648078fa01a53b0c20ffaa8896e0bd3cc1ce5baca9ff6ddd7cd41b266

      SHA512

      505ca1a2ef061f83fd843632317ab2b9011cb51a0bc99d70e6e433dacfad2e60721fb1bcab0f3d303d4e9d0d2c1913cf7194645513a787baf7fb3810a63738d2

      Download Submit
    • C:\Users\Public\vbc.exe
      MD5

      5a7590d95bea1d652bc15e61f0fb9305

      SHA1

      26c9ef5ef0db8052f9eb9c4ad5e46e993d602b71

      SHA256

      8ecc67e648078fa01a53b0c20ffaa8896e0bd3cc1ce5baca9ff6ddd7cd41b266

      SHA512

      505ca1a2ef061f83fd843632317ab2b9011cb51a0bc99d70e6e433dacfad2e60721fb1bcab0f3d303d4e9d0d2c1913cf7194645513a787baf7fb3810a63738d2

      Download Submit
    • C:\Users\Public\vbc.exe
      MD5

      5a7590d95bea1d652bc15e61f0fb9305

      SHA1

      26c9ef5ef0db8052f9eb9c4ad5e46e993d602b71

      SHA256

      8ecc67e648078fa01a53b0c20ffaa8896e0bd3cc1ce5baca9ff6ddd7cd41b266

      SHA512

      505ca1a2ef061f83fd843632317ab2b9011cb51a0bc99d70e6e433dacfad2e60721fb1bcab0f3d303d4e9d0d2c1913cf7194645513a787baf7fb3810a63738d2

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsd145C.tmp\sifdcrtzcf.dll
      MD5

      26bf6c1c9418d1436cca4f8e751a4e98

      SHA1

      30247b287ac6393da3bcc49383d2dcd1742d3d86

      SHA256

      11887f9b0e0d3219fafa09a754d466b9fa8c79447cb8f596fc6fcfb2b294c17e

      SHA512

      1847fe94da8d216476819b6727b4eb4b444472140125a837a17522bc9b21a5a956f63efa8f965515267a82582252541b0c54dba5eb6d561c37606e156ea4832a

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      5a7590d95bea1d652bc15e61f0fb9305

      SHA1

      26c9ef5ef0db8052f9eb9c4ad5e46e993d602b71

      SHA256

      8ecc67e648078fa01a53b0c20ffaa8896e0bd3cc1ce5baca9ff6ddd7cd41b266

      SHA512

      505ca1a2ef061f83fd843632317ab2b9011cb51a0bc99d70e6e433dacfad2e60721fb1bcab0f3d303d4e9d0d2c1913cf7194645513a787baf7fb3810a63738d2

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      5a7590d95bea1d652bc15e61f0fb9305

      SHA1

      26c9ef5ef0db8052f9eb9c4ad5e46e993d602b71

      SHA256

      8ecc67e648078fa01a53b0c20ffaa8896e0bd3cc1ce5baca9ff6ddd7cd41b266

      SHA512

      505ca1a2ef061f83fd843632317ab2b9011cb51a0bc99d70e6e433dacfad2e60721fb1bcab0f3d303d4e9d0d2c1913cf7194645513a787baf7fb3810a63738d2

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      5a7590d95bea1d652bc15e61f0fb9305

      SHA1

      26c9ef5ef0db8052f9eb9c4ad5e46e993d602b71

      SHA256

      8ecc67e648078fa01a53b0c20ffaa8896e0bd3cc1ce5baca9ff6ddd7cd41b266

      SHA512

      505ca1a2ef061f83fd843632317ab2b9011cb51a0bc99d70e6e433dacfad2e60721fb1bcab0f3d303d4e9d0d2c1913cf7194645513a787baf7fb3810a63738d2

      Download Submit
    • memory/516-58-0x0000000075A61000-0x0000000075A63000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1080-84-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1080-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1080-55-0x000000002FAD1000-0x000000002FAD4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1080-56-0x0000000071851000-0x0000000071853000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1260-76-0x0000000005F60000-0x0000000006032000-memory.dmp
      Filesize

      840KB

      Download
    • memory/1260-83-0x0000000006FD0000-0x00000000070FE000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1260-73-0x0000000006C20000-0x0000000006D40000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1316-79-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1316-77-0x0000000000000000-mapping.dmp
      Download
    • memory/1316-78-0x0000000000C00000-0x0000000000C16000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1316-81-0x0000000002020000-0x0000000002323000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1316-82-0x0000000000860000-0x00000000008F3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1368-71-0x0000000000700000-0x0000000000A03000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1368-74-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1368-72-0x0000000000580000-0x0000000000594000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1368-75-0x0000000002210000-0x0000000002224000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1368-68-0x000000000041F130-mapping.dmp
      Download
    • memory/1368-67-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1788-80-0x0000000000000000-mapping.dmp
      Download
    • memory/2012-62-0x0000000000000000-mapping.dmp
      Download