Analysis

  • max time kernel
    152s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    25-11-2021 16:58

General

  • Target

    New order - C.S.I No. 04183.xlsx

  • Size

    228KB

  • MD5

    bc2d171f6ea23a58ce5cca820869295c

  • SHA1

    dafd3a3276c12ee6d20206573d65d6fb10e6af7b

  • SHA256

    408c41f67cc40208f1518b050db8b6d0f315dae817e26c5ae43efe917506c226

  • SHA512

    f46d62b6cd47184db12bd302def63e945063e471bbab3f02483c9c66c83d751e65c97d3f4f4d1d5f4d08bad1e1fd3bb882f97a85f363945a1659913ce47077b3

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

og2w

C2

http://www.celikkaya.xyz/og2w/

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook Payload (3 IoCs)
  • Blocklisted process makes network request (1 IoC)
  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Uses the VBS compiler for execution (1 TTP)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer (12 IoCs)
  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Launches Equation Editor (1 TTP, 1 IoC)

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (25 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (19 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\New order - C.S.I No. 04183.xlsx"
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1600
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1076
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      PID:288
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
        PID:564
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scripting (1) T1064
    Exploitation for Client Execution (1) T1203
  • Defense Evasion
    Scripting (1) T1064
    Modify Registry (1) T1112
  • Discovery
    System Information Discovery (2) T1082
    Query Registry (1) T1012

Downloads

  • C:\Users\Public\vbc.exe
    MD5
    4d1b51fe258be32d346b3507abeddcb3
    SHA1
    977a34967b0b42a19969dd1106ef74439d306dce
    SHA256
    0c6d57557120decedc9a102794ea95bcaf64529eb1f18058e4df62c34b724988
    SHA512
    27330f64606cfebbe834e2d419e5f34207c1bfbbae22da52763c8fe8e48a001d52e2c5ab1b93ee9cfd2e5b4df02c09628f82be2cd5d340ca0711c004aed1ec12

  • \Users\Admin\AppData\Local\Temp\nso6385.tmp\folvcfp.dll
    MD5
    cf3b520e83af10cd581888715e23c700
    SHA1
    a03e9da020c79a0b110e05bb8cffcaec9275720b
    SHA256
    57e5b81aa1d1c628dd849e005e32b19a3dc3af9e3f5797f5770aa2462d13b489
    SHA512
    a5e773947de896269c9ba6e92731f69fbd3e5af185a623321b3d98760f9c0287f92950e762c300af498d9ab5f47d01adc76b2c3ced2634f94ddfeb9c385d2c37

  • \Users\Public\vbc.exe
    MD5
    4d1b51fe258be32d346b3507abeddcb3
    SHA1
    977a34967b0b42a19969dd1106ef74439d306dce
    SHA256
    0c6d57557120decedc9a102794ea95bcaf64529eb1f18058e4df62c34b724988
    SHA512
    27330f64606cfebbe834e2d419e5f34207c1bfbbae22da52763c8fe8e48a001d52e2c5ab1b93ee9cfd2e5b4df02c09628f82be2cd5d340ca0711c004aed1ec12

  • memory/564-75-0x0000000000000000-mapping.dmp
  • memory/1204-62-0x0000000000000000-mapping.dmp
  • memory/1252-73-0x00000000072B0000-0x0000000007435000-memory.dmp
    Filesize 1.5MB
  • memory/1252-80-0x0000000007FD0000-0x0000000008147000-memory.dmp
    Filesize 1.5MB
  • memory/1320-58-0x00000000754A1000-0x00000000754A3000-memory.dmp
    Filesize 8KB
  • memory/1600-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize 64KB
  • memory/1600-81-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize 64KB
  • memory/1600-56-0x00000000713D1000-0x00000000713D3000-memory.dmp
    Filesize 8KB
  • memory/1600-55-0x000000002FD81000-0x000000002FD84000-memory.dmp
    Filesize 12KB
  • memory/1764-68-0x000000000041F130-mapping.dmp
  • memory/1764-71-0x0000000000770000-0x0000000000A73000-memory.dmp
    Filesize 3.0MB
  • memory/1764-72-0x00000000003E0000-0x00000000003F4000-memory.dmp
    Filesize 80KB
  • memory/1764-67-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize 188KB
  • memory/1924-74-0x0000000000000000-mapping.dmp
  • memory/1924-76-0x0000000000850000-0x000000000085D000-memory.dmp
    Filesize 52KB
  • memory/1924-77-0x0000000000080000-0x00000000000AF000-memory.dmp
    Filesize 188KB
  • memory/1924-78-0x00000000020C0000-0x00000000023C3000-memory.dmp
    Filesize 3.0MB
  • memory/1924-79-0x0000000001DF0000-0x0000000001E83000-memory.dmp
    Filesize 588KB