Overview

overview

10

Static

static

6b69aa9ccb...9.xlsx

windows7_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    06-12-2021 11:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b69aa9ccb11ee883edf10da3f6114cc37f37fc9.xlsx

  • Size

    815KB

  • MD5

    d1e4e57c50f3f7917df39d4c241db7d6

  • SHA1

    6b69aa9ccb11ee883edf10da3f6114cc37f37fc9

  • SHA256

    6b876eb9b7f8e0a5a2c136c0557e8f7180cf1c0213a8f816b7625a629bd6f613

  • SHA512

    9e4465e2f743f10a4aab4867fa45dc8dd073e087a222fa5a464966676dc6d4182d3dc29a9081b375a674b884aba19f76be2fa11091a9cca1a41840d2c3c05a7b

Score
10/10
formbookjy0bratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy0b

C2

http://www.filecrev.com/jy0b/

Decoy

lamejorimagen.com

mykabukibrush.com

modgon.com

barefoottherapeutics.com

shimpeg.net

trade-sniper.com

chiangkhancityhotel.com

joblessmoni.club

stespritsubways.com

chico-group.com

nni8.xyz

searchtypically.online

jobsyork.com

bestsales-crypto.com

iqmarketing.info

bullcityphotobooths.com

fwssc.icu

1oc87s.icu

usdiesel.xyz

secrets2optimumnutrition.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 9 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6b69aa9ccb11ee883edf10da3f6114cc37f37fc9.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1088
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\index.exe"
        3⤵
          PID:1896
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Users\Admin\AppData\Roaming\index.exe
        C:\Users\Admin\AppData\Roaming\index.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Users\Admin\AppData\Roaming\index.exe
          C:\Users\Admin\AppData\Roaming\index.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1980

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\index.exe
      MD5

      e9de6480e0583d57cbb969c7781a7aa1

      SHA1

      bc8659373ff3a907e7e8ff22b08230a70ef20541

      SHA256

      ad94693e6550491b7d00000042ecad4a74d8a4af46bdd47c79245b0e321836ad

      SHA512

      876ee20f12cfce5be62353d87accd6fb6c9777dd55d34a2b28eac08a7ee00d6feb94e80177f99a4bcb511ed4b210f45db28c7bb978ea5ce6223c43025515d3e5

      Download Submit
    • C:\Users\Admin\AppData\Roaming\index.exe
      MD5

      e9de6480e0583d57cbb969c7781a7aa1

      SHA1

      bc8659373ff3a907e7e8ff22b08230a70ef20541

      SHA256

      ad94693e6550491b7d00000042ecad4a74d8a4af46bdd47c79245b0e321836ad

      SHA512

      876ee20f12cfce5be62353d87accd6fb6c9777dd55d34a2b28eac08a7ee00d6feb94e80177f99a4bcb511ed4b210f45db28c7bb978ea5ce6223c43025515d3e5

      Download Submit
    • C:\Users\Admin\AppData\Roaming\index.exe
      MD5

      e9de6480e0583d57cbb969c7781a7aa1

      SHA1

      bc8659373ff3a907e7e8ff22b08230a70ef20541

      SHA256

      ad94693e6550491b7d00000042ecad4a74d8a4af46bdd47c79245b0e321836ad

      SHA512

      876ee20f12cfce5be62353d87accd6fb6c9777dd55d34a2b28eac08a7ee00d6feb94e80177f99a4bcb511ed4b210f45db28c7bb978ea5ce6223c43025515d3e5

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsi3959.tmp\xgrpvavvrtk.dll
      MD5

      31ce7f27deba4a241a253cace1be878c

      SHA1

      b01c7d08e05b9af2f456fc1c7bb1b7b7e6ccfb6b

      SHA256

      4dfd10a70eea2c77cd5de3116d8d59fe3fff8792b87d62a53595128563c78b33

      SHA512

      11067c2bb016c02f8db7a2833541b6bc9e93345209fa1cf891c70bb394332689e590aa1238ecc44d120ba4403c605b6a1f849a2268de520e3f8f86e52949f2de

      Download Submit
    • \Users\Admin\AppData\Roaming\index.exe
      MD5

      e9de6480e0583d57cbb969c7781a7aa1

      SHA1

      bc8659373ff3a907e7e8ff22b08230a70ef20541

      SHA256

      ad94693e6550491b7d00000042ecad4a74d8a4af46bdd47c79245b0e321836ad

      SHA512

      876ee20f12cfce5be62353d87accd6fb6c9777dd55d34a2b28eac08a7ee00d6feb94e80177f99a4bcb511ed4b210f45db28c7bb978ea5ce6223c43025515d3e5

      Download Submit
    • memory/1064-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1064-76-0x0000000001F30000-0x0000000002233000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1064-77-0x0000000000970000-0x0000000000A03000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1064-75-0x0000000000070000-0x000000000009F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1064-74-0x0000000000B00000-0x0000000000B26000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1088-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1088-56-0x0000000071A81000-0x0000000071A83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1088-55-0x000000002F0D1000-0x000000002F0D4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1352-78-0x0000000006D30000-0x0000000006E43000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1352-71-0x0000000005010000-0x00000000050FA000-memory.dmp
      Filesize

      936KB

      Download
    • memory/1820-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1852-58-0x0000000075D31000-0x0000000075D33000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1896-73-0x0000000000000000-mapping.dmp
      Download
    • memory/1980-66-0x000000000041F150-mapping.dmp
      Download
    • memory/1980-69-0x0000000000770000-0x0000000000A73000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1980-70-0x0000000000690000-0x00000000006A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1980-65-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download