Analysis

  • max time kernel: 166s
  • max time network: 186s
  • platform: windows7_x64
  • resource: win7-en-20211208
  • submitted: 02-02-2022 07:30

General

  • Target: Energypac Pty. Ltd.rtf
  • Size: 11KB
  • MD5: d3fe6624b0f044affcbd0ef54f646ec8
  • SHA1: 2df87a6549c40d6492548e91180c417849557b8d
  • SHA256: fe17e03a00c4aee4bb8daa8507c1b9bc88a28f3f7c53f10f064a8dbbe7b3dc96
  • SHA512: 5697394a1c40866fcfef79591f31247997f867942ee63553d892ad23f5928a429e133d2490f774acbd9580391071f53933f5833955a8dccf2a98a20462196b04

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: cw22
  • Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:1396
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Energypac Pty. Ltd.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1960
      • C:\Windows\SysWOW64\wininit.exe
        "C:\Windows\SysWOW64\wininit.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Roaming\mannqigh461.exe"
          3⤵
          PID:1428
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:924
        • C:\Users\Admin\AppData\Roaming\mannqigh461.exe
          "C:\Users\Admin\AppData\Roaming\mannqigh461.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1896
          • C:\Users\Admin\AppData\Roaming\mannqigh461.exe
            "C:\Users\Admin\AppData\Roaming\mannqigh461.exe"
            3⤵
            • Executes dropped EXE
            PID:1332

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Exploitation for Client Execution, T1203 (1)
  • Defense Evasion: Modify Registry, T1112 (1)

Downloads

  • C:\Users\Admin\AppData\Roaming\mannqigh461.exe
    MD5: 08d0123dafcf77fe7c7e989aa66c45cb
    SHA1: b19e2065990e1850973e424ea8145e4ebca1e99e
    SHA256: 710c54870ea0ff9f9af19f69741a3e4199ca4d441cb3cc9e27d2020cb2ee2ae3
    SHA512: 6446495ab2ddebfd5f7dc59ae83a744ec4882e31604dadbee994ed0c31f6609156ff69d7a6c005aef04cc068019fab2563a3a447cc8c9ac1f9a6c0e132880fb7

  • memory/1272-73-0x00000000007E0000-0x0000000000873000-memory.dmp (Filesize: 588KB)
  • memory/1272-72-0x0000000001FF0000-0x00000000022F3000-memory.dmp (Filesize: 3.0MB)
  • memory/1332-68-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/1332-69-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/1332-70-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/1396-74-0x00000000069E0000-0x0000000006AB8000-memory.dmp (Filesize: 864KB)
  • memory/1684-54-0x0000000072601000-0x0000000072604000-memory.dmp (Filesize: 12KB)
  • memory/1684-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/1684-55-0x0000000070081000-0x0000000070083000-memory.dmp (Filesize: 8KB)
  • memory/1684-57-0x0000000076421000-0x0000000076423000-memory.dmp (Filesize: 8KB)
  • memory/1684-75-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/1896-62-0x0000000000E70000-0x0000000000EEA000-memory.dmp (Filesize: 488KB)
  • memory/1896-67-0x0000000005200000-0x0000000005266000-memory.dmp (Filesize: 408KB)
  • memory/1896-65-0x00000000008A0000-0x00000000008B4000-memory.dmp (Filesize: 80KB)
  • memory/1896-64-0x0000000004840000-0x0000000004841000-memory.dmp (Filesize: 4KB)
  • memory/1960-66-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp (Filesize: 8KB)