Overview

overview

10

Static

static

AWB_NO_928...2.xlsx

windows7_x64

10

AWB_NO_928...2.xlsx

windows10-2004_x64

1

decrypted.xlsx

windows7_x64

10

decrypted.xlsx

windows10-2004_x64

1

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    04-05-2022 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    decrypted.xlsx

  • Size

    199KB

  • MD5

    045fef4f9dae5162449cb0dadbf82df1

  • SHA1

    6a26ce7489ad95c4fbae05df9d268ff5ceae5498

  • SHA256

    bddcd8a65e3a8a5bccf3d39865ed76e7f69e357ca0094b8324f1f3501b975c91

  • SHA512

    2d04bfbbe7036dea4e6ae2def0de54fcdecf118d2ec3bc509ecbbd13587f04f50b0a3970eedc682dc77eb1704248484d954612ac7065786e4f86c5e35ae4c222

Score
10/10
formbookfw02ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 4 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1672
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:1580
      • C:\Windows\SysWOW64\cmstp.exe
        "C:\Windows\SysWOW64\cmstp.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe"
          3⤵
            PID:1888
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1700
          • C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe
            C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe C:\Users\Admin\AppData\Local\Temp\cfrdmrwg
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1880
            • C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe
              C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe C:\Users\Admin\AppData\Local\Temp\cfrdmrwg
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:1960

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\3op6m4d1vcvre
        Filesize

        184KB

        MD5

        883e3a371bba46652cef1db30d23e35b

        SHA1

        334a05dc940245cd8d846ae978e3699136cc3175

        SHA256

        94f2ee1b267281c5e118469d49a996c8d2a67df7d3e219cf0196cd8512f1834f

        SHA512

        d3518f5f2ab949c8e89cc1f4e325f1c94648afc30e97b12f048c6d906fa92c1aa575d9e5568cf88d110a02320e4ff3e884f88171e5493469c29aece412327a69

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\cfrdmrwg
        Filesize

        5KB

        MD5

        0208d602cb7743704120e763f9cdfa2b

        SHA1

        080b53e3eb750f4bc8b1cfe1bea62444b05954a4

        SHA256

        3aabc70c2694750180a2a4f7e56e389163db8d04d4dba660f8783de8905cf8ce

        SHA512

        3203adc437ccda7fd71c919e9c5ae6e3b75076441430e1325c3c9cc47ea03f9744ee5cc700185469a0db461aa844501d6e2da0940740f35e370e5883eee036e6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe
        Filesize

        4KB

        MD5

        f3263d29b9c10c4e323227bd098740e8

        SHA1

        7ad4193558a06fa0d44315d6db40e620c440f1d3

        SHA256

        629efdf63bd862d249b94fb80c1d5b4ceb43ee0f2be59ed0310c3cd92c162b0a

        SHA512

        8fed273a8dc13f2e2eab1e90c099b769350e5a6226e307f1042923e78360687a4256a35128826d36c147cf7f5f7c2e5ef750109baf768c96a9ebfea01efb0e56

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe
        Filesize

        4KB

        MD5

        f3263d29b9c10c4e323227bd098740e8

        SHA1

        7ad4193558a06fa0d44315d6db40e620c440f1d3

        SHA256

        629efdf63bd862d249b94fb80c1d5b4ceb43ee0f2be59ed0310c3cd92c162b0a

        SHA512

        8fed273a8dc13f2e2eab1e90c099b769350e5a6226e307f1042923e78360687a4256a35128826d36c147cf7f5f7c2e5ef750109baf768c96a9ebfea01efb0e56

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe
        Filesize

        4KB

        MD5

        f3263d29b9c10c4e323227bd098740e8

        SHA1

        7ad4193558a06fa0d44315d6db40e620c440f1d3

        SHA256

        629efdf63bd862d249b94fb80c1d5b4ceb43ee0f2be59ed0310c3cd92c162b0a

        SHA512

        8fed273a8dc13f2e2eab1e90c099b769350e5a6226e307f1042923e78360687a4256a35128826d36c147cf7f5f7c2e5ef750109baf768c96a9ebfea01efb0e56

        Download Submit
      • C:\Users\Public\vbc.exe
        Filesize

        214KB

        MD5

        3f54e149af6d9802c9a03de4157c7621

        SHA1

        8ba2e29b8ef74315f335d7ca666ec56accd80d8d

        SHA256

        cfa42383596eaed1eff9a35af295930c2e26615a12249041b5d291416d89c8a6

        SHA512

        4f1401b2cac5d3dbda82ffc7c96151401578b3bb592b7b48caee5e362cb458a77b4e701816a3f88dc6db76c731dff53305d1430c6ab594940ac5706c211c0713

        Download Submit
      • C:\Users\Public\vbc.exe
        Filesize

        214KB

        MD5

        3f54e149af6d9802c9a03de4157c7621

        SHA1

        8ba2e29b8ef74315f335d7ca666ec56accd80d8d

        SHA256

        cfa42383596eaed1eff9a35af295930c2e26615a12249041b5d291416d89c8a6

        SHA512

        4f1401b2cac5d3dbda82ffc7c96151401578b3bb592b7b48caee5e362cb458a77b4e701816a3f88dc6db76c731dff53305d1430c6ab594940ac5706c211c0713

        Download Submit
      • \Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe
        Filesize

        4KB

        MD5

        f3263d29b9c10c4e323227bd098740e8

        SHA1

        7ad4193558a06fa0d44315d6db40e620c440f1d3

        SHA256

        629efdf63bd862d249b94fb80c1d5b4ceb43ee0f2be59ed0310c3cd92c162b0a

        SHA512

        8fed273a8dc13f2e2eab1e90c099b769350e5a6226e307f1042923e78360687a4256a35128826d36c147cf7f5f7c2e5ef750109baf768c96a9ebfea01efb0e56

        Download Submit
      • \Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe
        Filesize

        4KB

        MD5

        f3263d29b9c10c4e323227bd098740e8

        SHA1

        7ad4193558a06fa0d44315d6db40e620c440f1d3

        SHA256

        629efdf63bd862d249b94fb80c1d5b4ceb43ee0f2be59ed0310c3cd92c162b0a

        SHA512

        8fed273a8dc13f2e2eab1e90c099b769350e5a6226e307f1042923e78360687a4256a35128826d36c147cf7f5f7c2e5ef750109baf768c96a9ebfea01efb0e56

        Download Submit
      • \Users\Public\vbc.exe
        Filesize

        214KB

        MD5

        3f54e149af6d9802c9a03de4157c7621

        SHA1

        8ba2e29b8ef74315f335d7ca666ec56accd80d8d

        SHA256

        cfa42383596eaed1eff9a35af295930c2e26615a12249041b5d291416d89c8a6

        SHA512

        4f1401b2cac5d3dbda82ffc7c96151401578b3bb592b7b48caee5e362cb458a77b4e701816a3f88dc6db76c731dff53305d1430c6ab594940ac5706c211c0713

        Download Submit
      • \Users\Public\vbc.exe
        Filesize

        214KB

        MD5

        3f54e149af6d9802c9a03de4157c7621

        SHA1

        8ba2e29b8ef74315f335d7ca666ec56accd80d8d

        SHA256

        cfa42383596eaed1eff9a35af295930c2e26615a12249041b5d291416d89c8a6

        SHA512

        4f1401b2cac5d3dbda82ffc7c96151401578b3bb592b7b48caee5e362cb458a77b4e701816a3f88dc6db76c731dff53305d1430c6ab594940ac5706c211c0713

        Download Submit
      • \Users\Public\vbc.exe
        Filesize

        214KB

        MD5

        3f54e149af6d9802c9a03de4157c7621

        SHA1

        8ba2e29b8ef74315f335d7ca666ec56accd80d8d

        SHA256

        cfa42383596eaed1eff9a35af295930c2e26615a12249041b5d291416d89c8a6

        SHA512

        4f1401b2cac5d3dbda82ffc7c96151401578b3bb592b7b48caee5e362cb458a77b4e701816a3f88dc6db76c731dff53305d1430c6ab594940ac5706c211c0713

        Download Submit
      • memory/1212-96-0x000007FF15D10000-0x000007FF15D1A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1212-95-0x000007FEF6CD0000-0x000007FEF6E13000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1212-82-0x00000000062B0000-0x00000000063F8000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1212-93-0x0000000006400000-0x00000000064F3000-memory.dmp
        Filesize

        972KB

        Download
      • memory/1212-85-0x0000000004E40000-0x0000000004F13000-memory.dmp
        Filesize

        844KB

        Download
      • memory/1672-58-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1672-57-0x0000000072BFD000-0x0000000072C08000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1672-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1672-55-0x0000000071C11000-0x0000000071C13000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1672-54-0x000000002F8D1000-0x000000002F8D4000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1672-94-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1700-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1880-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1884-90-0x0000000000090000-0x00000000000BF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1884-86-0x0000000000000000-mapping.dmp
        Download
      • memory/1884-89-0x0000000000C10000-0x0000000000C28000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1884-91-0x0000000002030000-0x0000000002333000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1884-92-0x0000000000840000-0x00000000008D3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1888-88-0x0000000000000000-mapping.dmp
        Download
      • memory/1960-81-0x00000000002C0000-0x00000000002D4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1960-80-0x00000000006E0000-0x00000000009E3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1960-79-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1960-75-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1960-76-0x000000000041F150-mapping.dmp
        Download
      • memory/1960-84-0x0000000000310000-0x0000000000324000-memory.dmp
        Filesize

        80KB

        Download