Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-06-2022 18:28

General

  • Target

    LTL20I_order.xlsx

  • Size

    255KB

  • MD5

    bc64945d52b06b5a7f2259652722b4e6

  • SHA1

    3e67f1d30e44c5f4b916165fb17944a168790b3b

  • SHA256

    37321110b446c4565664a30d4729dfb08d8ee9a1d3b3c03a5203a851b831e0b2

  • SHA512

    bb3685e9dedff8bbf4d1ad8c5fdeacef1efd538045da508f3232b418848d4052eb233020301b633b6328ac6cf011cc3c93234af28a81eb069c99a81aaa6b8fa2

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s3s3

Decoy

tvielotus.com

teesta.xyz

talentrecruitor.com

pamaungipb.com

xn--90ahkh6a6b8b.site

910carolina.com

toyotaecoyouth-dev.com

invetnables.com

gdexc.com

ssw168.com

householdmould.com

mqttradar.xyz

t333c.com

thepausestudio.com

evershedsutherlands.com

asbdataplus.com

preddylilthingz.com

jepwu.com

tvlido.com

artovus.com

Signatures

  • Detect Neshta Payload 7 IoCs
  • Formbook

    Formbook is a commodity information stealer: it hooks browser and application functions to grab form submissions and stored credentials, logs keystrokes, watches the clipboard, takes screenshots, and can fetch and run additional payloads from its C2. The Decoy list above is the set of legitimate-looking domains embedded in its configuration to hide the real C2 host among them.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Neshta is a file infector: it prepends its body to .exe files it finds on local drives and under Program Files, and rewrites the exefile shell association so infected hosts run through it. When an infected file is launched, Neshta writes the original host to %TEMP%\3582-490\ and executes it from there. That is the pattern in this run: the 298KB C:\Users\Public\vbc.exe drops a 257KB copy under \3582-490\ and runs it, so the Formbook loader is the host file and Neshta rides along with it.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Formbook Payload 5 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note reads this as likely ransomware behaviour; in this run the drive enumeration is consistent with the Neshta file infector looking for executables to infect (note the 64 drops in Program Files), not with encryption.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. In this run EQNEDT32.EXE (PID 2016) started with -Embedding, made a blocklisted network request, and launched C:\Users\Public\vbc.exe; the Downloads section shows the same hash for NEW_1_~1.EXE in the IE cache, i.e. the executable it fetched.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
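Added example, not from the report or the sandbox: a small Python carver for the Neshta layout described above. It scans a PE file for a second MZ/PE header, returns the embedded host, and says whether the prepended stub has the size commonly reported for Neshta's body, which this code assumes to be 41472 bytes (the 298KB to 257KB drop between C:\Users\Public\vbc.exe and ...\3582-490\vbc.exe above is consistent with that). The `make_min_pe` helper builds constructed PE-shaped blobs so the script runs without the real sample.

```python
"""Carve the original host out of a Neshta-infected executable.

Added example, not from the report. Neshta prepends its body to the host
executable and, on launch, writes the original host to %TEMP%\\3582-490\\ and
runs it. NESHTA_STUB_SIZE is an assumption (commonly reported body size).
"""
import struct
from typing import Optional, Tuple

NESHTA_STUB_SIZE = 41472  # assumed size of the prepended Neshta body (~41KB)


def _pe_header_at(data: bytes, off: int) -> bool:
    """True if an MZ header at `off` points at a 'PE\\0\\0' signature."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    if not 0x40 <= e_lfanew < 0x1000:          # sane DOS-stub lengths only
        return False
    return data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0"


def find_embedded_pe(data: bytes, start: int = 1) -> Optional[int]:
    """Offset of the first PE header at or after `start` (skips the outer one)."""
    off = data.find(b"MZ", start)
    while off != -1:
        if _pe_header_at(data, off):
            return off
        off = data.find(b"MZ", off + 1)
    return None


def carve_host(data: bytes) -> Optional[Tuple[int, bytes, bool]]:
    """(offset, host_bytes, stub_matches_neshta) or None if nothing is embedded."""
    if not _pe_header_at(data, 0):
        raise ValueError("outer file is not a PE image")
    off = find_embedded_pe(data)
    if off is None:
        return None
    return off, data[off:], off == NESHTA_STUB_SIZE


def make_min_pe(body: bytes = b"") -> bytes:
    """CONSTRUCTED PE-shaped blob for tests: MZ, e_lfanew=0x40, 'PE\\0\\0', body."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + body


if __name__ == "__main__":
    stub = make_min_pe(b"\x90" * (NESHTA_STUB_SIZE - 0x44))   # fake infector body
    host = make_min_pe(b"original host program")              # fake original host
    off, carved, neshta_like = carve_host(stub + host)
    print(off, neshta_like)   # 41472 True
```

Run it against a real suspect file by replacing the constructed blobs with `open(path, "rb").read()`; a hit at exactly 41472 with a valid PE behind it is the Neshta signature, while a hit elsewhere still tells you there is an embedded executable worth pulling out and hashing against the Downloads list.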

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\LTL20I_order.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1320
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1012
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1832
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1432
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:836
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
        PID:1444
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:572
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1920
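Added example, not part of the report: the process tree above turned into constructed process-creation events and run through four triage rules that this chain trips (Equation Editor spawning a child, execution from C:\Users\Public, the Neshta \3582-490\ relaunch, and a cmd /c del aimed at a path that is another process's image). PIDs, image paths and command lines are copied from the tree; the page shows no parent for EQNEDT32.EXE, so its ppid is left as None.

```python
"""Triage rules over the process tree in this report.

Added example. EVENTS is CONSTRUCTED from the PIDs, image paths and command
lines in the Processes section; it is not sandbox output.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]      # None where the page shows no parent
    image: str
    cmdline: str = ""


OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

EVENTS = [
    Proc(1280, None, r"C:\Windows\Explorer.EXE"),
    Proc(1320, 1280, OFFICE, f'"{OFFICE}" /dde C:\\Users\\Admin\\AppData\\Local\\Temp\\LTL20I_order.xlsx'),
    Proc(2016, None, EQNEDT, f'"{EQNEDT}" -Embedding'),
    Proc(1064, 2016, r"C:\Users\Public\vbc.exe"),
    Proc(572, 1064, r"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"),
    Proc(1920, 572, CVTRES),
    Proc(560, 1280, r"C:\Windows\SysWOW64\cmstp.exe"),
    Proc(1444, 560, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{CVTRES}"'),
]

# Matches `/c del "quoted path"` or `/c del bare_path`.
DEL_RE = re.compile(r'/c\s+del\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(events: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) pairs for every rule each process trips."""
    by_pid = {p.pid: p for p in events}
    images = {p.image.lower() for p in events}
    hits: List[Tuple[str, int]] = []
    for p in events:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        # Equation Editor has no business spawning anything (CVE-2017-11882 pattern).
        if parent is not None and _base(parent.image) == "eqnedt32.exe":
            hits.append(("equation_editor_child", p.pid))
        # C:\Users\Public is world-writable and a common drop location.
        if p.image.lower().startswith("c:\\users\\public\\"):
            hits.append(("exec_from_users_public", p.pid))
        # Neshta writes the carved host to %TEMP%\3582-490\ and runs it from there.
        if "\\3582-490\\" in p.image.lower():
            hits.append(("neshta_host_relaunch", p.pid))
        # cmd /c del aimed at the image path of another process in the same tree.
        if _base(p.image) == "cmd.exe":
            m = DEL_RE.search(p.cmdline)
            if m and (m.group(1) or m.group(2)).lower() in images:
                hits.append(("self_delete_of_running_image", p.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:30} PID {pid}")
```

The last rule keys on the deletion target rather than on the deleting process for a reason the tree makes visible: the cmd.exe is a grandchild of Explorer via cmstp.exe, a legitimate Windows binary that the injected payload picked to continue in, so a rule written around the Formbook loader's own process names would miss it. Feed `triage` real Sysmon or EDR process-creation records mapped onto `Proc` to use it outside this example.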

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    T1064 Scripting (1)
    T1203 Exploitation for Client Execution (1)
  • Persistence
    T1042 Change Default File Association (1)
  • Defense Evasion
    T1112 Modify Registry (2)
    T1064 Scripting (1)
  • Credential Access
    T1081 Credentials in Files (1)
  • Discovery
    T1082 System Information Discovery (2)
    T1012 Query Registry (1)
  • Collection
    T1005 Data from Local System (1)

            Downloads

            • C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\0O8D7KIM\NEW_1_~1.EXE
              Filesize

              298KB

              MD5

              e29af60c4ef79bee0553d2fb6e5e45bf

              SHA1

              621afdcdfdba54a39c17ff294879dcfdb944593e

              SHA256

              7afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6

              SHA512

              6b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611

            • C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
              Filesize

              257KB

              MD5

              c26f62be6304e0e2c12dba146a372c21

              SHA1

              2497d5377572816d9490f074949efde8e65f49f4

              SHA256

              45b1927934099ea95d315972f7f128ba3af4a64aa483d964f94c599e8e16f094

              SHA512

              365c33622bb675109dbf9093b0d2a5d3635c8cf9591ff3af6d4be3690499e40252b1ec3712d4031424cf2df8958b197566e995f58d511b16a301b28bdf9c5718

            • C:\Users\Public\vbc.exe
              Filesize

              298KB

              MD5

              e29af60c4ef79bee0553d2fb6e5e45bf

              SHA1

              621afdcdfdba54a39c17ff294879dcfdb944593e

              SHA256

              7afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6

              SHA512

              6b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611

            • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
              Filesize

              252KB

              MD5

              9e2b9928c89a9d0da1d3e8f4bd96afa7

              SHA1

              ec66cda99f44b62470c6930e5afda061579cde35

              SHA256

              8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

              SHA512

              2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

            • \Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
              Filesize

              257KB

              MD5

              c26f62be6304e0e2c12dba146a372c21

              SHA1

              2497d5377572816d9490f074949efde8e65f49f4

              SHA256

              45b1927934099ea95d315972f7f128ba3af4a64aa483d964f94c599e8e16f094

              SHA512

              365c33622bb675109dbf9093b0d2a5d3635c8cf9591ff3af6d4be3690499e40252b1ec3712d4031424cf2df8958b197566e995f58d511b16a301b28bdf9c5718

            • \Users\Public\vbc.exe
              Filesize

              298KB

              MD5

              e29af60c4ef79bee0553d2fb6e5e45bf

              SHA1

              621afdcdfdba54a39c17ff294879dcfdb944593e

              SHA256

              7afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6

              SHA512

              6b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611

            • memory/560-90-0x0000000000830000-0x0000000000848000-memory.dmp
              Filesize

              96KB

            • memory/560-94-0x00000000000F0000-0x000000000011F000-memory.dmp
              Filesize

              188KB

            • memory/560-93-0x0000000001D50000-0x0000000001DE3000-memory.dmp
              Filesize

              588KB

            • memory/560-92-0x0000000001F20000-0x0000000002223000-memory.dmp
              Filesize

              3.0MB

            • memory/560-91-0x00000000000F0000-0x000000000011F000-memory.dmp
              Filesize

              188KB

            • memory/560-86-0x0000000000000000-mapping.dmp
            • memory/572-72-0x0000000000230000-0x0000000000270000-memory.dmp
              Filesize

              256KB

            • memory/572-73-0x0000000000330000-0x000000000036A000-memory.dmp
              Filesize

              232KB

            • memory/572-69-0x0000000000000000-mapping.dmp
            • memory/1064-64-0x0000000000000000-mapping.dmp
            • memory/1280-85-0x0000000007300000-0x000000000749E000-memory.dmp
              Filesize

              1.6MB

            • memory/1280-96-0x0000000006D70000-0x0000000006E85000-memory.dmp
              Filesize

              1.1MB

            • memory/1280-95-0x0000000006D70000-0x0000000006E85000-memory.dmp
              Filesize

              1.1MB

            • memory/1320-75-0x000000007263D000-0x0000000072648000-memory.dmp
              Filesize

              44KB

            • memory/1320-55-0x0000000071651000-0x0000000071653000-memory.dmp
              Filesize

              8KB

            • memory/1320-98-0x000000007263D000-0x0000000072648000-memory.dmp
              Filesize

              44KB

            • memory/1320-54-0x000000002FAC1000-0x000000002FAC4000-memory.dmp
              Filesize

              12KB

            • memory/1320-57-0x000000007263D000-0x0000000072648000-memory.dmp
              Filesize

              44KB

            • memory/1320-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
              Filesize

              64KB

            • memory/1320-97-0x000000005FFF0000-0x0000000060000000-memory.dmp
              Filesize

              64KB

            • memory/1320-58-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
              Filesize

              8KB

            • memory/1444-89-0x0000000000000000-mapping.dmp
            • memory/1920-77-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

            • memory/1920-83-0x00000000008F0000-0x0000000000BF3000-memory.dmp
              Filesize

              3.0MB

            • memory/1920-81-0x000000000041F110-mapping.dmp
            • memory/1920-87-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

            • memory/1920-80-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

            • memory/1920-78-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

            • memory/1920-84-0x0000000000280000-0x0000000000294000-memory.dmp
              Filesize

              80KB