Overview

overview

10

Static

static

Order details.xlsx

windows7_x64

10

Order details.xlsx

windows10-2004_x64

1

Analysis

  • max time kernel
    148s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    06-07-2022 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order details.xlsx

  • Size

    176KB

  • MD5

    36e3875fa058105bc9eedb62543d3816

  • SHA1

    ee1efdb171829d12f3f2eb43a4e3321121b58397

  • SHA256

    54addec2aa97b3938c4ff81ee36cb37d4d3597b3c7b81f3e8106ba35e1bcbd0b

  • SHA512

    18678a33e3b3320f2e0b57484871a06cfc3a2ce2e6e4a9ab6c01c1c57664eb2e42c224cfc1f7ad78fde503699edf879156fecc1fdf63895e61e4387706ac0d53

Score
10/10
formbooks3s3ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s3s3

Decoy

tvielotus.com

teesta.xyz

talentrecruitor.com

pamaungipb.com

xn--90ahkh6a6b8b.site

910carolina.com

toyotaecoyouth-dev.com

invetnables.com

gdexc.com

ssw168.com

householdmould.com

mqttradar.xyz

t333c.com

thepausestudio.com

evershedsutherlands.com

asbdataplus.com

preddylilthingz.com

jepwu.com

tvlido.com

artovus.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Formbook Payload 6 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Order details.xlsx"
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1092
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
          PID:364
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Users\Public\vbc.exe
          C:\Users\Public\vbc.exe
          3⤵
          • Executes dropped EXE
          PID:1508
        • C:\Users\Public\vbc.exe
          C:\Users\Public\vbc.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1716

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\vbc.exe
      Filesize

      75KB

      MD5

      4504b6bca11f1bb8cd7ee7f9695ae149

      SHA1

      b4db331aff8b3f0af7bb85c62eee8cbf94a01242

      SHA256

      bf694c0a4856be7c6e88f8d018a2d3223b740f060e9c0f8da51df710c895860a

      SHA512

      f8edc6b9a704d7c2921c151e0057c0054cfdfbeee5f2a70553016dea89c2918825131d54d930d6594832484f7b8b5fc80416745de2a357b69f3abc2f4fcf5504

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      75KB

      MD5

      4504b6bca11f1bb8cd7ee7f9695ae149

      SHA1

      b4db331aff8b3f0af7bb85c62eee8cbf94a01242

      SHA256

      bf694c0a4856be7c6e88f8d018a2d3223b740f060e9c0f8da51df710c895860a

      SHA512

      f8edc6b9a704d7c2921c151e0057c0054cfdfbeee5f2a70553016dea89c2918825131d54d930d6594832484f7b8b5fc80416745de2a357b69f3abc2f4fcf5504

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      75KB

      MD5

      4504b6bca11f1bb8cd7ee7f9695ae149

      SHA1

      b4db331aff8b3f0af7bb85c62eee8cbf94a01242

      SHA256

      bf694c0a4856be7c6e88f8d018a2d3223b740f060e9c0f8da51df710c895860a

      SHA512

      f8edc6b9a704d7c2921c151e0057c0054cfdfbeee5f2a70553016dea89c2918825131d54d930d6594832484f7b8b5fc80416745de2a357b69f3abc2f4fcf5504

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      75KB

      MD5

      4504b6bca11f1bb8cd7ee7f9695ae149

      SHA1

      b4db331aff8b3f0af7bb85c62eee8cbf94a01242

      SHA256

      bf694c0a4856be7c6e88f8d018a2d3223b740f060e9c0f8da51df710c895860a

      SHA512

      f8edc6b9a704d7c2921c151e0057c0054cfdfbeee5f2a70553016dea89c2918825131d54d930d6594832484f7b8b5fc80416745de2a357b69f3abc2f4fcf5504

      Download Submit
    • \Users\Public\vbc.exe
      Filesize

      75KB

      MD5

      4504b6bca11f1bb8cd7ee7f9695ae149

      SHA1

      b4db331aff8b3f0af7bb85c62eee8cbf94a01242

      SHA256

      bf694c0a4856be7c6e88f8d018a2d3223b740f060e9c0f8da51df710c895860a

      SHA512

      f8edc6b9a704d7c2921c151e0057c0054cfdfbeee5f2a70553016dea89c2918825131d54d930d6594832484f7b8b5fc80416745de2a357b69f3abc2f4fcf5504

      Download Submit
    • \Users\Public\vbc.exe
      Filesize

      75KB

      MD5

      4504b6bca11f1bb8cd7ee7f9695ae149

      SHA1

      b4db331aff8b3f0af7bb85c62eee8cbf94a01242

      SHA256

      bf694c0a4856be7c6e88f8d018a2d3223b740f060e9c0f8da51df710c895860a

      SHA512

      f8edc6b9a704d7c2921c151e0057c0054cfdfbeee5f2a70553016dea89c2918825131d54d930d6594832484f7b8b5fc80416745de2a357b69f3abc2f4fcf5504

      Download Submit
    • \Users\Public\vbc.exe
      Filesize

      75KB

      MD5

      4504b6bca11f1bb8cd7ee7f9695ae149

      SHA1

      b4db331aff8b3f0af7bb85c62eee8cbf94a01242

      SHA256

      bf694c0a4856be7c6e88f8d018a2d3223b740f060e9c0f8da51df710c895860a

      SHA512

      f8edc6b9a704d7c2921c151e0057c0054cfdfbeee5f2a70553016dea89c2918825131d54d930d6594832484f7b8b5fc80416745de2a357b69f3abc2f4fcf5504

      Download Submit
    • \Users\Public\vbc.exe
      Filesize

      75KB

      MD5

      4504b6bca11f1bb8cd7ee7f9695ae149

      SHA1

      b4db331aff8b3f0af7bb85c62eee8cbf94a01242

      SHA256

      bf694c0a4856be7c6e88f8d018a2d3223b740f060e9c0f8da51df710c895860a

      SHA512

      f8edc6b9a704d7c2921c151e0057c0054cfdfbeee5f2a70553016dea89c2918825131d54d930d6594832484f7b8b5fc80416745de2a357b69f3abc2f4fcf5504

      Download Submit
    • memory/364-91-0x0000000000000000-mapping.dmp
      Download
    • memory/1092-97-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1092-54-0x000000002FD51000-0x000000002FD54000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1092-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1092-83-0x000000007272D000-0x0000000072738000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1092-58-0x0000000075F61000-0x0000000075F63000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1092-98-0x000000007272D000-0x0000000072738000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1092-55-0x0000000071741000-0x0000000071743000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1092-57-0x000000007272D000-0x0000000072738000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1276-94-0x0000000006CF0000-0x0000000006E4E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1276-86-0x0000000006610000-0x00000000066E5000-memory.dmp
      Filesize

      852KB

      Download
    • memory/1276-82-0x00000000049A0000-0x0000000004A74000-memory.dmp
      Filesize

      848KB

      Download
    • memory/1276-96-0x0000000006CF0000-0x0000000006E4E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1716-72-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1716-73-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1716-76-0x000000000041F110-mapping.dmp
      Download
    • memory/1716-81-0x0000000000110000-0x0000000000124000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1716-80-0x0000000000770000-0x0000000000A73000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1716-85-0x0000000000580000-0x0000000000594000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1716-75-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1716-88-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1716-79-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1756-90-0x0000000000120000-0x000000000014F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1756-89-0x0000000000270000-0x0000000000278000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1756-87-0x0000000000000000-mapping.dmp
      Download
    • memory/1756-92-0x0000000000880000-0x0000000000B83000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1756-93-0x00000000004E0000-0x0000000000573000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1756-95-0x0000000000120000-0x000000000014F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2032-70-0x0000000000B40000-0x0000000000B8C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2032-69-0x0000000004E70000-0x0000000004F16000-memory.dmp
      Filesize

      664KB

      Download
    • memory/2032-67-0x0000000001150000-0x0000000001168000-memory.dmp
      Filesize

      96KB

      Download
    • memory/2032-64-0x0000000000000000-mapping.dmp
      Download