Overview

overview

10

Static

static

Oferty CZ1...6U.xls

windows7-x64

10

Oferty CZ1...6U.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    178s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2022 22:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Oferty CZ1083377236U.xls

  • Size

    848KB

  • MD5

    af617f50e862c8e33e60f89e0af666b2

  • SHA1

    50774a2bb661085ecd9df7e2c8fff87391998bc4

  • SHA256

    53f1625cb7085fb0659fbf76e8f60d3a9233d8c1bd074daf0a725c149d036f20

  • SHA512

    8e80a34f4bf6fe0d7dff3b7dc098f3aa64a290887eb50c909f7f92f40f957af234e4976010c49449f64b14d09dc0f4268fbd247bda9f3233d4fcb7bcaa7cbcb5

  • SSDEEP

    24576:Hr5XXXXXXXXXXXXUXXXXXXXrXXXXXXXXYzmDr5XXXXXXXXXXXXUXXXXXXXrXXXXL:fQBNe

Score
10/10
formbookf4caratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Oferty CZ1083377236U.xls"
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1728
    • C:\Windows\SysWOW64\wininit.exe
      "C:\Windows\SysWOW64\wininit.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1716
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
          "C:\Users\Admin\AppData\Local\Temp\ggcgid.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1628
          • C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
            "C:\Users\Admin\AppData\Local\Temp\ggcgid.exe"
            4⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:280

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
      Filesize

      350KB

      MD5

      ac700d916265036af0976854897e21b1

      SHA1

      1da70425178a920c28bf75a16a368b03ea15619e

      SHA256

      07e754d2e7e39469b43a56d29627cf1f227e30668e8f00b71cdf41cc8fd334e0

      SHA512

      fd8b132240c2d8cf19542846eb82812ef238ac5f2ff7f673babb91247cba1e22c1700e06324568493b121103b6284dcd50523172d595b475ee64b2fcfccaa51e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
      Filesize

      350KB

      MD5

      ac700d916265036af0976854897e21b1

      SHA1

      1da70425178a920c28bf75a16a368b03ea15619e

      SHA256

      07e754d2e7e39469b43a56d29627cf1f227e30668e8f00b71cdf41cc8fd334e0

      SHA512

      fd8b132240c2d8cf19542846eb82812ef238ac5f2ff7f673babb91247cba1e22c1700e06324568493b121103b6284dcd50523172d595b475ee64b2fcfccaa51e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
      Filesize

      350KB

      MD5

      ac700d916265036af0976854897e21b1

      SHA1

      1da70425178a920c28bf75a16a368b03ea15619e

      SHA256

      07e754d2e7e39469b43a56d29627cf1f227e30668e8f00b71cdf41cc8fd334e0

      SHA512

      fd8b132240c2d8cf19542846eb82812ef238ac5f2ff7f673babb91247cba1e22c1700e06324568493b121103b6284dcd50523172d595b475ee64b2fcfccaa51e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ncqoft.eol
      Filesize

      5KB

      MD5

      872dea5a3ca22c3d6fbc5eaa4e2558e0

      SHA1

      eb40667be3e42a9da334f20a4b72e6ba021e2445

      SHA256

      7f0349c9b3ad573965322a7e8102fb0682d33cd1f98d73f204fd547098c014d2

      SHA512

      847ecd49c1888a31953e98576d1b4c0d3bd2a44d35504310ed479c034205640022c869978e6be7ad8934720aa44100300d215cc0ed412fd385e7fc486ed1476b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qjvkrwgt.e
      Filesize

      185KB

      MD5

      5609a56cc339285224848fc96a673fdc

      SHA1

      9cc33599cca2093e330ab52ea2d4bae081682c55

      SHA256

      cedfd0094c9116d779e665c7292eb57abe50ac11a84be080578c40fa19ae0f60

      SHA512

      712f0837d24b01c74a5ef7a9c3fff227b5e3401575f0f0a3055465d3489fc57c109fc63555a73675f42a3e0b9debc4aac0518548931e2c10ab364882693d38ae

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      387KB

      MD5

      420f3718285fef98dcbb490383c40efd

      SHA1

      58b55c7c809e3e126c0985fd67fe1053f790924d

      SHA256

      89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6

      SHA512

      0fe09d790dfca15ca4e09b09499d7ccf5cba2bd552898df88e74700242f4d71c35306dfefc4896a1465df226a3e4909822d284e6da241405586e273a83221382

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      387KB

      MD5

      420f3718285fef98dcbb490383c40efd

      SHA1

      58b55c7c809e3e126c0985fd67fe1053f790924d

      SHA256

      89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6

      SHA512

      0fe09d790dfca15ca4e09b09499d7ccf5cba2bd552898df88e74700242f4d71c35306dfefc4896a1465df226a3e4909822d284e6da241405586e273a83221382

      Download Submit
    • \Users\Admin\AppData\Local\Temp\ggcgid.exe
      Filesize

      350KB

      MD5

      ac700d916265036af0976854897e21b1

      SHA1

      1da70425178a920c28bf75a16a368b03ea15619e

      SHA256

      07e754d2e7e39469b43a56d29627cf1f227e30668e8f00b71cdf41cc8fd334e0

      SHA512

      fd8b132240c2d8cf19542846eb82812ef238ac5f2ff7f673babb91247cba1e22c1700e06324568493b121103b6284dcd50523172d595b475ee64b2fcfccaa51e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\ggcgid.exe
      Filesize

      350KB

      MD5

      ac700d916265036af0976854897e21b1

      SHA1

      1da70425178a920c28bf75a16a368b03ea15619e

      SHA256

      07e754d2e7e39469b43a56d29627cf1f227e30668e8f00b71cdf41cc8fd334e0

      SHA512

      fd8b132240c2d8cf19542846eb82812ef238ac5f2ff7f673babb91247cba1e22c1700e06324568493b121103b6284dcd50523172d595b475ee64b2fcfccaa51e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      910KB

      MD5

      d79258c5189103d69502eac786addb04

      SHA1

      f34b33681cfe8ce649218173a7f58b237821c1ef

      SHA256

      57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

      SHA512

      da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

      Download Submit
    • \Users\Public\vbc.exe
      Filesize

      387KB

      MD5

      420f3718285fef98dcbb490383c40efd

      SHA1

      58b55c7c809e3e126c0985fd67fe1053f790924d

      SHA256

      89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6

      SHA512

      0fe09d790dfca15ca4e09b09499d7ccf5cba2bd552898df88e74700242f4d71c35306dfefc4896a1465df226a3e4909822d284e6da241405586e273a83221382

      Download Submit
    • memory/280-75-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/280-73-0x00000000004012B0-mapping.dmp
      Download
    • memory/280-82-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/280-76-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/280-77-0x0000000000770000-0x0000000000A73000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/280-79-0x00000000000F0000-0x0000000000100000-memory.dmp
      Filesize

      64KB

      Download
    • memory/280-83-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1104-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1312-80-0x0000000004F80000-0x0000000005041000-memory.dmp
      Filesize

      772KB

      Download
    • memory/1312-90-0x0000000006C30000-0x0000000006D18000-memory.dmp
      Filesize

      928KB

      Download
    • memory/1312-89-0x0000000006C30000-0x0000000006D18000-memory.dmp
      Filesize

      928KB

      Download
    • memory/1628-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1636-87-0x0000000000610000-0x000000000069F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/1636-86-0x0000000002120000-0x0000000002423000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1636-88-0x0000000000080000-0x00000000000AD000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1636-81-0x0000000000000000-mapping.dmp
      Download
    • memory/1636-84-0x0000000000210000-0x000000000022A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1636-85-0x0000000000080000-0x00000000000AD000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1728-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1728-54-0x000000002F071000-0x000000002F074000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1728-78-0x00000000722ED000-0x00000000722F8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1728-57-0x00000000722ED000-0x00000000722F8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1728-58-0x0000000075591000-0x0000000075593000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1728-55-0x0000000071301000-0x0000000071303000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1728-93-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1728-94-0x00000000722ED000-0x00000000722F8000-memory.dmp
      Filesize

      44KB

      Download