Overview

overview

10

Static

static

purchaseOr...4).xls

windows7-x64

10

purchaseOr...4).xls

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    186s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    purchaseOrder_list_(P.O_R477304).xls

  • Size

    1.0MB

  • MD5

    1c741a897b190b202783b317d1bb61d2

  • SHA1

    a64f0312d4cd51cf061170384d2e54aa4f70e6c3

  • SHA256

    faa9c6e03a97635e6636c22e85ed3fbc128c047d25fbb6d1cd3eb599c286ad74

  • SHA512

    3c1726e895c5f0e772370403f0fcae53e500c6607d994a88335180aa4619538a07f31b24b2f9049423b3592b6761c83e7dfd56a5004c61d54fb1ad8b2f1bede0

  • SSDEEP

    24576:Jr5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXzmzr5XXXXXXXXXXXXUXXXXXXXSXXXXXl:Ueg9qu

Score
10/10
formbookpgntratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

pgnt

Decoy

0WG18LbM4lR9iqMRa4nlBzTb

jcfGYzPgZTqFZVO9FV2yIw==

laIfrdSC8/4CNg==

Q73ilev5GIWuOrAAFV2yIw==

Q2u/pMw7pv4sPA==

TbqvIUHwlQscPo0HFV2yIw==

8PNWfGPyE8n0IQ==

WtgROxXzvY2L

PryaRBNjm4eP

Y9Hdi06Cry1um9Sj68YAu1o=

3Gulyp7CMQtR78jvLkk=

JJ3GasTVTCRQT6Tfz6S6GlI=

RnS42bhb9tI0R6UpD6wOxriNxw==

he1mi2sOGfzTRGHnuA==

eaYjCtjxVjdU5XLRtBMBLKk9quA=

k9rTeEqYzzw8WaTfz6S6GlI=

5luVQwe2vJWKEAiMdF4=

MGW14L9OVk5Y5TaR6w/DqdhYxXVY

mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==

y5klhuMbE8n0IQ==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\purchaseOrder_list_(P.O_R477304).xls
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1636
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1284
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:268

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\vbc.exe
      Filesize

      260KB

      MD5

      a77431e2d2b1d029280cf0a47b113105

      SHA1

      f87716cb580a6b5a48a8c3a9112abf070353eaf4

      SHA256

      1e76071fd87642e4070b75b2f542d65d304dcbb8482e795610bd53b34c54bcb8

      SHA512

      7c3bb123b65744851b37ec612f9c2541e1e4ee092069b1d9acd14e462251cfe35b471abb3da1c6669c1cfeb3ea677da9e708f1b37728b77e34e8a49b1f2793f8

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      260KB

      MD5

      a77431e2d2b1d029280cf0a47b113105

      SHA1

      f87716cb580a6b5a48a8c3a9112abf070353eaf4

      SHA256

      1e76071fd87642e4070b75b2f542d65d304dcbb8482e795610bd53b34c54bcb8

      SHA512

      7c3bb123b65744851b37ec612f9c2541e1e4ee092069b1d9acd14e462251cfe35b471abb3da1c6669c1cfeb3ea677da9e708f1b37728b77e34e8a49b1f2793f8

      Download Submit
    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      932KB

      MD5

      661fd92d4eaeea3740649af5a484d7c8

      SHA1

      c93f868890fee1475f8ec9e7607e26f5dce67d54

      SHA256

      58a478f0560ea22c1bc194263f07cf6f3ecfe47d0c8b534a7bba185f28a1141f

      SHA512

      1fac03c20139fde41d121e0adbd02d127261ce061509996087fc1c80baf2fe0d0f70fed6b83d38a85cfa2e07d038ff809161c7ecce31ec44ac8b89740d3db15d

      Download Submit
    • \Users\Public\vbc.exe
      Filesize

      260KB

      MD5

      a77431e2d2b1d029280cf0a47b113105

      SHA1

      f87716cb580a6b5a48a8c3a9112abf070353eaf4

      SHA256

      1e76071fd87642e4070b75b2f542d65d304dcbb8482e795610bd53b34c54bcb8

      SHA512

      7c3bb123b65744851b37ec612f9c2541e1e4ee092069b1d9acd14e462251cfe35b471abb3da1c6669c1cfeb3ea677da9e708f1b37728b77e34e8a49b1f2793f8

      Download Submit
    • memory/268-72-0x00000000004012B0-mapping.dmp
      Download
    • memory/268-71-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/268-82-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/268-83-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/268-79-0x0000000000100000-0x0000000000110000-memory.dmp
      Filesize

      64KB

      Download
    • memory/268-78-0x0000000000422000-0x0000000000424000-memory.dmp
      Filesize

      8KB

      Download
    • memory/268-77-0x00000000009E0000-0x0000000000CE3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/268-75-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/268-74-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/268-68-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/268-69-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/276-84-0x0000000000960000-0x000000000096D000-memory.dmp
      Filesize

      52KB

      Download
    • memory/276-85-0x00000000000D0000-0x00000000000FD000-memory.dmp
      Filesize

      180KB

      Download
    • memory/276-81-0x0000000000000000-mapping.dmp
      Download
    • memory/276-87-0x00000000004C0000-0x000000000054F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/276-86-0x0000000002040000-0x0000000002343000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1156-67-0x0000000000550000-0x000000000055A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1156-66-0x0000000000540000-0x0000000000546000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1156-65-0x000000013F5F0000-0x000000013F634000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1156-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1380-90-0x0000000006A50000-0x0000000006AE3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1380-88-0x0000000006A50000-0x0000000006AE3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1380-80-0x0000000007150000-0x00000000072DD000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1636-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1636-60-0x000000007271D000-0x0000000072728000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1636-58-0x00000000761F1000-0x00000000761F3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1636-57-0x000000007271D000-0x0000000072728000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1636-54-0x000000002F381000-0x000000002F384000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1636-91-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1636-92-0x000000007271D000-0x0000000072728000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1636-55-0x0000000071731000-0x0000000071733000-memory.dmp
      Filesize

      8KB

      Download