Overview

overview

10

Static

static

RFQ-SANOS-...01.rtf

windows7-x64

10

RFQ-SANOS-...01.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    09-12-2022 10:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ-SANOS-TENDER DOCUMENT_specifications001.rtf

  • Size

    9KB

  • MD5

    8f7574acf0737fc12d5019b19df45ff5

  • SHA1

    12be20df9be6591cd53003cc4c9e7388a672e41c

  • SHA256

    d8a5da9f780854652a37a5a4fdd812a99af1b26236adf4deac2ca38415224a8d

  • SHA512

    fe935974b8de54c093a7c355db5558f10ce3d7b156bd8b835ded53dee1afe650566ac88be6ea0c9d933f1d8db287787f08e71db93b3ee56d7afb24ea38511859

  • SSDEEP

    192:Xnu6W2UOd8LhywLTPG6Pw24rCKdDrAKVw3AsQ6aR3ijPWFqMw5OCjMaM:3f/UOd8Fyw3+kwr+KdrAUwwsQRR3ijp8

Score
10/10
formbookwh23ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wh23

Decoy

ow9vyvfee.com

alvis.one

mutantgobz.claims

plynofon.com

southofkingst.store

nuvidamedspa.com

coffeeforyou56.com

opaletechevents.com

momobar.life

abcmousu.com

learnicd-11.com

tipokin.xyz

kahvezevki.com

suratdimond.com

oldartists.best

infoepic.info

mattresslabo.com

skarlmotors.com

cl9319x.xyz

med49app.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 3 IoCs
    installer
  • Office loads VBA resources, possible macro or embedded object present
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ-SANOS-TENDER DOCUMENT_specifications001.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:788
      • C:\Windows\SysWOW64\NETSTAT.EXE
        "C:\Windows\SysWOW64\NETSTAT.EXE"
        2⤵
        • Suspicious use of SetThreadContext
        • Gathers network information
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\myxwn.exe"
          3⤵
            PID:1536
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Users\Admin\AppData\Roaming\wget.exe
          "C:\Users\Admin\AppData\Roaming\wget.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:776
          • C:\Users\Admin\AppData\Local\Temp\myxwn.exe
            "C:\Users\Admin\AppData\Local\Temp\myxwn.exe" C:\Users\Admin\AppData\Local\Temp\getlceffch.gqb
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:752
            • C:\Users\Admin\AppData\Local\Temp\myxwn.exe
              "C:\Users\Admin\AppData\Local\Temp\myxwn.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:464

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\eilfol.tsc
        Filesize

        185KB

        MD5

        663d2953e8beddc4a08aca27a1145112

        SHA1

        3293e912d9661b2736ca8d403250590eb2d5164d

        SHA256

        2aa0a26b9a38b19c34c10e53834ec199fc87cbfea15e8babee582a3df331b9cb

        SHA512

        30581e1321f0165abcfcc908e15877f080dad2bf7bbedb24fa8e8baee3176097d7f43c5e59076f095c3929438b4e5740e1871ab3716c338e765c4d3d011a630a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\getlceffch.gqb
        Filesize

        6KB

        MD5

        e6d82eb1bea9bca087062e488dfd575e

        SHA1

        5ec22cec8805d965d6dac1719976bef32867b595

        SHA256

        ad495d0d0e35a6ab15c042e900e0dfc20197ef36153e15559e0fdaef4c541230

        SHA512

        6ef986b00509140137d51f114ecdf7b92c1008c3fae513579634ed202f1fc4e34ba904db48cbf092cf8d12c0a5e84cc5b2a0d61e95c03f4006eca3f190f80fd2

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\myxwn.exe
        Filesize

        276KB

        MD5

        2afdd35f6df6b6cbf8f3500822625d70

        SHA1

        2efd81cdd798b38908b63a7a8ae88806e5234a1d

        SHA256

        393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

        SHA512

        b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\myxwn.exe
        Filesize

        276KB

        MD5

        2afdd35f6df6b6cbf8f3500822625d70

        SHA1

        2efd81cdd798b38908b63a7a8ae88806e5234a1d

        SHA256

        393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

        SHA512

        b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\myxwn.exe
        Filesize

        276KB

        MD5

        2afdd35f6df6b6cbf8f3500822625d70

        SHA1

        2efd81cdd798b38908b63a7a8ae88806e5234a1d

        SHA256

        393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

        SHA512

        b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

        Download Submit
      • C:\Users\Admin\AppData\Roaming\wget.exe
        Filesize

        530KB

        MD5

        e17b0be6e0c42a0c39c5da63523af8d8

        SHA1

        c374934cf78e71069fc628de57b3ea15fff4c36c

        SHA256

        7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293

        SHA512

        1ba4983c40c19726d49b8dc73bbf9da2de7f3c53733f4264c4d731d75ae1f3e08718ecd9cba3a99d24295af5115a9449aed498259ac5c3fecf0a331c87cc4089

        Download Submit
      • C:\Users\Admin\AppData\Roaming\wget.exe
        Filesize

        530KB

        MD5

        e17b0be6e0c42a0c39c5da63523af8d8

        SHA1

        c374934cf78e71069fc628de57b3ea15fff4c36c

        SHA256

        7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293

        SHA512

        1ba4983c40c19726d49b8dc73bbf9da2de7f3c53733f4264c4d731d75ae1f3e08718ecd9cba3a99d24295af5115a9449aed498259ac5c3fecf0a331c87cc4089

        Download Submit
      • \Users\Admin\AppData\Local\Temp\myxwn.exe
        Filesize

        276KB

        MD5

        2afdd35f6df6b6cbf8f3500822625d70

        SHA1

        2efd81cdd798b38908b63a7a8ae88806e5234a1d

        SHA256

        393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

        SHA512

        b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

        Download Submit
      • \Users\Admin\AppData\Local\Temp\myxwn.exe
        Filesize

        276KB

        MD5

        2afdd35f6df6b6cbf8f3500822625d70

        SHA1

        2efd81cdd798b38908b63a7a8ae88806e5234a1d

        SHA256

        393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

        SHA512

        b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

        Download Submit
      • \Users\Admin\AppData\Local\Temp\myxwn.exe
        Filesize

        276KB

        MD5

        2afdd35f6df6b6cbf8f3500822625d70

        SHA1

        2efd81cdd798b38908b63a7a8ae88806e5234a1d

        SHA256

        393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

        SHA512

        b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

        Download Submit
      • \Users\Admin\AppData\Roaming\wget.exe
        Filesize

        530KB

        MD5

        e17b0be6e0c42a0c39c5da63523af8d8

        SHA1

        c374934cf78e71069fc628de57b3ea15fff4c36c

        SHA256

        7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293

        SHA512

        1ba4983c40c19726d49b8dc73bbf9da2de7f3c53733f4264c4d731d75ae1f3e08718ecd9cba3a99d24295af5115a9449aed498259ac5c3fecf0a331c87cc4089

        Download Submit
      • memory/464-77-0x0000000000360000-0x0000000000374000-memory.dmp
        Filesize

        80KB

        Download
      • memory/464-81-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/464-76-0x00000000008C0000-0x0000000000BC3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/464-75-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/464-73-0x000000000041F110-mapping.dmp
        Download
      • memory/752-67-0x0000000000000000-mapping.dmp
        Download
      • memory/776-61-0x0000000000000000-mapping.dmp
        Download
      • memory/788-86-0x0000000000000000-mapping.dmp
        Download
      • memory/788-87-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1224-89-0x00000000081F0000-0x000000000833C000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1224-90-0x00000000081F0000-0x000000000833C000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1224-78-0x0000000007550000-0x00000000076FE000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/1404-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1404-58-0x0000000070EAD000-0x0000000070EB8000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1404-79-0x0000000070EAD000-0x0000000070EB8000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1404-92-0x0000000070EAD000-0x0000000070EB8000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1404-91-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1404-54-0x0000000072441000-0x0000000072444000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1404-57-0x0000000074F01000-0x0000000074F03000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1404-55-0x000000006FEC1000-0x000000006FEC3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1440-88-0x0000000001ED0000-0x0000000001F63000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1440-80-0x0000000000000000-mapping.dmp
        Download
      • memory/1440-84-0x00000000020F0000-0x00000000023F3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1440-83-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1440-82-0x00000000007A0000-0x00000000007A9000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1536-85-0x0000000000000000-mapping.dmp
        Download