Overview

overview

10

Static

static

1

Items Required.pdf

windows7-x64

10

Items Required.pdf

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-03-2023 10:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Items Required.pdf

  • Size

    3.1MB

  • MD5

    7bce6abaafcc35245df3d74e76855558

  • SHA1

    678f93c6d46c3194a4440e9e7856e21efd84c198

  • SHA256

    752d06bd8ff5e075fb69e52626f9983bcfeb51e5eed191ebbf7ca453bc524d1d

  • SHA512

    c6ebfa6f8a4e7aee8e74127bf714e7a6918d03daa52ea1abaa3e653baf91e6bf3ce42a7130460b98b0034c694e42705a6d4ccd3a269845640b7b5ccdfc513358

  • SSDEEP

    98304:T4R97CScENc/i//clqkMRScE1416sXHWiLLVKG:/ScENc/i//clqkMRScE1413nnkG

Score
10/10
formbookbk08ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bk08

Decoy

chloie.net

fastingersecure.monster

foundersterrace.online

ytorly.xyz

kiralayolla.com

corporacionalpi.com

planfortheworld.com

disciplinecoaching.co.uk

rubi33.com

digitlabmedia.com

ky20033.com

h4q7.com

91ye260.xyz

coconceptevents.com

ukusizas.africa

utainnovative.africa

ted-clean.co.uk

haus-huelsche.com

ca-refund.website

football.salon

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Items Required.pdf"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        3⤵
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:748
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
          PID:784
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1344
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:912
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:296
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1840

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRO0000.doc
        Filesize

        64KB

        MD5

        b75d52e13a2f179e53e8395e88163408

        SHA1

        7d32e5b88cb6a4e784642943b135a481da67fc0c

        SHA256

        545c24055623e2e35f544fb5d861cacfb4c5ba5391165245fe671704d7597a97

        SHA512

        3f7cb56037665f7cdd466702b29eca7f3ce9738cd1a5eb8ec0478dc9a24b54684aa4477fdcc267838c1c5cab29e5491b493c667035c6bc566dfdd401f0786b00

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\A9RFCB.tmp\has been verified. However IMG, PDF, doc, .xls
        Filesize

        1.1MB

        MD5

        bccdc13184e15d08b6d4f53a25d639b7

        SHA1

        b58c790be201b8a19e541044805e543976630806

        SHA256

        eb0f19666baf7af710240250c811b225881e5afc78dbbf7967ed1079c92aff8a

        SHA512

        fd180b4367a3f10fe07b566fffa13168a11d65f38bb4b1f544c690fe7ddce043f0f57ebade64f80fc57d898e7e6af7b44ff5563cccaf4c3131096d09b4351360

        Download Submit
      • C:\Users\Public\vbc.exe
        Filesize

        929KB

        MD5

        a2b6815c9698017685973d659c6fa3ba

        SHA1

        711825fd9865c9b1ca177df8301058a96bf7968d

        SHA256

        bcb2ba08e3ef1e2650c2276989c6d12e2277015deee0e4731f7099be07e63788

        SHA512

        3f943ead12ce94547e336ae9ac16b74f37a2f37c1b44180a606c0155faae0b664ec8bfca1a622309ffa3bf202a7bfd81abfd3b06babc6d02efa10f449837d79c

        Download Submit
      • C:\Users\Public\vbc.exe
        Filesize

        929KB

        MD5

        a2b6815c9698017685973d659c6fa3ba

        SHA1

        711825fd9865c9b1ca177df8301058a96bf7968d

        SHA256

        bcb2ba08e3ef1e2650c2276989c6d12e2277015deee0e4731f7099be07e63788

        SHA512

        3f943ead12ce94547e336ae9ac16b74f37a2f37c1b44180a606c0155faae0b664ec8bfca1a622309ffa3bf202a7bfd81abfd3b06babc6d02efa10f449837d79c

        Download Submit
      • C:\Users\Public\vbc.exe
        Filesize

        929KB

        MD5

        a2b6815c9698017685973d659c6fa3ba

        SHA1

        711825fd9865c9b1ca177df8301058a96bf7968d

        SHA256

        bcb2ba08e3ef1e2650c2276989c6d12e2277015deee0e4731f7099be07e63788

        SHA512

        3f943ead12ce94547e336ae9ac16b74f37a2f37c1b44180a606c0155faae0b664ec8bfca1a622309ffa3bf202a7bfd81abfd3b06babc6d02efa10f449837d79c

        Download Submit
      • C:\Users\Public\vbc.exe
        Filesize

        929KB

        MD5

        a2b6815c9698017685973d659c6fa3ba

        SHA1

        711825fd9865c9b1ca177df8301058a96bf7968d

        SHA256

        bcb2ba08e3ef1e2650c2276989c6d12e2277015deee0e4731f7099be07e63788

        SHA512

        3f943ead12ce94547e336ae9ac16b74f37a2f37c1b44180a606c0155faae0b664ec8bfca1a622309ffa3bf202a7bfd81abfd3b06babc6d02efa10f449837d79c

        Download Submit
      • \Users\Public\vbc.exe
        Filesize

        929KB

        MD5

        a2b6815c9698017685973d659c6fa3ba

        SHA1

        711825fd9865c9b1ca177df8301058a96bf7968d

        SHA256

        bcb2ba08e3ef1e2650c2276989c6d12e2277015deee0e4731f7099be07e63788

        SHA512

        3f943ead12ce94547e336ae9ac16b74f37a2f37c1b44180a606c0155faae0b664ec8bfca1a622309ffa3bf202a7bfd81abfd3b06babc6d02efa10f449837d79c

        Download Submit
      • \Users\Public\vbc.exe
        Filesize

        929KB

        MD5

        a2b6815c9698017685973d659c6fa3ba

        SHA1

        711825fd9865c9b1ca177df8301058a96bf7968d

        SHA256

        bcb2ba08e3ef1e2650c2276989c6d12e2277015deee0e4731f7099be07e63788

        SHA512

        3f943ead12ce94547e336ae9ac16b74f37a2f37c1b44180a606c0155faae0b664ec8bfca1a622309ffa3bf202a7bfd81abfd3b06babc6d02efa10f449837d79c

        Download Submit
      • memory/296-121-0x0000000002E20000-0x0000000002E22000-memory.dmp
        Filesize

        8KB

        Download
      • memory/748-120-0x0000000004B20000-0x0000000004B22000-memory.dmp
        Filesize

        8KB

        Download
      • memory/748-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/912-139-0x0000000000820000-0x0000000000B23000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/912-141-0x0000000000310000-0x0000000000325000-memory.dmp
        Filesize

        84KB

        Download
      • memory/912-140-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/912-132-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/912-133-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/912-134-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/912-135-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1220-142-0x00000000061D0000-0x00000000062F9000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1220-151-0x0000000002DA0000-0x0000000002EA0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1220-138-0x00000000001D0000-0x00000000002D0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1344-82-0x0000000004910000-0x0000000004950000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1344-131-0x0000000000C40000-0x0000000000C78000-memory.dmp
        Filesize

        224KB

        Download
      • memory/1344-130-0x00000000060F0000-0x000000000619E000-memory.dmp
        Filesize

        696KB

        Download
      • memory/1344-129-0x0000000000360000-0x000000000036C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1344-128-0x0000000004910000-0x0000000004950000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1344-83-0x0000000000300000-0x0000000000312000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1344-81-0x0000000001080000-0x000000000116E000-memory.dmp
        Filesize

        952KB

        Download
      • memory/1740-144-0x00000000005D0000-0x00000000005E4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1740-146-0x00000000005D0000-0x00000000005E4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1740-147-0x0000000000090000-0x00000000000BF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1740-148-0x0000000002170000-0x0000000002473000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1740-149-0x0000000000090000-0x00000000000BF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1740-143-0x00000000005D0000-0x00000000005E4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1740-152-0x0000000002030000-0x00000000020C4000-memory.dmp
        Filesize

        592KB

        Download