Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-03-2023 18:59

General

  • Target

    1 payment cash Deposit.rtf

  • Size

    1.8MB

  • MD5

    eda174e3f27c80dcd19abfb5400c50d9

  • SHA1

    14002d710bb0fc29a8103d3909c542e680020f63

  • SHA256

    d6f3694d7c009f73f53fa28d77a65eafd3ae19c9d219982a71f150c514a86584

  • SHA512

    9f6f9d61bc3de47b155d3d3aeed8044fe1b2951ea4ac89402e2dcf3decf991888ed28afb72e79c41abbc584ea51be98c08bc520aadb6531bb63ed77283e058e4

  • SSDEEP

    24576:oyNh+vkSpIGa2e761oZziemHIYQGohgxg3je6H3qPwHDaw/oKmDJ9QZEpJqiLq38:y

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bn26

Decoy

juweipai.com

assurance-mon-espace-sante.com

robqq.com

ablindear.com

socialmonkeys.co.uk

learningworldtech.com

imprese-it.com

themoodcollectives.africa

lutonmethodists.org.uk

castawaycovebnb.com

caronthemove.com

carolinacastro.uk

dcfashionweekintl.com

branchbasicsa.com

drpatrickakinsanya.africa

inventourownfuture.com

applege.top

whatamitiredof.com

daphan.pics

gardenstatevinyl.net

Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials and other data from the infected host.

  • Formbook payload 5 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1184
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1 payment cash Deposit.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1660
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Users\Admin\AppData\Roaming\word.exe
        C:\Users\Admin\AppData\Roaming\word.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe
          "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe" C:\Users\Admin\AppData\Local\Temp\puvmbvd.ivv
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:880
          • C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe
            "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:888
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\SysWOW64\rundll32.exe"
              5⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1576
              • C:\Windows\SysWOW64\cmd.exe
                /c del "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe"
                6⤵
                  PID:1976

      Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Exploitation for Client Execution (T1203), 1 technique observed
  • Defense Evasion: Modify Registry (T1112), 1 technique observed
  • Discovery: System Information Discovery (T1082), 1 technique observed

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe
        Filesize

        54KB

        MD5

        7b3f0fa0f8b825f576c98b25aab2507e

        SHA1

        2b206f89862e0dbecf2bb7c6f4be20b57fd6c26d

        SHA256

        d7f5cdc9f9b70f73dc8fb1c07e0203d69a4c4b987dc909c926060bbeaaade646

        SHA512

        06692a89c230ed6c614a037410fe99de381354f302501c9cefa486c31fc9e2f35beb94d56622874ec7de41a36e7c1c4ee5fae097b26bb453254d075bde786cd0

      • C:\Users\Admin\AppData\Local\Temp\potdzpp.y
        Filesize

        205KB

        MD5

        57e7a6532f1ee86992e7b4fa6580cb19

        SHA1

        3d8ea00a0b9d9f167e0433afea928b68de50980f

        SHA256

        7b96a34af9cd31c98ddc997366b3576174a392071ab344ac8f6a072d53c42547

        SHA512

        e25a318bc187ff13f50a6bdafd7ced1a141297895600b750aaf52831c38aa229a9fc964fd5eaf8abee7fc803ac8d872d2a88883f07b7a4f4df8de7849c28aa25

      • C:\Users\Admin\AppData\Local\Temp\puvmbvd.ivv
        Filesize

        5KB

        MD5

        2756cf827356d936638f325fc53574a1

        SHA1

        1d05b474adb777cb85ecd0ad2f06ff9fca1ee2ab

        SHA256

        efae399d371cd9d2132b7c4143469da0c72f4aa559dadfcd03011e4f06cec9e7

        SHA512

        fb635c25243ea0bc0d74bce2e203ce7a12a7b5fad3e4603c1fde7dbe16415be12578d804f911d1d07cb80be6ee6230ee6848ab9130f9bfb8e784f05ec05a7ad6

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        dad11ce5502474b0c20f992f902eba04

        SHA1

        9e178e150d1d369f72ac0c62f91f4f68f4e43e71

        SHA256

        2738654bd848245dadbc2e83fe0801ed743e6f08c8706e5eb93ece37d1938a7c

        SHA512

        4ad5125026226c4f04cfd4879a31bb045eb98780a3aeda7109b9793551d76912264637b2de356c4632b71188dc05faac5bd80efac1a47471b96608fa508ca910

      • C:\Users\Admin\AppData\Roaming\word.exe
        Filesize

        286KB

        MD5

        78a95a8cb18e37d6565520be5e8013c4

        SHA1

        36557486465d9d133f2ea5aceaec9731f0663f91

        SHA256

        85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510

        SHA512

        7a811797afff6e82082296a10e5f3135340f126d1230bc15983737c0363c082b8bf7651d0732d85f89c5d08e13177fed789851c6402444c4dc794ee68d90be44

      • \Users\Admin\AppData\Local\Temp\jswyhdinmg.exe
        Filesize

        54KB

        MD5

        7b3f0fa0f8b825f576c98b25aab2507e

        SHA1

        2b206f89862e0dbecf2bb7c6f4be20b57fd6c26d

        SHA256

        d7f5cdc9f9b70f73dc8fb1c07e0203d69a4c4b987dc909c926060bbeaaade646

        SHA512

        06692a89c230ed6c614a037410fe99de381354f302501c9cefa486c31fc9e2f35beb94d56622874ec7de41a36e7c1c4ee5fae097b26bb453254d075bde786cd0

      • \Users\Admin\AppData\Roaming\word.exe
        Filesize

        286KB

        MD5

        78a95a8cb18e37d6565520be5e8013c4

        SHA1

        36557486465d9d133f2ea5aceaec9731f0663f91

        SHA256

        85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510

        SHA512

        7a811797afff6e82082296a10e5f3135340f126d1230bc15983737c0363c082b8bf7651d0732d85f89c5d08e13177fed789851c6402444c4dc794ee68d90be44

      • memory/880-77-0x00000000001D0000-0x00000000001D2000-memory.dmp
        Filesize

        8KB

      • memory/888-92-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

      • memory/888-96-0x0000000000380000-0x0000000000395000-memory.dmp
        Filesize

        84KB

      • memory/888-91-0x0000000000910000-0x0000000000C13000-memory.dmp
        Filesize

        3.0MB

      • memory/888-81-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

      • memory/888-93-0x0000000000340000-0x0000000000355000-memory.dmp
        Filesize

        84KB

      • memory/888-98-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

      • memory/1184-115-0x00000000069F0000-0x0000000006AF1000-memory.dmp
        Filesize

        1.0MB

      • memory/1184-86-0x00000000038D0000-0x00000000039D0000-memory.dmp
        Filesize

        1024KB

      • memory/1184-94-0x0000000006340000-0x00000000064B3000-memory.dmp
        Filesize

        1.4MB

      • memory/1184-118-0x00000000069F0000-0x0000000006AF1000-memory.dmp
        Filesize

        1.0MB

      • memory/1184-97-0x0000000007730000-0x00000000078B8000-memory.dmp
        Filesize

        1.5MB

      • memory/1184-116-0x00000000069F0000-0x0000000006AF1000-memory.dmp
        Filesize

        1.0MB

      • memory/1576-102-0x00000000009B0000-0x00000000009BE000-memory.dmp
        Filesize

        56KB

      • memory/1576-104-0x00000000009B0000-0x00000000009BE000-memory.dmp
        Filesize

        56KB

      • memory/1576-107-0x0000000000090000-0x00000000000BF000-memory.dmp
        Filesize

        188KB

      • memory/1576-110-0x0000000001DC0000-0x0000000001E54000-memory.dmp
        Filesize

        592KB

      • memory/1576-106-0x0000000002090000-0x0000000002393000-memory.dmp
        Filesize

        3.0MB

      • memory/1576-105-0x0000000000090000-0x00000000000BF000-memory.dmp
        Filesize

        188KB

      • memory/1576-100-0x00000000009B0000-0x00000000009BE000-memory.dmp
        Filesize

        56KB

      • memory/1948-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

      • memory/1948-138-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB