Overview

overview

10

Static

static

1

e230816a29...62.rtf

windows7-x64

10

e230816a29...62.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2023 04:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e230816a29bb8af0b5f24adfbe5eff62.rtf

  • Size

    25KB

  • MD5

    e230816a29bb8af0b5f24adfbe5eff62

  • SHA1

    841fb495cc824fb043d1be3f033326294745dfff

  • SHA256

    061eab00aca9bb4dc4a164c23f0ec24b805eaff6bd597b45601bde2958744ca3

  • SHA512

    8af309043b6af0b9bae704071b643b9df4cd681e855a897cad25f0dff3113fae0a97810283bc16b0988280f47307f51c5f5669288ee5f07f8a56c63f4d52dca7

  • SSDEEP

    768:XJnxqg/d7sWctQS0vZJ7UtnZlo2QLdWX2tibZqSA0:1xJ7sWcEf7gnc7QX3/A0

Score
10/10
formbookguloaderxchudownloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

xchu

Decoy

zcartoons.com

castilloshowroom.com

3bmmdtod.life

misaxoxo.com

nadiya.online

sykkbup29.xyz

triciaaprimrosevp.com

newleter.com

ptzslk.xyz

lightbulbfestival.com

texaslandline.com

ideeintemporelle.com

girljustdoitpodcast.com

medimediamarketing.com

bunk7outfitters.com

charlievgrfminnick.click

lifestyleinthehome.com

atfbestsale.online

frontdoorproperties.co.uk

grandpaswag2024.info

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 4 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 16 IoCs
    installer
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e230816a29bb8af0b5f24adfbe5eff62.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1752
      • C:\Windows\SysWOW64\control.exe
        "C:\Windows\SysWOW64\control.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Public\registry_clean.exe"
          3⤵
            PID:1108
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Users\Public\registry_clean.exe
          "C:\Users\Public\registry_clean.exe"
          2⤵
          • Checks QEMU agent file
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:668
          • C:\Users\Public\registry_clean.exe
            "C:\Users\Public\registry_clean.exe"
            3⤵
            • Checks QEMU agent file
            • Loads dropped DLL
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1256

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        181bdc4b6cce3d69083ccb4c7a9c80e4

        SHA1

        cc546ec2fd8d23308b077242c2310532a54b89f5

        SHA256

        6ac79053493a9e899e6293d0d990c400e6f68fdf3bc54d608b76c030d5a51fe0

        SHA512

        e89fa9415ab2039104f34436e4b898885d44d56c8c37fcfcdb0a18ee46d33c392459c03a83f8ac12e3503c4ced2367fc587c5e58e6917f2bf5238eedaa735463

        Download Submit
      • C:\Users\Public\registry_clean.exe
        Filesize

        371KB

        MD5

        bb82589608f2312e9bf9d0c63c8a3d68

        SHA1

        c66d15184ef9a38a7423f1a6fbc60c94132051f9

        SHA256

        3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f

        SHA512

        c839f9653e021cd06deaa1b529506596598473f8e62347a5a01e88a09fdf6316a17e5cad8502646fc40db955505c44082ba5ed1e62bd2ce8e8bf8daa1dcecb3a

        Download Submit
      • C:\Users\Public\registry_clean.exe
        Filesize

        371KB

        MD5

        bb82589608f2312e9bf9d0c63c8a3d68

        SHA1

        c66d15184ef9a38a7423f1a6fbc60c94132051f9

        SHA256

        3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f

        SHA512

        c839f9653e021cd06deaa1b529506596598473f8e62347a5a01e88a09fdf6316a17e5cad8502646fc40db955505c44082ba5ed1e62bd2ce8e8bf8daa1dcecb3a

        Download Submit
      • C:\Users\Public\registry_clean.exe
        Filesize

        371KB

        MD5

        bb82589608f2312e9bf9d0c63c8a3d68

        SHA1

        c66d15184ef9a38a7423f1a6fbc60c94132051f9

        SHA256

        3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f

        SHA512

        c839f9653e021cd06deaa1b529506596598473f8e62347a5a01e88a09fdf6316a17e5cad8502646fc40db955505c44082ba5ed1e62bd2ce8e8bf8daa1dcecb3a

        Download Submit
      • C:\Users\Public\registry_clean.exe
        Filesize

        371KB

        MD5

        bb82589608f2312e9bf9d0c63c8a3d68

        SHA1

        c66d15184ef9a38a7423f1a6fbc60c94132051f9

        SHA256

        3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f

        SHA512

        c839f9653e021cd06deaa1b529506596598473f8e62347a5a01e88a09fdf6316a17e5cad8502646fc40db955505c44082ba5ed1e62bd2ce8e8bf8daa1dcecb3a

        Download Submit
      • \Users\Admin\AppData\Local\Temp\nsy3BF9.tmp\System.dll
        Filesize

        11KB

        MD5

        0063d48afe5a0cdc02833145667b6641

        SHA1

        e7eb614805d183ecb1127c62decb1a6be1b4f7a8

        SHA256

        ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

        SHA512

        71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

        Download Submit
      • \Users\Public\registry_clean.exe
        Filesize

        371KB

        MD5

        bb82589608f2312e9bf9d0c63c8a3d68

        SHA1

        c66d15184ef9a38a7423f1a6fbc60c94132051f9

        SHA256

        3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f

        SHA512

        c839f9653e021cd06deaa1b529506596598473f8e62347a5a01e88a09fdf6316a17e5cad8502646fc40db955505c44082ba5ed1e62bd2ce8e8bf8daa1dcecb3a

        Download Submit
      • \Users\Public\registry_clean.exe
        Filesize

        371KB

        MD5

        bb82589608f2312e9bf9d0c63c8a3d68

        SHA1

        c66d15184ef9a38a7423f1a6fbc60c94132051f9

        SHA256

        3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f

        SHA512

        c839f9653e021cd06deaa1b529506596598473f8e62347a5a01e88a09fdf6316a17e5cad8502646fc40db955505c44082ba5ed1e62bd2ce8e8bf8daa1dcecb3a

        Download Submit
      • \Users\Public\registry_clean.exe
        Filesize

        371KB

        MD5

        bb82589608f2312e9bf9d0c63c8a3d68

        SHA1

        c66d15184ef9a38a7423f1a6fbc60c94132051f9

        SHA256

        3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f

        SHA512

        c839f9653e021cd06deaa1b529506596598473f8e62347a5a01e88a09fdf6316a17e5cad8502646fc40db955505c44082ba5ed1e62bd2ce8e8bf8daa1dcecb3a

        Download Submit
      • \Users\Public\registry_clean.exe
        Filesize

        371KB

        MD5

        bb82589608f2312e9bf9d0c63c8a3d68

        SHA1

        c66d15184ef9a38a7423f1a6fbc60c94132051f9

        SHA256

        3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f

        SHA512

        c839f9653e021cd06deaa1b529506596598473f8e62347a5a01e88a09fdf6316a17e5cad8502646fc40db955505c44082ba5ed1e62bd2ce8e8bf8daa1dcecb3a

        Download Submit
      • memory/668-84-0x0000000002E40000-0x000000000605F000-memory.dmp
        Filesize

        50.1MB

        Download
      • memory/668-89-0x0000000002E40000-0x000000000605F000-memory.dmp
        Filesize

        50.1MB

        Download
      • memory/1216-98-0x00000000001B0000-0x00000000002B0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1216-117-0x0000000004CE0000-0x0000000004D7C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/1216-114-0x0000000004CE0000-0x0000000004D7C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/1216-113-0x0000000004CE0000-0x0000000004D7C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/1216-101-0x0000000006C80000-0x0000000006D65000-memory.dmp
        Filesize

        916KB

        Download
      • memory/1256-97-0x0000000001470000-0x000000000468F000-memory.dmp
        Filesize

        50.1MB

        Download
      • memory/1256-96-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1256-100-0x0000000034450000-0x0000000034464000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1256-99-0x00000000348C0000-0x0000000034BC3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1256-102-0x0000000001470000-0x000000000468F000-memory.dmp
        Filesize

        50.1MB

        Download
      • memory/1256-105-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1256-91-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1256-92-0x0000000001470000-0x000000000468F000-memory.dmp
        Filesize

        50.1MB

        Download
      • memory/1256-94-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1696-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1696-136-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2032-104-0x0000000000940000-0x000000000095F000-memory.dmp
        Filesize

        124KB

        Download
      • memory/2032-112-0x0000000001D60000-0x0000000001DF3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/2032-109-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2032-107-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2032-108-0x0000000001EF0000-0x00000000021F3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/2032-103-0x0000000000940000-0x000000000095F000-memory.dmp
        Filesize

        124KB

        Download