Overview

overview

10

Static

static

1

3abfcd5069...fd.rtf

windows7-x64

10

3abfcd5069...fd.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2023 04:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3abfcd50698f63ec13889697874b0dfd.rtf

  • Size

    23KB

  • MD5

    3abfcd50698f63ec13889697874b0dfd

  • SHA1

    10934d356d6bf22b54fea6249d80f749ad746c8a

  • SHA256

    f287d933ff17b3591ddd689172c4d8964644bf3740ac8d9418365b3b97c51c2b

  • SHA512

    e8cad2f9364852d1ef74437a99d2d77808a825504a804f6fe50733493459214d3613bcbe56defa04e2b1d18d3ec0ee10656c1f5c0a51ded6949923650867c441

  • SSDEEP

    384:PL8yqfpijwB6fPIsKTT9gNUXDVfcwBbCvdHHWvhdCT7TuEUiVW0+T2J11ArdNWAn:j8yqfpiJnZKTT9gNQDVfcwBbqdH2vhdv

Score
10/10
formbookxchuratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

xchu

Decoy

zcartoons.com

castilloshowroom.com

3bmmdtod.life

misaxoxo.com

nadiya.online

sykkbup29.xyz

triciaaprimrosevp.com

newleter.com

ptzslk.xyz

lightbulbfestival.com

texaslandline.com

ideeintemporelle.com

girljustdoitpodcast.com

medimediamarketing.com

bunk7outfitters.com

charlievgrfminnick.click

lifestyleinthehome.com

atfbestsale.online

frontdoorproperties.co.uk

grandpaswag2024.info

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 10 IoCs
    installer
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3abfcd50698f63ec13889697874b0dfd.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1900
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\SysWOW64\rundll32.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Public\cleanmgr_.exe"
          3⤵
            PID:1732
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Users\Public\cleanmgr_.exe
          "C:\Users\Public\cleanmgr_.exe"
          2⤵
          • Checks QEMU agent file
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:984
          • C:\Users\Public\cleanmgr_.exe
            "C:\Users\Public\cleanmgr_.exe"
            3⤵
            • Checks QEMU agent file
            • Loads dropped DLL
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1740

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        5cf8803e054fdae43a5f93c39315fa3e

        SHA1

        8ce71fe8de6a7bdcf486d66c3be2c1c848d94cb2

        SHA256

        875246ef4080fc2ea79eba3809ae4c0158a7ffe296d90cfa4bcdf71211e45697

        SHA512

        f07f487ad3df213e53b6b0a714c74c70d130583aa2adfa0a558a7407d921675ca87c046e9e6a37810cdfc419bd032ec04bd086c0c61e904e90f3f9dbfef19647

        Download Submit
      • C:\Users\Public\cleanmgr_.exe
        Filesize

        1.2MB

        MD5

        e95742503cd258666b61c5dde8a9003a

        SHA1

        cee3b32cbbcec87c7393a066012e6a2479867d4f

        SHA256

        f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679

        SHA512

        d2fad4e9bd20551bf89c15e86806a76f2dddb7702666b15fb64005effea01fcbe0087f3424c7f867e9ffa8021647e118f222595b43c039ce76fe9a33c7922fdd

        Download Submit
      • C:\Users\Public\cleanmgr_.exe
        Filesize

        1.2MB

        MD5

        e95742503cd258666b61c5dde8a9003a

        SHA1

        cee3b32cbbcec87c7393a066012e6a2479867d4f

        SHA256

        f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679

        SHA512

        d2fad4e9bd20551bf89c15e86806a76f2dddb7702666b15fb64005effea01fcbe0087f3424c7f867e9ffa8021647e118f222595b43c039ce76fe9a33c7922fdd

        Download Submit
      • C:\Users\Public\cleanmgr_.exe
        Filesize

        1.2MB

        MD5

        e95742503cd258666b61c5dde8a9003a

        SHA1

        cee3b32cbbcec87c7393a066012e6a2479867d4f

        SHA256

        f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679

        SHA512

        d2fad4e9bd20551bf89c15e86806a76f2dddb7702666b15fb64005effea01fcbe0087f3424c7f867e9ffa8021647e118f222595b43c039ce76fe9a33c7922fdd

        Download Submit
      • C:\Users\Public\cleanmgr_.exe
        Filesize

        1.2MB

        MD5

        e95742503cd258666b61c5dde8a9003a

        SHA1

        cee3b32cbbcec87c7393a066012e6a2479867d4f

        SHA256

        f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679

        SHA512

        d2fad4e9bd20551bf89c15e86806a76f2dddb7702666b15fb64005effea01fcbe0087f3424c7f867e9ffa8021647e118f222595b43c039ce76fe9a33c7922fdd

        Download Submit
      • \Users\Admin\AppData\Local\Temp\nst8D82.tmp\System.dll
        Filesize

        11KB

        MD5

        fbe295e5a1acfbd0a6271898f885fe6a

        SHA1

        d6d205922e61635472efb13c2bb92c9ac6cb96da

        SHA256

        a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

        SHA512

        2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

        Download Submit
      • \Users\Public\cleanmgr_.exe
        Filesize

        1.2MB

        MD5

        e95742503cd258666b61c5dde8a9003a

        SHA1

        cee3b32cbbcec87c7393a066012e6a2479867d4f

        SHA256

        f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679

        SHA512

        d2fad4e9bd20551bf89c15e86806a76f2dddb7702666b15fb64005effea01fcbe0087f3424c7f867e9ffa8021647e118f222595b43c039ce76fe9a33c7922fdd

        Download Submit
      • memory/704-122-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/704-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1200-89-0x00000000068E0000-0x0000000006A8D000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/1200-127-0x0000000003FF0000-0x00000000040A2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/1200-125-0x0000000003FF0000-0x00000000040A2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/1200-123-0x0000000003FF0000-0x00000000040A2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/1452-100-0x0000000002220000-0x0000000002523000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1452-99-0x0000000000090000-0x00000000000BF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1452-104-0x0000000000680000-0x0000000000713000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1452-92-0x0000000000670000-0x000000000067E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1452-94-0x0000000000670000-0x000000000067E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1452-102-0x0000000000090000-0x00000000000BF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1452-98-0x0000000000670000-0x000000000067E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1740-88-0x00000000000B0000-0x00000000000C4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1740-87-0x0000000035D60000-0x0000000036063000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1740-93-0x0000000001470000-0x0000000005ADF000-memory.dmp
        Filesize

        70.4MB

        Download
      • memory/1740-90-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1740-86-0x0000000001470000-0x0000000005ADF000-memory.dmp
        Filesize

        70.4MB

        Download
      • memory/1740-85-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1740-83-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1740-82-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1740-81-0x0000000000400000-0x0000000001462000-memory.dmp
        Filesize

        16.4MB

        Download