Analysis

  • max time kernel: 150s
  • max time network: 134s
  • platform: windows7_x64
  • resource: win7-20230220-en
  • resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted: 08-06-2023 05:30

General

  • Target: 8f6f20b9800cc3739e08c986979fe886.rtf
  • Size: 27KB
  • MD5: 8f6f20b9800cc3739e08c986979fe886
  • SHA1: 945fc5d51604afd6e92c84fac68e336680d37abc
  • SHA256: 4fe0591d0c5bd1f27e2a384aa171139b371847c545e9eae6e7bc6269a954a58b
  • SHA512: e5a31cf4eb09b45990de61527c98a3bb5726ce52bd9b103535bb347d18e60943b1d12d73f7aec23a6b214abb0cad952aec560ccb71064b131254018ecf646b71
  • SSDEEP: 768:DHe6wuA/+TFngTG1tl2qGOQP0u2kPdU8S7C5G3fljgBQ/sp:DHOuA/+TFngC1u2kl7wm7p

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: xchu
  • Decoy domains:
    zcartoons.com
    castilloshowroom.com
    3bmmdtod.life
    misaxoxo.com
    nadiya.online
    sykkbup29.xyz
    triciaaprimrosevp.com
    newleter.com
    ptzslk.xyz
    lightbulbfestival.com
    texaslandline.com
    ideeintemporelle.com
    girljustdoitpodcast.com
    medimediamarketing.com
    bunk7outfitters.com
    charlievgrfminnick.click
    lifestyleinthehome.com
    atfbestsale.online
    frontdoorproperties.co.uk
    grandpaswag2024.info

Signatures

  • Formbook

    Formbook is an information stealer: it harvests credentials and form data from browsers and other applications, logs keystrokes and can take screenshots. The theft runs from code injected into a legitimate process (here help.exe under Explorer.EXE in the process tree below).

  • Formbook payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 12 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor (EQNEDT32.EXE) is a legacy Office component that is activated out of process via COM, so it appears as its own top-level process rather than as a child of WINWORD.EXE. It is a frequent exploit target (CVE-2017-11882, CVE-2018-0802), and it has no legitimate reason to create child processes, so any child of EQNEDT32.EXE is a strong compromise indicator.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
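
Static triage for the Equation Editor indicator above. This is an added example, not part of the sandbox report or of any tool's code: it pulls every \objdata hex blob out of an RTF, parses the OLE 1.0 object header to read the embedded object's class name, and looks for the Equation Editor 3.0 CLSID ({0002CE02-0000-0000-C000-000000000046}) in the object data, which still catches documents whose \objclass has been stripped or spoofed. The RTF it scans is constructed inline and carries no exploit content; the _ole1_embedded and _hex_wrapped helpers exist only to build that sample. The parser is deliberately minimal: droppers that interleave control words inside the hex or split the object across nested groups need a real RTF tokenizer such as oletools' rtfobj.

```python
import binascii
import re
import struct

# Equation Editor 3.0 class id {0002CE02-0000-0000-C000-000000000046}, in the
# byte order it has on disk inside OLE structures.
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

# \objdata is followed by hex-encoded OLE1 object data, usually wrapped over many
# lines; the capture stops at the first character that is neither hex nor space.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes):
    """Yield the decoded bytes of every \\objdata group in an RTF document."""
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:            # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        yield binascii.unhexlify(hexdata)


def _lp_string(blob: bytes, off: int):
    """LengthPrefixedAnsiString (MS-OLEDS 2.1.4): 4-byte length, then bytes."""
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    return blob[off:off + n], off + n


def parse_ole1(blob: bytes):
    """Parse the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4) and, for FormatID 2
    (EmbeddedObject), the NativeData that follows it. None if truncated."""
    try:
        version, format_id = struct.unpack_from("<II", blob, 0)
        class_name, off = _lp_string(blob, 8)
        _topic, off = _lp_string(blob, off)
        _item, off = _lp_string(blob, off)
    except struct.error:
        return None
    native = b""
    if format_id == 2 and off + 4 <= len(blob):
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4:off + 4 + size]
    return {
        "version": version,
        "format_id": format_id,
        "class_name": class_name.rstrip(b"\x00").decode("latin-1", "replace"),
        "native_data": native,
    }


def scan_rtf(rtf: bytes):
    """One finding per embedded object; `equation_editor` is True when either
    the OLE1 class name or the CLSID points at Equation Editor."""
    findings = []
    for index, blob in enumerate(extract_objdata(rtf)):
        obj = parse_ole1(blob)
        if obj is None:
            continue
        reasons = []
        if obj["class_name"].lower().startswith("equation"):
            reasons.append("OLE1 class name " + obj["class_name"])
        if EQUATION_CLSID in blob:
            reasons.append("Equation Editor 3.0 CLSID in object data")
        findings.append({
            "index": index,
            "class_name": obj["class_name"],
            "native_size": len(obj["native_data"]),
            "equation_editor": bool(reasons),
            "reasons": reasons,
        })
    return findings


def _ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE1 EmbeddedObject wrapper; used only for the constructed sample."""
    lp = lambda s: struct.pack("<I", len(s)) + s
    return (struct.pack("<II", 0x0501, 2) + lp(class_name + b"\x00")
            + lp(b"") + lp(b"") + struct.pack("<I", len(native)) + native)


def _hex_wrapped(data: bytes, width: int = 64) -> bytes:
    h = binascii.hexlify(data)
    return b"\r\n".join(h[i:i + width] for i in range(0, len(h), width))


# Constructed sample document (not the analysed file): a CFB-looking stub that
# carries the Equation CLSID, next to a harmless "Package" object.
_EQN_NATIVE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16 + EQUATION_CLSID + b"\x00" * 8
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\r\n"
    b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata\r\n"
    + _hex_wrapped(_ole1_embedded(b"Equation.3", _EQN_NATIVE)) + b"}}\r\n"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    + _hex_wrapped(_ole1_embedded(b"Package", b"benign")) + b"}}\r\n"
    b"}"
)

if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        flag = "EQUATION" if f["equation_editor"] else "ok"
        print(f"object {f['index']}: class={f['class_name']!r} "
              f"native={f['native_size']}B [{flag}] {'; '.join(f['reasons'])}")
```

A hit means the document embeds an Equation object, which legitimate math-heavy documents also do; the conclusive runtime evidence is EQNEDT32.EXE spawning a child process, as the process tree below shows.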

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8f6f20b9800cc3739e08c986979fe886.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1440
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\clean_registry.exe"
        3⤵
        PID:692
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Users\Public\clean_registry.exe
      "C:\Users\Public\clean_registry.exe"
      2⤵
      • Checks QEMU agent file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Public\clean_registry.exe
        "C:\Users\Public\clean_registry.exe"
        3⤵
        • Checks QEMU agent file
        • Loads dropped DLL
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1140

      MITRE ATT&CK Matrix ATT&CK v6

      Execution
        • Exploitation for Client Execution (T1203): 1

      Defense Evasion
        • Modify Registry (T1112): 1

      Discovery
        • Query Registry (T1012): 1
        • System Information Discovery (T1082): 2


      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize: 20KB
        MD5: 5e0884726fdc8b5cb9dfe2341f76f265
        SHA1: 138ea225f9cdb855fcbcb78cf4b04f8d2e7a4563
        SHA256: a23eb3890288f6f6d68c23214f2d8221007a4134fc62ba74a7e1ce02581b52e8
        SHA512: fb07e23ba0976452b6cccbfe3fd0df54e88ca06dc834b85d30be89ec20d9fbde3c21ec52daf92b3363c81a6aada4767042ab7a9868d02e9fc0ce17256c0d551f

      • C:\Users\Public\clean_registry.exe
        Filesize: 280KB
        MD5: c6d2ae33edf3d67a0c2abe42836c2874
        SHA1: c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3
        SHA256: 4e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2
        SHA512: 444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c

      • \Users\Admin\AppData\Local\Temp\nsd538E.tmp\System.dll
        Filesize: 11KB
        MD5: 0063d48afe5a0cdc02833145667b6641
        SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
        SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
        SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

      • \Users\Public\clean_registry.exe
        Filesize: 280KB
        MD5: c6d2ae33edf3d67a0c2abe42836c2874
        SHA1: c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3
        SHA256: 4e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2
        SHA512: 444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c

      • memory/884-95-0x00000000006D0000-0x00000000006D6000-memory.dmp (24KB)
      • memory/884-97-0x00000000006D0000-0x00000000006D6000-memory.dmp (24KB)
      • memory/884-98-0x0000000000080000-0x00000000000AF000-memory.dmp (188KB)
      • memory/884-101-0x00000000009C0000-0x0000000000CC3000-memory.dmp (3.0MB)
      • memory/884-103-0x0000000000080000-0x00000000000AF000-memory.dmp (188KB)
      • memory/884-122-0x0000000000320000-0x00000000003B3000-memory.dmp (588KB)
      • memory/1140-83-0x0000000000400000-0x0000000001462000-memory.dmp (16.4MB)
      • memory/1140-84-0x0000000000400000-0x0000000001462000-memory.dmp (16.4MB)
      • memory/1140-85-0x0000000000400000-0x0000000001462000-memory.dmp (16.4MB)
      • memory/1140-87-0x0000000000400000-0x0000000001462000-memory.dmp (16.4MB)
      • memory/1140-88-0x0000000001470000-0x00000000068D4000-memory.dmp (84.4MB)
      • memory/1140-89-0x0000000036BE0000-0x0000000036EE3000-memory.dmp (3.0MB)
      • memory/1140-91-0x0000000036890000-0x00000000368A4000-memory.dmp (80KB)
      • memory/1140-93-0x0000000000400000-0x0000000001462000-memory.dmp (16.4MB)
      • memory/1140-96-0x0000000001470000-0x00000000068D4000-memory.dmp (84.4MB)
      • memory/1208-92-0x0000000003D50000-0x0000000003E14000-memory.dmp (784KB)
      • memory/1208-123-0x0000000004AB0000-0x0000000004B52000-memory.dmp (648KB)
      • memory/1208-124-0x0000000004AB0000-0x0000000004B52000-memory.dmp (648KB)
      • memory/1208-127-0x0000000004AB0000-0x0000000004B52000-memory.dmp (648KB)
      • memory/2024-54-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
      • memory/2024-121-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)