Overview

overview

10

Static

static

1

39669a47b5...f9.rtf

windows7-x64

10

39669a47b5...f9.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    73s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2023 05:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39669a47b553f5d6b3ed6b730d7852f9.rtf

  • Size

    22KB

  • MD5

    39669a47b553f5d6b3ed6b730d7852f9

  • SHA1

    74b365ae0dc316eee5de6df5911019cabe512efb

  • SHA256

    8e353c1f1a7b0ddea3289b04cb2fb2bde6eacb21298cca8a0c2af37081e5be8d

  • SHA512

    1efae6c19e86d02904b25cc4de9fb9114268ecc82d3743900e6057dc10a82db6286438dd21a534a59e8ed60597d198b3392a6e8c4a1fa5ce4116fa311da64a7b

  • SSDEEP

    384:d8eKvpZlj7bLrJU/Wx1mEIZBFhqeq/d7SZ7DPvZ5pfiZcp2k4V7qQsqG14uT+hS1:dBeZljnLrJUOx180luZfp3p2kA7q1qED

Score
10/10
formbookguloadergtt8downloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gtt8

Decoy

42taijijian.com

rehnimiyanales.com

cst247.shop

usdt09.tech

lennartjahn.com

aaabestcbd.com

marketing-digital-france-2.xyz

be4time.com

slotyfly.com

parimaladragonflywellness.life

phonereda.com

01076.win

thehoundlounge.info

high-vent.co.uk

14thfeb.com

onlyforks.info

joseeandtim.com

mylegoclub.com

iuser-findmy.info

uninassaupolopinheiro.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 1 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • NSIS installer 22 IoCs
    installer
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\39669a47b553f5d6b3ed6b730d7852f9.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1280
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Users\Public\clean_registry.exe
        "C:\Users\Public\clean_registry.exe"
        2⤵
        • Checks QEMU agent file
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Users\Public\clean_registry.exe
          "C:\Users\Public\clean_registry.exe"
          3⤵
          • Checks QEMU agent file
          • Loads dropped DLL
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:392
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 740
            4⤵
            • Loads dropped DLL
            • Program crash
            PID:1652

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      c7109413f0159e8ee21bec815626e681

      SHA1

      a14ea7dec30374a5ed69f09ac76d39e64eb4b34b

      SHA256

      5ef77d2a042a9c34cc2a87ebd51dc4aa9b09de91645cb20e8c3b14da91e7f9e1

      SHA512

      1dc2f5d8069835834fae1d8f48787f65ec7c2521d5395b9d8be1b2a82dff9be629d74e661122633aa9853a75fa3f058b0b25890220ceff4d1866b8a2c0c7ce43

      Download Submit
    • C:\Users\Public\clean_registry.exe
      Filesize

      285KB

      MD5

      a413d04a39c86bd0b4ca116227d20a30

      SHA1

      0d88f2cca0aae58c31add82851c42fa1702cd4cf

      SHA256

      9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

      SHA512

      e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

      Download Submit
    • C:\Users\Public\clean_registry.exe
      Filesize

      285KB

      MD5

      a413d04a39c86bd0b4ca116227d20a30

      SHA1

      0d88f2cca0aae58c31add82851c42fa1702cd4cf

      SHA256

      9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

      SHA512

      e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

      Download Submit
    • C:\Users\Public\clean_registry.exe
      Filesize

      285KB

      MD5

      a413d04a39c86bd0b4ca116227d20a30

      SHA1

      0d88f2cca0aae58c31add82851c42fa1702cd4cf

      SHA256

      9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

      SHA512

      e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

      Download Submit
    • C:\Users\Public\clean_registry.exe
      Filesize

      285KB

      MD5

      a413d04a39c86bd0b4ca116227d20a30

      SHA1

      0d88f2cca0aae58c31add82851c42fa1702cd4cf

      SHA256

      9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

      SHA512

      e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsjA68E.tmp\System.dll
      Filesize

      11KB

      MD5

      0063d48afe5a0cdc02833145667b6641

      SHA1

      e7eb614805d183ecb1127c62decb1a6be1b4f7a8

      SHA256

      ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

      SHA512

      71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

      Download Submit
    • \Users\Public\clean_registry.exe
      Filesize

      285KB

      MD5

      a413d04a39c86bd0b4ca116227d20a30

      SHA1

      0d88f2cca0aae58c31add82851c42fa1702cd4cf

      SHA256

      9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

      SHA512

      e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

      Download Submit
    • \Users\Public\clean_registry.exe
      Filesize

      285KB

      MD5

      a413d04a39c86bd0b4ca116227d20a30

      SHA1

      0d88f2cca0aae58c31add82851c42fa1702cd4cf

      SHA256

      9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

      SHA512

      e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

      Download Submit
    • \Users\Public\clean_registry.exe
      Filesize

      285KB

      MD5

      a413d04a39c86bd0b4ca116227d20a30

      SHA1

      0d88f2cca0aae58c31add82851c42fa1702cd4cf

      SHA256

      9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

      SHA512

      e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

      Download Submit
    • \Users\Public\clean_registry.exe
      Filesize

      285KB

      MD5

      a413d04a39c86bd0b4ca116227d20a30

      SHA1

      0d88f2cca0aae58c31add82851c42fa1702cd4cf

      SHA256

      9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

      SHA512

      e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

      Download Submit
    • \Users\Public\clean_registry.exe
      Filesize

      285KB

      MD5

      a413d04a39c86bd0b4ca116227d20a30

      SHA1

      0d88f2cca0aae58c31add82851c42fa1702cd4cf

      SHA256

      9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

      SHA512

      e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

      Download Submit
    • \Users\Public\clean_registry.exe
      Filesize

      285KB

      MD5

      a413d04a39c86bd0b4ca116227d20a30

      SHA1

      0d88f2cca0aae58c31add82851c42fa1702cd4cf

      SHA256

      9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

      SHA512

      e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

      Download Submit
    • \Users\Public\clean_registry.exe
      Filesize

      285KB

      MD5

      a413d04a39c86bd0b4ca116227d20a30

      SHA1

      0d88f2cca0aae58c31add82851c42fa1702cd4cf

      SHA256

      9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

      SHA512

      e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

      Download Submit
    • memory/392-87-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/392-88-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/392-89-0x0000000001470000-0x00000000043A8000-memory.dmp
      Filesize

      47.2MB

      Download
    • memory/392-86-0x0000000001470000-0x00000000043A8000-memory.dmp
      Filesize

      47.2MB

      Download
    • memory/392-85-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/392-94-0x0000000001470000-0x00000000043A8000-memory.dmp
      Filesize

      47.2MB

      Download
    • memory/1048-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1048-123-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1612-81-0x0000000002D20000-0x0000000005C58000-memory.dmp
      Filesize

      47.2MB

      Download
    • memory/1612-80-0x0000000002D20000-0x0000000005C58000-memory.dmp
      Filesize

      47.2MB

      Download