Analysis
-
max time kernel
148s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
15/08/2023, 08:53
Static task
static1
Behavioral task
behavioral1
Sample
order #393405.xls
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
order #393405.xls
Resource
win10v2004-20230703-en
General
-
Target
order #393405.xls
-
Size
1.3MB
-
MD5
a913096f787c53f96a34dfff28a68ac1
-
SHA1
43ea14976d150ca3146c0fde2f44947df9e2f4af
-
SHA256
da1f2444a6a87363c210ff73a4111ccea458b1d35b2cbe7c1c54fa471c8f752f
-
SHA512
ec32f7db5917cfb7162d32386c3dd38cc1373a6635668c3ffe158130e8d4d1eeadb69ca0a6ee6fb9d09168b83e24f1b9ee923d96a7f668b2a9d09f0e3a32d81f
-
SSDEEP
24576:UaZy0w6VgjKaWlEzp7aUZydw6VzjKaWlEzp7azzd6f/b7QAUQp5E/zwwx:UE86VgjKjOzRJ6VzjKjOzEdU7/UX/zf
Malware Config
Extracted
formbook
4.1
sy22
vinteligencia.com
displayfridges.fun
completetip.com
giallozafferrano.com
jizihao1.com
mysticheightstrail.com
fourseasonslb.com
kjnala.shop
mosiacwall.com
vandistreet.com
gracefullytouchedartistry.com
hbiwhwr.shop
mfmz.net
hrmbrillianz.com
funwarsztat.com
polewithcandy.com
ourrajasthan.com
wilhouettteamerica.com
johnnystintshop.com
asgnelwin.com
alcmcyu.com
thwmlohr.click
gypseascuba.com
mysonisgaythemovie.com
sunriseautostorellc.com
fuhouse.link
motorcycleglassesshop.com
vaskaworldairways.com
qixservice.online
b2b-scaling.com
03ss.vip
trishpintar.com
gk84.com
omclaval.com
emeeycarwash.com
wb7mnp.com
kimgj.com
278809.com
summitstracecolumbus.com
dryadai.com
vistcreative.com
weoliveorder.com
kwamitikki.com
cjk66.online
travisline.pro
mercardosupltda.shop
sunspotplumbing.com
podplugca.com
leontellez.com
fzturf.com
docomo-mobileconsulting.com
apneabirmingham.info
rollesgraciejiujitsu.com
sx15k.com
kebobcapital.com
91967.net
claudiaduverglas.com
zhperviepixie.com
oliwas.xyz
flowersinspace.tech
uadmxqby.click
greatbaitusa.com
drpenawaraircondhargarahmah.com
sofbks.top
sarthaksrishticreation.com
Signatures
-
Formbook payload 4 IoCs
resource yara_rule behavioral1/memory/2448-88-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2448-93-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2684-99-0x0000000000090000-0x00000000000BF000-memory.dmp formbook behavioral1/memory/2684-101-0x0000000000090000-0x00000000000BF000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
flow pid Process 4 1440 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 2068 dasHost.exe 2448 dasHost.exe -
Loads dropped DLL 3 IoCs
pid Process 1440 EQNEDT32.EXE 1440 EQNEDT32.EXE 2068 dasHost.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2068 set thread context of 2448 2068 dasHost.exe 34 PID 2448 set thread context of 1368 2448 dasHost.exe 16 PID 2684 set thread context of 1368 2684 wuapp.exe 16 -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 1440 EQNEDT32.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2676 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 2448 dasHost.exe 2448 dasHost.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe 2684 wuapp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1368 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 2448 dasHost.exe 2448 dasHost.exe 2448 dasHost.exe 2684 wuapp.exe 2684 wuapp.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2448 dasHost.exe Token: SeDebugPrivilege 2684 wuapp.exe Token: SeShutdownPrivilege 1368 Explorer.EXE Token: SeShutdownPrivilege 1368 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2676 EXCEL.EXE 2676 EXCEL.EXE 2676 EXCEL.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1440 wrote to memory of 2068 1440 EQNEDT32.EXE 30 PID 1440 wrote to memory of 2068 1440 EQNEDT32.EXE 30 PID 1440 wrote to memory of 2068 1440 EQNEDT32.EXE 30 PID 1440 wrote to memory of 2068 1440 EQNEDT32.EXE 30 PID 2068 wrote to memory of 2448 2068 dasHost.exe 34 PID 2068 wrote to memory of 2448 2068 dasHost.exe 34 PID 2068 wrote to memory of 2448 2068 dasHost.exe 34 PID 2068 wrote to memory of 2448 2068 dasHost.exe 34 PID 2068 wrote to memory of 2448 2068 dasHost.exe 34 PID 2068 wrote to memory of 2448 2068 dasHost.exe 34 PID 2068 wrote to memory of 2448 2068 dasHost.exe 34 PID 1368 wrote to memory of 2684 1368 Explorer.EXE 35 PID 1368 wrote to memory of 2684 1368 Explorer.EXE 35 PID 1368 wrote to memory of 2684 1368 Explorer.EXE 35 PID 1368 wrote to memory of 2684 1368 Explorer.EXE 35 PID 1368 wrote to memory of 2684 1368 Explorer.EXE 35 PID 1368 wrote to memory of 2684 1368 Explorer.EXE 35 PID 1368 wrote to memory of 2684 1368 Explorer.EXE 35 PID 2684 wrote to memory of 1920 2684 wuapp.exe 36 PID 2684 wrote to memory of 1920 2684 wuapp.exe 36 PID 2684 wrote to memory of 1920 2684 wuapp.exe 36 PID 2684 wrote to memory of 1920 2684 wuapp.exe 36
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\order #393405.xls"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2676
-
-
C:\Windows\SysWOW64\wuapp.exe"C:\Windows\SysWOW64\wuapp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\dasHost.exe"3⤵PID:1920
-
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\dasHost.exe"C:\Users\Admin\AppData\Local\Temp\dasHost.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\dasHost.exe"C:\Users\Admin\AppData\Local\Temp\dasHost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5a01b9617553432807b9b58025b338d97
SHA1439bdcc450408b9735b2428c2d53d2e6977fa58c
SHA2567a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce
SHA512312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee
-
Filesize
537KB
MD5d145e45a54f7ad9c25620e97fb545734
SHA14a6a4de62f44c29f3008de7436f7fa4f44814dd3
SHA256edb6d1a583895269b9b3d58b7acdb1a8590a2289529f9c9e937a33fed180add6
SHA512a00d9dbff3cd5a6c3e4efdf349b3ae65d948a3b2a651e75325bce9aa5896959bb93b9f90a27b44e1e2d24ac17b4164bb2a7e8812086540d7b2a862c3e9fe4b9f
-
Filesize
537KB
MD5d145e45a54f7ad9c25620e97fb545734
SHA14a6a4de62f44c29f3008de7436f7fa4f44814dd3
SHA256edb6d1a583895269b9b3d58b7acdb1a8590a2289529f9c9e937a33fed180add6
SHA512a00d9dbff3cd5a6c3e4efdf349b3ae65d948a3b2a651e75325bce9aa5896959bb93b9f90a27b44e1e2d24ac17b4164bb2a7e8812086540d7b2a862c3e9fe4b9f
-
Filesize
537KB
MD5d145e45a54f7ad9c25620e97fb545734
SHA14a6a4de62f44c29f3008de7436f7fa4f44814dd3
SHA256edb6d1a583895269b9b3d58b7acdb1a8590a2289529f9c9e937a33fed180add6
SHA512a00d9dbff3cd5a6c3e4efdf349b3ae65d948a3b2a651e75325bce9aa5896959bb93b9f90a27b44e1e2d24ac17b4164bb2a7e8812086540d7b2a862c3e9fe4b9f
-
Filesize
537KB
MD5d145e45a54f7ad9c25620e97fb545734
SHA14a6a4de62f44c29f3008de7436f7fa4f44814dd3
SHA256edb6d1a583895269b9b3d58b7acdb1a8590a2289529f9c9e937a33fed180add6
SHA512a00d9dbff3cd5a6c3e4efdf349b3ae65d948a3b2a651e75325bce9aa5896959bb93b9f90a27b44e1e2d24ac17b4164bb2a7e8812086540d7b2a862c3e9fe4b9f
-
Filesize
537KB
MD5d145e45a54f7ad9c25620e97fb545734
SHA14a6a4de62f44c29f3008de7436f7fa4f44814dd3
SHA256edb6d1a583895269b9b3d58b7acdb1a8590a2289529f9c9e937a33fed180add6
SHA512a00d9dbff3cd5a6c3e4efdf349b3ae65d948a3b2a651e75325bce9aa5896959bb93b9f90a27b44e1e2d24ac17b4164bb2a7e8812086540d7b2a862c3e9fe4b9f
-
Filesize
537KB
MD5d145e45a54f7ad9c25620e97fb545734
SHA14a6a4de62f44c29f3008de7436f7fa4f44814dd3
SHA256edb6d1a583895269b9b3d58b7acdb1a8590a2289529f9c9e937a33fed180add6
SHA512a00d9dbff3cd5a6c3e4efdf349b3ae65d948a3b2a651e75325bce9aa5896959bb93b9f90a27b44e1e2d24ac17b4164bb2a7e8812086540d7b2a862c3e9fe4b9f
-
Filesize
537KB
MD5d145e45a54f7ad9c25620e97fb545734
SHA14a6a4de62f44c29f3008de7436f7fa4f44814dd3
SHA256edb6d1a583895269b9b3d58b7acdb1a8590a2289529f9c9e937a33fed180add6
SHA512a00d9dbff3cd5a6c3e4efdf349b3ae65d948a3b2a651e75325bce9aa5896959bb93b9f90a27b44e1e2d24ac17b4164bb2a7e8812086540d7b2a862c3e9fe4b9f