Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
05/10/2023, 08:47
General
-
Target
Purchase Order 4502726800.xls
-
Size
1.3MB
-
MD5
11183eb7b983bfb2186430f24434d772
-
SHA1
bcbe97b20a3c8cd38f92c86c299e5f8ae8717f91
-
SHA256
7913fa8f88bcf743352767b91881a163ac31b56a30c09fe87a3547690e481430
-
SHA512
85fff7017fac0c77c7cb8e0e5f162a430e3f20bc13c90061106cc349c12d54a473298be21a184bd20d0b0859be1edc884dab73b907eb4f3859e8cd969af4f4bf
-
SSDEEP
24576:KWQmmav30xuToZyow6VbAXZSCWZyXw6VoAXZSGmwVJzfJbW0YfEhVivUziH/wrxU:vQmmQ30ps6VIEp76V3EqVW7f6ZzifE
Malware Config
Extracted
formbook
4.1
sy22
vinteligencia.com
displayfridges.fun
completetip.com
giallozafferrano.com
jizihao1.com
mysticheightstrail.com
fourseasonslb.com
kjnala.shop
mosiacwall.com
vandistreet.com
gracefullytouchedartistry.com
hbiwhwr.shop
mfmz.net
hrmbrillianz.com
funwarsztat.com
polewithcandy.com
ourrajasthan.com
wilhouettteamerica.com
johnnystintshop.com
asgnelwin.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 4 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order 4502726800.xls"2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\dmnvd.exe"3⤵
-
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\audiodgse.exe"C:\Users\Admin\AppData\Roaming\audiodgse.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dmnvd.exe"C:\Users\Admin\AppData\Local\Temp\dmnvd.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dmnvd.exe"C:\Users\Admin\AppData\Local\Temp\dmnvd.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5a01b9617553432807b9b58025b338d97
SHA1439bdcc450408b9735b2428c2d53d2e6977fa58c
SHA2567a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce
SHA512312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee
-
Filesize
526KB
MD5b1276fb00ff154303ae1184c774799b4
SHA138dae5f6f42d12e6b4103d89876a08ff339630b7
SHA2569db01b64ecbffc09592278d4c0961eb5c30fcaa2f59d9ff04d494f8363247e81
SHA5126697d66e93f8a53a990672cfc047a0a3e50b12fe2009b4e7b5ae09e99146ca015d084ad0ca91cffb8124fbabec832086bd5874fe3f0d87890a36d024a11e0065
-
Filesize
170KB
MD588d81ef2c5fd6d8cab7eb5dc58a599f7
SHA1fac7f3b2161a243326be0763d829bc1c98ced09c
SHA25664d2ad9da5974261c43b578308f0df16851c3061aa5dc46e69ef888244befaa1
SHA51209b193a1fcaad40e13c35473993d9b2e242e75eeb3596ea8648b8cbef74775562fb521461287379f6525a178798730e3e0d2293799180aa89d0c8ac833bbe7f6
-
Filesize
170KB
MD588d81ef2c5fd6d8cab7eb5dc58a599f7
SHA1fac7f3b2161a243326be0763d829bc1c98ced09c
SHA25664d2ad9da5974261c43b578308f0df16851c3061aa5dc46e69ef888244befaa1
SHA51209b193a1fcaad40e13c35473993d9b2e242e75eeb3596ea8648b8cbef74775562fb521461287379f6525a178798730e3e0d2293799180aa89d0c8ac833bbe7f6
-
Filesize
170KB
MD588d81ef2c5fd6d8cab7eb5dc58a599f7
SHA1fac7f3b2161a243326be0763d829bc1c98ced09c
SHA25664d2ad9da5974261c43b578308f0df16851c3061aa5dc46e69ef888244befaa1
SHA51209b193a1fcaad40e13c35473993d9b2e242e75eeb3596ea8648b8cbef74775562fb521461287379f6525a178798730e3e0d2293799180aa89d0c8ac833bbe7f6
-
Filesize
205KB
MD50a54451a83a117deb8a67a2e2266049d
SHA1d62c81856b8a7d3d8a3768eb0bb3f120797f815e
SHA256e670092e63e22b3fc3dd215cd8c9fba73b7885a32a76447152e15528bf905817
SHA51247711228e53da2322ca9c56422fa6ee0ed18ec737017697790a599e57117b016098ad89b791458712ae60b2f6a19c720c26122d187f2b56fed83d61f719106af
-
Filesize
324KB
MD5fc22fadc862dd0a5b07210a9255025b0
SHA1bd32c5e6fc87066973379fc7c36309987c961870
SHA25692a11969793b832918bec3384ffadd4c626a7888d97454f4790529566d462022
SHA512672497fe32e4d05ab115211660c8456c3b6b89e61f17cfe4bdce573a428ab9cd8ce7c78a809c5c3a7d47e2e432bed58ab0e1ea11e6a3e94cb590aa3c9b4194ff
-
Filesize
324KB
MD5fc22fadc862dd0a5b07210a9255025b0
SHA1bd32c5e6fc87066973379fc7c36309987c961870
SHA25692a11969793b832918bec3384ffadd4c626a7888d97454f4790529566d462022
SHA512672497fe32e4d05ab115211660c8456c3b6b89e61f17cfe4bdce573a428ab9cd8ce7c78a809c5c3a7d47e2e432bed58ab0e1ea11e6a3e94cb590aa3c9b4194ff
-
Filesize
324KB
MD5fc22fadc862dd0a5b07210a9255025b0
SHA1bd32c5e6fc87066973379fc7c36309987c961870
SHA25692a11969793b832918bec3384ffadd4c626a7888d97454f4790529566d462022
SHA512672497fe32e4d05ab115211660c8456c3b6b89e61f17cfe4bdce573a428ab9cd8ce7c78a809c5c3a7d47e2e432bed58ab0e1ea11e6a3e94cb590aa3c9b4194ff
-
Filesize
170KB
MD588d81ef2c5fd6d8cab7eb5dc58a599f7
SHA1fac7f3b2161a243326be0763d829bc1c98ced09c
SHA25664d2ad9da5974261c43b578308f0df16851c3061aa5dc46e69ef888244befaa1
SHA51209b193a1fcaad40e13c35473993d9b2e242e75eeb3596ea8648b8cbef74775562fb521461287379f6525a178798730e3e0d2293799180aa89d0c8ac833bbe7f6
-
Filesize
170KB
MD588d81ef2c5fd6d8cab7eb5dc58a599f7
SHA1fac7f3b2161a243326be0763d829bc1c98ced09c
SHA25664d2ad9da5974261c43b578308f0df16851c3061aa5dc46e69ef888244befaa1
SHA51209b193a1fcaad40e13c35473993d9b2e242e75eeb3596ea8648b8cbef74775562fb521461287379f6525a178798730e3e0d2293799180aa89d0c8ac833bbe7f6
-
Filesize
324KB
MD5fc22fadc862dd0a5b07210a9255025b0
SHA1bd32c5e6fc87066973379fc7c36309987c961870
SHA25692a11969793b832918bec3384ffadd4c626a7888d97454f4790529566d462022
SHA512672497fe32e4d05ab115211660c8456c3b6b89e61f17cfe4bdce573a428ab9cd8ce7c78a809c5c3a7d47e2e432bed58ab0e1ea11e6a3e94cb590aa3c9b4194ff
-
Filesize
1024KB
-
Filesize
712KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
712KB
-
Filesize
892KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
188KB
-
Filesize
3.0MB
-
Filesize
188KB
-
Filesize
588KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
8KB
-
Filesize
80KB
-
Filesize
188KB
-
Filesize
3.0MB
-
Filesize
188KB