Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/10/2023, 10:26

General

  • Target

    Quotation_Oct23.rtf

  • Size

    83KB

  • MD5

    4aa6ea3405f9bd2c4d2009e262c2d46c

  • SHA1

    f43269a6c58648f43ca489f55b9e4f05e198d6cc

  • SHA256

    976314b7a78022730e95f94ec9bde2c2336be574eccdc364ac26757fc7c1e267

  • SHA512

    a30ce23cfa9364f7a447a90f6a1fcb5e285df373aa717afcdf650e02acd0344714bd4774d10f3b8b304627c98a6f9dd770610020393118904e0dea8f81cffbce

  • SSDEEP

    768:RwAbZSibMX9gRWjSdFm1pgWxNvwJ7vyWE:RwAlRK/gWxNq7va

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    o5gu
  • Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials and other data from the infected host.

  • Formbook payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quotation_Oct23.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2020
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\AppData\Roaming\owen49674.exe
      "C:\Users\Admin\AppData\Roaming\owen49674.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Users\Admin\AppData\Roaming\owen49674.exe
        "C:\Users\Admin\AppData\Roaming\owen49674.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 36
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1052

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 871bdeeaa0e0ca01ea7e83fc44c3d866
    SHA1: e4695954d144a468916910f756633ce67f06be70
    SHA256: cbc77d4628643555977db145b581ff9ef2926d181926b4c61ca8b15e46277e41
    SHA512: cdda68f2cd5d024657b4bafd1380e8e016bc0d56ff54b891b42231b6a52adcee2b967390a4d71f8e6ed996af56cc14b3c89f1d4344dc16d836fcba62260a2b3b

  • C:\Users\Admin\AppData\Roaming\owen49674.exe
    Filesize: 656KB
    MD5: fe3629f841657d1ae164d8350eef1009
    SHA1: a9026e2e80aaa7393a7e4dd2a39acc64d19ead0a
    SHA256: 2fd50e5697f2d8aa6f9bea9d946b1fbf6145aedd6cca90ee4032cbbae229e934
    SHA512: b5f85e540c21bfbd363be902a4c9cf4662181534d855b497bfd9d1af1671d0f0f981661e1e71fa93c7177071048affc69ae86f16fe45fbdbc0fbc13a4f0cc738

  • memory/1748-35-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/1748-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize: 4KB
  • memory/1748-32-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/1748-30-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/2112-0-0x000000002FA51000-0x000000002FA52000-memory.dmp
    Filesize: 4KB
  • memory/2112-24-0x00000000710CD000-0x00000000710D8000-memory.dmp
    Filesize: 44KB
  • memory/2112-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/2112-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/2112-63-0x00000000710CD000-0x00000000710D8000-memory.dmp
    Filesize: 44KB
  • memory/2112-2-0x00000000710CD000-0x00000000710D8000-memory.dmp
    Filesize: 44KB
  • memory/2776-16-0x000000006AB50000-0x000000006B23E000-memory.dmp
    Filesize: 6.9MB
  • memory/2776-43-0x000000006AB50000-0x000000006B23E000-memory.dmp
    Filesize: 6.9MB
  • memory/2776-29-0x000000000A5C0000-0x000000000A62E000-memory.dmp
    Filesize: 440KB
  • memory/2776-28-0x0000000000380000-0x0000000000390000-memory.dmp
    Filesize: 64KB
  • memory/2776-26-0x0000000004D40000-0x0000000004D80000-memory.dmp
    Filesize: 256KB
  • memory/2776-25-0x000000006AB50000-0x000000006B23E000-memory.dmp
    Filesize: 6.9MB
  • memory/2776-23-0x0000000000350000-0x000000000035C000-memory.dmp
    Filesize: 48KB
  • memory/2776-22-0x00000000003D0000-0x00000000003EC000-memory.dmp
    Filesize: 112KB
  • memory/2776-21-0x0000000004D40000-0x0000000004D80000-memory.dmp
    Filesize: 256KB
  • memory/2776-15-0x00000000012B0000-0x000000000135A000-memory.dmp
    Filesize: 680KB