Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/10/2023, 16:31

General

  • Target

    NEAS.1f30b513d1315b7a9432f9cf2937d5c4728455fbd7c681a552b94f57a849757cxls_JC.xls

  • Size

    1.5MB

  • MD5

    71368866925c23e35d340705fae95002

  • SHA1

    8b2e76a61f33f053eb4fc2f2bc3600917e7d1d09

  • SHA256

    1f30b513d1315b7a9432f9cf2937d5c4728455fbd7c681a552b94f57a849757c

  • SHA512

    6bddbc8a6824bf2d7137042b762da78d8c02e6756f488003a8d142cc7b111720710f4f31034e8d9c1dca33847ac822a9ed81d2e97f647d0708ddb5db271461f6

  • SSDEEP

    24576:cWQmmav30xrmZy3w6VA3bVNRFZyVw6VC3bVG4nvsLtbtecTQ5WWkK3q/0wkex:xQmmQ309wP6VA3bVDN6VC3bV25tBTTKg

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\NEAS.1f30b513d1315b7a9432f9cf2937d5c4728455fbd7c681a552b94f57a849757cxls_JC.xls
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3024
    • C:\Windows\SysWOW64\wininit.exe
      "C:\Windows\SysWOW64\wininit.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
        3⤵
        PID:1720
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Users\Admin\AppData\Roaming\audiodgse.exe
        "C:\Users\Admin\AppData\Roaming\audiodgse.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
          "C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
            "C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2644

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\55C1D863.emf

            Filesize

            1.4MB

            MD5

            a01b9617553432807b9b58025b338d97

            SHA1

            439bdcc450408b9735b2428c2d53d2e6977fa58c

            SHA256

            7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce

            SHA512

            312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

          • C:\Users\Admin\AppData\Local\Temp\iomgmdsgtbq.p

            Filesize

            205KB

            MD5

            60d116c175aabe2c06bdd949a101127c

            SHA1

            63bb316383b4706d43f7882ee545031c4cac2505

            SHA256

            ee52d5afe32c612681d16c9bfee4cdb923ee5e54b84196b7b5ecc0aa4ad1df76

            SHA512

            d90f9148243101db90de1945854a9dd1e6aa6fd59ff0ccb1ff0053f7f91b8b40176a7d5401e63a5600474bfc8749733ff55cc76fa2094a697eb14726241a2fe9

          • C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe

            Filesize

            361KB

            MD5

            9e519a78d2ee0e4fa641187866bc9703

            SHA1

            549dc42c936b4bc2612c20c668f94b37bb5163cc

            SHA256

            c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26

            SHA512

            a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c

          • C:\Users\Admin\AppData\Roaming\audiodgse.exe

            Filesize

            426KB

            MD5

            df247bbfaf91dbe0da4d79a04cfb5ca3

            SHA1

            0d29cbfa4b746e71c680bbd56a6c51964fd9b1fa

            SHA256

            354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579

            SHA512

            ea413b9f389b9bb2bd8eaca5c3917a656840df5d48c5fb5478d9b453412fe941229cae535df587a66996acb9b96a4c692491ebe65a106d35eb0b757d6412286b

          • \Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe

            Filesize

            361KB

            MD5

            9e519a78d2ee0e4fa641187866bc9703

            SHA1

            549dc42c936b4bc2612c20c668f94b37bb5163cc

            SHA256

            c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26

            SHA512

            a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c

          • \Users\Admin\AppData\Roaming\audiodgse.exe

            Filesize

            426KB

            MD5

            df247bbfaf91dbe0da4d79a04cfb5ca3

            SHA1

            0d29cbfa4b746e71c680bbd56a6c51964fd9b1fa

            SHA256

            354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579

            SHA512

            ea413b9f389b9bb2bd8eaca5c3917a656840df5d48c5fb5478d9b453412fe941229cae535df587a66996acb9b96a4c692491ebe65a106d35eb0b757d6412286b

          • memory/868-48-0x0000000001D30000-0x0000000001DC3000-memory.dmp

            Filesize

            588KB

          • memory/868-45-0x0000000000080000-0x00000000000AF000-memory.dmp

            Filesize

            188KB

          • memory/868-40-0x00000000001B0000-0x00000000001CA000-memory.dmp

            Filesize

            104KB

          • memory/868-44-0x0000000001E50000-0x0000000002153000-memory.dmp

            Filesize

            3.0MB

          • memory/868-43-0x0000000000080000-0x00000000000AF000-memory.dmp

            Filesize

            188KB

          • memory/868-42-0x00000000001B0000-0x00000000001CA000-memory.dmp

            Filesize

            104KB

          • memory/1300-36-0x0000000000230000-0x0000000000330000-memory.dmp

            Filesize

            1024KB

          • memory/1300-37-0x0000000006CB0000-0x0000000006D9E000-memory.dmp

            Filesize

            952KB

          • memory/1300-53-0x0000000007020000-0x00000000070D0000-memory.dmp

            Filesize

            704KB

          • memory/1300-52-0x0000000007020000-0x00000000070D0000-memory.dmp

            Filesize

            704KB

          • memory/1300-50-0x0000000007020000-0x00000000070D0000-memory.dmp

            Filesize

            704KB

          • memory/1300-46-0x0000000006CB0000-0x0000000006D9E000-memory.dmp

            Filesize

            952KB

          • memory/2628-26-0x00000000002D0000-0x00000000002D2000-memory.dmp

            Filesize

            8KB

          • memory/2644-30-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

          • memory/2644-32-0x0000000000700000-0x0000000000A03000-memory.dmp

            Filesize

            3.0MB

          • memory/2644-34-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

          • memory/2644-35-0x0000000000480000-0x0000000000494000-memory.dmp

            Filesize

            80KB

          • memory/3024-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/3024-38-0x000000007251D000-0x0000000072528000-memory.dmp

            Filesize

            44KB

          • memory/3024-1-0x000000007251D000-0x0000000072528000-memory.dmp

            Filesize

            44KB

          • memory/3024-67-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/3024-84-0x000000007251D000-0x0000000072528000-memory.dmp

            Filesize

            44KB