Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-05-2024 07:40

General

  • Target

    Order4500318042.xls

  • Size

    229KB

  • MD5

    ef04a12bc8c36b451d4b9da3cd9d36d6

  • SHA1

    cf13b2aedb7a44209a7d8bbe4694150834fc50e0

  • SHA256

    c4266d2a1d05270a41a4959ab0143f13655790c4c9fc189088b46302a367567a

  • SHA512

    cc9901d0ef11be9a8e7d79fd7b5c744637afa376a50990259d303f2c0448f5fd18e8c8691daadc92a8c1203d820eaa86db45ca165f572be01ffd2df37dbb25fa

  • SSDEEP

    6144:6d4UcLe0JOqPQZR8MDdATCR3tSv0W83l0MUl73/aLKMml:9UP/qPQZR8MxAm/S8W83lObaLK

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ht3d

Decoy

derlon.net

46gem.vip

bridal-heart-boutique.com

porarquitectura.com

durkal.online

9916k.vip

nativegarden.net

hoodjac.com

coachwunder.com

jutuowangluo.com

frankmontagna.com

jalenx.com

yhxg.net

brasserie-bro.com

whitecoatprivilege.com

sigmadriving.com

inhkipcmacau.com

freediveexperience.com

52iwin.com

aaditt.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order4500318042.xls
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1908
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\html.exe"
        3⤵
        PID:2856
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
        PID:2420
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Users\Admin\AppData\Roaming\html.exe
          "C:\Users\Admin\AppData\Roaming\html.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2988
          • C:\Users\Admin\AppData\Roaming\html.exe
            "C:\Users\Admin\AppData\Roaming\html.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2540

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

        Filesize

        717B

        MD5

        822467b728b7a66b081c91795373789a

        SHA1

        d8f2f02e1eef62485a9feffd59ce837511749865

        SHA256

        af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

        SHA512

        bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

        Filesize

        299B

        MD5

        5ae8478af8dd6eec7ad4edf162dd3df1

        SHA1

        55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

        SHA256

        fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

        SHA512

        a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        1KB

        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

        Filesize

        192B

        MD5

        01393e3a5065febc53d08bf9f2f6d8bd

        SHA1

        16a598640c1229ffc376baf4d23af537af68d47a

        SHA256

        b3ce38100a47ef0bf745749bb96bbe442e7e5d04ad3858f0d37ebac3de5ab01c

        SHA512

        cf3c726d02b52277aabd52008385765830f42c80f5f6802b2613ed3f364bee949d8601c700f17da6a49447967b30991e2dfa7818fc4b29a368ece68e83fb39a6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

        Filesize

        192B

        MD5

        c33946a195628684ca42d8f21ad7e48d

        SHA1

        4a7a3a761bc68370a56c598f8114cfc4d36cdc82

        SHA256

        359e108184810e910511bd51ea6d0e9bbfad2d13358f86a6fe1b269c2c5a87a5

        SHA512

        75766dd5416edc91b797ddb1ef010f2cf41a59fe6674503bb7a54f399081ad30d852f400093672c81d3ab1e63c83ab3e261a6b95550cee07b19de469a0a52c60

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        432e5e1b0b0ff9830c353957cf043243

        SHA1

        19035214e95249f666154954ebda6df4863b47cb

        SHA256

        586357a014d3f4b4cab59b16bae6878cc8d2e7a1922e11a73cc7c9bdb0f4a6a0

        SHA512

        d1be53229cec31dfbf4696a33f9fad4dacfa0801abbc8ef2a07497326d480ab9cdb5f7938749e42a3a40c23b7a8b920929b839c96c809ce98e3379c2c1f9cb4f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        76e0de3ea725b6a55b3f5955dba56e4b

        SHA1

        d1b55c52afdfe15d0c11482692ed3d3a41596030

        SHA256

        6f1fa083ff081b039848c090883f7d909c83372e734c59251ba142de75adbb24

        SHA512

        311602e273ec6e80f6b774a80c679991f9a7739e9616e8e201d9d866046526396b735fc76a044a897dd1f0c2e1dfc13efbfaeafe15b331eb795066f2390343d3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        242B

        MD5

        2a05c01414bc71534b5946c428b383be

        SHA1

        2d80f028c873aea25c00c5223383a8b3006995a1

        SHA256

        8e50e74d018f4bb689588365e55175af742fd7447ee5890591f134d8391c3e3a

        SHA512

        e8e77e6a0b37b87f8b9416dfe3080a06b440ca4a5398c6203990a30a6a1f3ded10930e53c424d0c10fc047734d27f13e808de2b08da0d0e18cff15889fb566b8

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{37E9D860-2852-4C68-B67D-D974F4E1D82D}.FSD

        Filesize

        128KB

        MD5

        a3f726cf239a87baed925a0bcba0a35a

        SHA1

        c02b903214097dbcd0272e90fd853381b7a21856

        SHA256

        fa547f2d12ef25eb2286743c3a7345d6e752e64e1421e76795b9db50610a3fa2

        SHA512

        e376a58fde10cfd4f03e35643ed1b5f2fadda7fc4f12c566944f436bb11b9dd2b9d7eb99fb5814b91a686655dd9e8661deb956331d19be52d5e9b5aeec01eee3

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

        Filesize

        128KB

        MD5

        2098b30f165478f7083d8bd73f75c5f4

        SHA1

        def66b95072d3f7f28bfde58efac901f7f280212

        SHA256

        79ea74483501ab43cc268837443775da213cd709fb49e3dae9f779753d78c8c7

        SHA512

        36cfd00a665ebd9a490db552ce2e46269bda3be3c969efd3b1f9a9d1c25d2ece0bad28101bb543d7a6fa041c16f032ff7545ad706d837286be48d1b12a66c034

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

        Filesize

        128KB

        MD5

        fb29a9df04088ee3cf11d142b3c1c4d2

        SHA1

        5afda4c8458820b550180243d4b314b40d15e28c

        SHA256

        428e9cfaa1b94fcc9f52ce645c61617e5a9cb559e7302ec9cd8016a521e1de8d

        SHA512

        cbfff5897c20a6a057084355282fe315881b24922635f89db69fb6767cbcf16479c5dac4ab145b485343d81ae667996d3a611c19666160e74909f9227c7deb1a

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{3CDA3D5C-B43A-478F-9727-499E84230D46}.FSD

        Filesize

        128KB

        MD5

        ed210c74b005356bdd898e1232b0902e

        SHA1

        16c4b85773282a13d7a02994bc467303c60ba7b6

        SHA256

        20df3493023d7938cc40448c4a0a42713539514dd3e929b7b4bbd72c37309d75

        SHA512

        55f2a585a55d19dae089a2e4c810945eef4132998598e4b15ece973c984439fa0fb38080ec7d2d1df3f0e3607780471d251b31a0599e3fff801099b5288c7b65

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BEAUBQH5\dayisagooddaytoheargoodnewfromthegodwholovegodtrulyfromthehearttheyhearinggoodnews__godisgreatforentier[1].doc

        Filesize

        81KB

        MD5

        1aa76ce00f01882d5cd3d712b8052bc2

        SHA1

        b0cb1b9a8ada2812a013469ff5cf736b0f8da933

        SHA256

        9ae7ad0d29ba6a855eec28c8dca1b7b43063677139463dc54640d4232489d029

        SHA512

        ac7d9b0319aeab38a8bdea8c6094a4a73266d83ea4ee4974619bdc641197e58f1402089a9ab67a679df9920884214cfd5b69a4dcc9d8c3aa0d62165a67dcbdcb

      • C:\Users\Admin\AppData\Local\Temp\Tar16D1.tmp

        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      • C:\Users\Admin\AppData\Local\Temp\{24AA23B1-EA25-4DD9-88B7-7FBADEF6636D}

        Filesize

        128KB

        MD5

        064121ac7f1ced40bdc12ce8b3becb98

        SHA1

        92ad07a09b406ef0172c113fc8fc61e231666cdd

        SHA256

        0e81fac49148755898e00714ba8d4c489607a81a2d2978deb59460a71cf741bf

        SHA512

        c5790a122393f166669a50d41088c9f4d5b2ef0be3186d37039fe1f18926ec674ddfd061dc32e45d19e197359121d4b717f6adb328151d6bace523639478c21a

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EQ94T9H3.txt

        Filesize

        69B

        MD5

        eb4acdb99428f60a5ab235ba7f2dabb8

        SHA1

        2581b4882dd12e31f883e61f23effd934557f336

        SHA256

        6cecc67f413e145f82577b6b82a828202d880010ee1a10b3fb85b2978d9fe956

        SHA512

        46dfb190d3d0154620687dace7736c6701480c1a75b442ae0c37cbac233976f9afeb29d9627516d7a29876c0868c7ce3e2ad28653bf1a6fb8866f1cd42e95236

      • C:\Users\Admin\AppData\Roaming\html.exe

        Filesize

        658KB

        MD5

        cef1565654989742eaffa2cbc59947eb

        SHA1

        afef46a08dc6a2e1b3c8a9c6b58627677403f7b5

        SHA256

        f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9

        SHA512

        53b9b0cf0d8d1c815c269e1f152ee26cda3fe18e277341f753c2d98a134e32a1c4bc6691d99cee68942e497014785087a20b2563005fd7ce4aaac9511ccfcf97

      • memory/1260-270-0x0000000000310000-0x0000000000410000-memory.dmp

        Filesize

        1024KB

      • memory/1260-277-0x00000000075A0000-0x0000000007702000-memory.dmp

        Filesize

        1.4MB

      • memory/1908-115-0x00000000024F0000-0x00000000024F2000-memory.dmp

        Filesize

        8KB

      • memory/1908-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/1908-1-0x0000000071D4D000-0x0000000071D58000-memory.dmp

        Filesize

        44KB

      • memory/1908-271-0x0000000071D4D000-0x0000000071D58000-memory.dmp

        Filesize

        44KB

      • memory/2540-267-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

      • memory/2540-264-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

      • memory/2540-266-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2540-263-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

      • memory/2668-273-0x00000000000C0000-0x00000000000EF000-memory.dmp

        Filesize

        188KB

      • memory/2668-272-0x00000000004F0000-0x00000000004F7000-memory.dmp

        Filesize

        28KB

      • memory/2820-110-0x000000002FEA1000-0x000000002FEA2000-memory.dmp

        Filesize

        4KB

      • memory/2820-114-0x0000000003610000-0x0000000003612000-memory.dmp

        Filesize

        8KB

      • memory/2820-274-0x0000000071D4D000-0x0000000071D58000-memory.dmp

        Filesize

        44KB

      • memory/2820-112-0x0000000071D4D000-0x0000000071D58000-memory.dmp

        Filesize

        44KB

      • memory/2988-261-0x0000000004770000-0x00000000047E6000-memory.dmp

        Filesize

        472KB

      • memory/2988-260-0x0000000000470000-0x0000000000486000-memory.dmp

        Filesize

        88KB

      • memory/2988-259-0x0000000000420000-0x000000000042E000-memory.dmp

        Filesize

        56KB

      • memory/2988-258-0x00000000003F0000-0x000000000040C000-memory.dmp

        Filesize

        112KB

      • memory/2988-256-0x0000000001260000-0x000000000130A000-memory.dmp

        Filesize

        680KB