Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    17-07-2024 09:25

General

  • Target

    nell.rtf

  • Size

    513KB

  • MD5

    fb3027e4c7adc0370181f6f73c6dff33

  • SHA1

    9ded925615bd1ef1c5dd88febdd10b1bb29b83df

  • SHA256

    da7597eed278b6ebb330685e1caea6c1bc6ad9b2abff9afa05633f4cb5f7a123

  • SHA512

    70325e60251e76ef02a505d77fd2f01fbe1a67796dd2187a24533200dbdf80d4b5e352b0dc87a7c714f78edc776bac10f8625d66126e261bf69cf5eb0d8bdad4

  • SSDEEP

    6144:W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W626:ZP

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

btrd

Decoy

everslane.com

prairieviewelectric.online

dszvhgd.com

papamuch.com

8129k.vip

jeffreestar.gold

bestguestrentals.com

nvzhuang1.net

anangtoto.com

yxfgor.top

practicalpoppers.com

thebestanglephotography.online

koormm.top

criika.net

audioflow.online

380747.net

jiuguanwang.net

bloxequities.com

v321c.com

sugar.monster

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\nell.rtf"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1800
      • C:\Windows\SysWOW64\wuapp.exe
        "C:\Windows\SysWOW64\wuapp.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Roaming\nell56789.scr"
          3⤵
            PID:664
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Users\Admin\AppData\Roaming\nell56789.scr
          "C:\Users\Admin\AppData\Roaming\nell56789.scr"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Users\Admin\AppData\Roaming\nell56789.scr
            "C:\Users\Admin\AppData\Roaming\nell56789.scr"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2780

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        19KB

        MD5

        65b9f865f97308a723b5b221d40e6831

        SHA1

        792e4a3e61943e82803d68fd61035c568558f518

        SHA256

        800c69a78c1a6c26cb0b29dbe8a41dfe1a2269051cb61c0e321413cc7294e4b8

        SHA512

        ec2cd4831eced173481f8d40d16489ea187123b08c7e5dc801526abd0156ae1d22630987ed96cb995a0f9eb7f62286566263b29c18c4cada3c155250d33a1cdf

      • \Users\Admin\AppData\Roaming\nell56789.scr

        Filesize

        617KB

        MD5

        bbb12cd2696ac986ad79c0116da987f4

        SHA1

        802f65e20825ee6b2b5074e6084bc284241278d8

        SHA256

        d8e6a83561b9d8dbe84de21795763589d2626904ac6406ddfe2dc2342c4edb8e

        SHA512

        318e885d898a42b2751d387ba48b6fb359d3665d18637de48f35a53ea525bccbd1d9175a1f0429051d0a714ee887900ad3577db36d31d65f89ba7fb185484911

      • memory/1200-38-0x00000000000F0000-0x00000000001F0000-memory.dmp

        Filesize

        1024KB

      • memory/1200-50-0x0000000004E00000-0x0000000004EA5000-memory.dmp

        Filesize

        660KB

      • memory/1320-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/1320-2-0x000000007177D000-0x0000000071788000-memory.dmp

        Filesize

        44KB

      • memory/1320-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/1320-47-0x000000007177D000-0x0000000071788000-memory.dmp

        Filesize

        44KB

      • memory/1320-0-0x000000002F5E1000-0x000000002F5E2000-memory.dmp

        Filesize

        4KB

      • memory/2632-44-0x0000000000090000-0x00000000000BF000-memory.dmp

        Filesize

        188KB

      • memory/2632-43-0x0000000000FA0000-0x0000000000FAB000-memory.dmp

        Filesize

        44KB

      • memory/2780-32-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

      • memory/2780-35-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

      • memory/2780-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2780-30-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

      • memory/2844-29-0x0000000000380000-0x0000000000388000-memory.dmp

        Filesize

        32KB

      • memory/2844-28-0x0000000000550000-0x00000000005B2000-memory.dmp

        Filesize

        392KB

      • memory/2844-27-0x0000000000BA0000-0x0000000000C40000-memory.dmp

        Filesize

        640KB