Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-10-2024 13:05

General

  • Target

    2.rtf

  • Size

    202KB

  • MD5

    96699d7c92183547a08b317df6f39695

  • SHA1

    bdb797743b66daaa681041ef258ea964b834442a

  • SHA256

    2bea70091eb6858272f4fb047c47b8accb79886682cc744f2455561923a72ca6

  • SHA512

    27884bb6b04eabaf9faaff4fc5876f464ab3f75ba8a009453ddcfaffd041a663324188b63f57a970740f4bfd5975cefd2563bbcbdfe2be2db8919ca044124388

  • SSDEEP

    6144:QuZpe2ClhlgNs8joPzbqKTcWkepI77WqCh:Qf

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

btrd

Decoy

Signatures

  • Formbook

    Formbook is a data-stealing (information stealer) malware family.

  • Formbook payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1252
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2096
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      PID:1952
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Roaming\odsxbin20309.exe
      "C:\Users\Admin\AppData\Roaming\odsxbin20309.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\odsxbin20309.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2032
      • C:\Users\Admin\AppData\Roaming\odsxbin20309.exe
        "C:\Users\Admin\AppData\Roaming\odsxbin20309.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\SysWOW64\cmmon32.exe
          "C:\Windows\SysWOW64\cmmon32.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1012
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Roaming\odsxbin20309.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2988

Downloads

  • C:\Users\Admin\AppData\Roaming\odsxbin20309.exe
    Filesize
    651KB
    MD5
    5670fc04099860bc61fbca6c054d7ffd
    SHA1
    b35b270f85846d39c3eaafcf445ea0e7f25112a0
    SHA256
    7eeedd91e430f1e9c8545e40ca7eb073e4d76104f907734f92aa4110e3ef2b9f
    SHA512
    d07055e70a7f126c718b16aac950cbf0a09289acb5288492250b50d95a4dc91759ff8f63ab03174d20210651e85ea4d3675ff2599838a3c264cf06d779729023
  • memory/1012-32-0x0000000000080000-0x00000000000AF000-memory.dmp
    Filesize
    188KB
  • memory/1012-31-0x0000000000640000-0x000000000064D000-memory.dmp
    Filesize
    52KB
  • memory/1252-28-0x0000000000340000-0x0000000000440000-memory.dmp
    Filesize
    1024KB
  • memory/1252-30-0x0000000006B90000-0x0000000006CAC000-memory.dmp
    Filesize
    1.1MB
  • memory/1364-2-0x0000000073D6D000-0x0000000073D78000-memory.dmp
    Filesize
    44KB
  • memory/1364-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/1364-16-0x0000000073D6D000-0x0000000073D78000-memory.dmp
    Filesize
    44KB
  • memory/1364-0-0x000000002F1C1000-0x000000002F1C2000-memory.dmp
    Filesize
    4KB
  • memory/2116-18-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize
    188KB
  • memory/2116-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB
  • memory/2116-20-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize
    188KB
  • memory/2116-23-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize
    188KB
  • memory/2116-29-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize
    188KB
  • memory/2732-17-0x00000000059F0000-0x0000000005A66000-memory.dmp
    Filesize
    472KB
  • memory/2732-15-0x0000000000470000-0x000000000048E000-memory.dmp
    Filesize
    120KB
  • memory/2732-14-0x0000000001000000-0x00000000010AA000-memory.dmp
    Filesize
    680KB