Overview

overview

10

Static

static

1

apl.rtf

windows7-x64

10

apl.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    300s
  • max time network
    289s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2024 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    apl.rtf

  • Size

    202KB

  • MD5

    96699d7c92183547a08b317df6f39695

  • SHA1

    bdb797743b66daaa681041ef258ea964b834442a

  • SHA256

    2bea70091eb6858272f4fb047c47b8accb79886682cc744f2455561923a72ca6

  • SHA512

    27884bb6b04eabaf9faaff4fc5876f464ab3f75ba8a009453ddcfaffd041a663324188b63f57a970740f4bfd5975cefd2563bbcbdfe2be2db8919ca044124388

  • SSDEEP

    6144:QuZpe2ClhlgNs8joPzbqKTcWkepI77WqCh:Qf

Score
10/10
formbookbtrddiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

btrd

Decoy

everslane.com

prairieviewelectric.online

dszvhgd.com

papamuch.com

8129k.vip

jeffreestar.gold

bestguestrentals.com

nvzhuang1.net

anangtoto.com

yxfgor.top

practicalpoppers.com

thebestanglephotography.online

koormm.top

criika.net

audioflow.online

380747.net

jiuguanwang.net

bloxequities.com

v321c.com

sugar.monster

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 2 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\apl.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2932
      • C:\Windows\SysWOW64\systray.exe
        "C:\Windows\SysWOW64\systray.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Roaming\odsxbin20309.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:796
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Users\Admin\AppData\Roaming\odsxbin20309.exe
        "C:\Users\Admin\AppData\Roaming\odsxbin20309.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\odsxbin20309.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2692
        • C:\Users\Admin\AppData\Roaming\odsxbin20309.exe
          "C:\Users\Admin\AppData\Roaming\odsxbin20309.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2724
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      PID:2616

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Roaming\odsxbin20309.exe
      Filesize

      651KB

      MD5

      5670fc04099860bc61fbca6c054d7ffd

      SHA1

      b35b270f85846d39c3eaafcf445ea0e7f25112a0

      SHA256

      7eeedd91e430f1e9c8545e40ca7eb073e4d76104f907734f92aa4110e3ef2b9f

      SHA512

      d07055e70a7f126c718b16aac950cbf0a09289acb5288492250b50d95a4dc91759ff8f63ab03174d20210651e85ea4d3675ff2599838a3c264cf06d779729023

      Download Submit

    • memory/1188-38-0x0000000004070000-0x0000000004131000-memory.dmp

      Filesize

      772KB

      Download

    • memory/1188-32-0x0000000000010000-0x0000000000020000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1328-0-0x000000002F251000-0x000000002F252000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1328-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1328-2-0x000000007118D000-0x0000000071198000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1328-20-0x000000007118D000-0x0000000071198000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2724-27-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2724-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2724-24-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2724-22-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2812-21-0x0000000000570000-0x00000000005E6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2812-15-0x0000000000660000-0x000000000067E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2812-14-0x0000000000AB0000-0x0000000000B5A000-memory.dmp

      Filesize

      680KB

      Download

    • memory/2968-34-0x0000000000630000-0x0000000000635000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2968-35-0x0000000000080000-0x00000000000AF000-memory.dmp

      Filesize

      188KB

      Download