Analysis
max time kernel: 148s
max time network: 136s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2024 10:23

Static task: static1
Behavioral task: behavioral1
  Sample: PurchaseOrder-ProjectNo-8879_ECOFIX.docx
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: PurchaseOrder-ProjectNo-8879_ECOFIX.docx
  Resource: win10v2004-20241007-en
General
Target: PurchaseOrder-ProjectNo-8879_ECOFIX.docx
Size: 179KB
MD5: 4b4dd7f09a3f3435dd6ad0c3e0ebdec5
SHA1: d4c5dfc8f8e01aed7fbba3ae7c3bce2169a779b1
SHA256: c7fbb69621184bcde9042d22bf4e52b973ef7b5187b6446b362c32640469740c
SHA512: 8e6a7f1e422e71a842052d23b2d2c5808fa0aeebd8a4861704fc471e5987e9e4241b8436324ba1c919b910f991f141f8cb28b80bde5ae783b412cbfb32b6ba53
SSDEEP: 3072:UiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUkGZZ:e5r/g+qZMpcFSQzYHut4dZ+Z
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: btrd
C2 domains (as extracted from the configuration). A Formbook configuration carries a list of domains of which only one is the live C2 at any given time; the bot contacts the others as decoys. Use the whole list for hunting and blocking, but do not treat every entry as attacker-controlled infrastructure.
toulouse.gold
launchyouglobal.com
margarita-services.com
dasnail.club
casa-hilo.com
hardscapesofflorida.com
thepositivitypulse.com
kkmyanev.cfd
love6ace22.top
castorcruise.com
chch6.com
h59f07jy.cfd
saatvikteerthyatra.com
fxsecuretrading-option.com
mostbet-k1o.click
36-m.beauty
ko-or-a-news.com
eurekatextile.com
gynlkj.com
deepsouthcraftsman.com
bougiebossbabe.com
202402.xyz
thecareskin.com
zimmerli.online
bathroomconnectsupreme.com
opmk.monster
docemimocasamentos.com
mywayinist.com
healthyters.com
mozartchamberorchestra.sydney
wewillrock.club
education2jobs.com
everlastdisposal.com
valentinascrochet.com
stewartvaluation.net
blackphoenix01.xyz
omnikart.shop
jejeesclothing.com
allurepet.site
futureofaustin.com
sillylittlestory.com
inthewoodsdesigns.com
freshtraining.store
illuminati4me.com
jewishlakecounty.com
devadecoration.com
nashexshop.com
martline.website
affirmationtotebags.com
golifestyles.com
telegood.info
trygenesisx.com
bestwhitetee.com
delicatemayhem.com
redyardcom.com
solarcyborg.com
emotieloos.com
fanatics-international.com
ballonsmagiques.com
projektincognito.com
fcno30.com
horizonoutdoorservices.com
couturewrap.com
mbbwa4wp.cfd
lifeofthobes.uk
Signatures

Formbook family

Formbook payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/2216-110-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/2356-116-0x00000000000D0000-0x00000000000FF000-memory.dmp   formbook

Blocklisted process makes network request (1 IoCs)
  flow  pid  Process
  8     556  EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes.

Downloads MZ/PE file

Abuses OpenXML format to download file from external location
Executes dropped EXE (2 IoCs)
  pid   Process
  2988  ihbgfbin.exe
  2216  ihbgfbin.exe

Loads dropped DLL (1 IoCs)
  pid  Process
  556  EQNEDT32.EXE

Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                                      Process
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  (This is the Windows PowerShell shortcut that powershell.exe touches when it starts, with the unexpanded %ProgramData% resolved relative to the SysWOW64 working directory; it is signature noise from the PowerShell launch, not a payload being dropped.)

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid   Process       procid_target
  PID 2988 set thread context of 2216   2988  ihbgfbin.exe  36
  PID 2216 set thread context of 1160   2216  ihbgfbin.exe  21
  PID 2356 set thread context of 1160   2356  raserver.exe  21
  (procid_target is the report's own process index, not a Windows PID: 36 is PID 2216 and 21 is PID 1160, Explorer.EXE, matching the WriteProcessMemory table.)

Drops file in Windows directory (1 IoCs)
  description                   ioc                                Process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EQNEDT32.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ihbgfbin.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  raserver.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor (EQNEDT32.EXE) is an old Office component often targeted by exploits such as CVE-2017-11882. The signature records only that the component was launched; this report does not identify which Equation Editor bug the fetched document uses, so confirm that from the .doc Word downloaded before attributing a specific CVE.
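The two stages flagged above (a .docx whose OpenXML relationships point at an external location, and an Equation Editor object in what gets fetched) can be checked statically before anything is detonated. The following is an added example, not code from the sandbox or from this report: the .docx and RTF it builds are constructed stand-ins (the report shows neither the real template URL nor the content of the downloaded .doc, so the URL `http://example.invalid/remote.dotm` and the RTF body are placeholders), and the checking functions are the reusable part.

```python
"""Static triage for remote-template .docx files and Equation Editor OLE objects.
Added example; the sample documents built here are constructed, not the ones
from the report."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# CLSID {0002CE02-0000-0000-C000-000000000046} of Equation.3 (EQNEDT32.EXE),
# in the little-endian byte order used inside OLE streams.
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")


def external_relationships(docx_bytes):
    """Return (rels part, relationship type, target) for every relationship
    with TargetMode="External". An attachedTemplate or oleObject that points
    at a URL makes Word fetch it on open; hyperlink relationships are also
    external but only fire on a click, so filter by type when alerting."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rtype, rel.get("Target", "")))
    return hits


def suspicious_parts(docx_bytes):
    """Zip entries carrying VBA or embedded OLE objects, the things behind
    'Office loads VBA resources, possible macro or embedded object present'."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return [n for n in z.namelist()
                if n.endswith("vbaProject.bin") or "/embeddings/" in n]


def rtf_equation_objects(rtf_bytes):
    """Find embedded objects in an RTF body that target Equation Editor, by the
    declared \\objclass or by the class name / CLSID inside the hex-encoded
    \\objdata OLE stream (the class name is what matters; the \\objclass
    control word is optional and attackers omit or mangle it)."""
    text = rtf_bytes.decode("latin-1")
    found = [("objclass", m.group(1))
             for m in re.finditer(r"\\objclass\s*([\w.]+)", text)
             if m.group(1).lower().startswith("equation")]
    for m in re.finditer(r"\\objdata\s*([0-9A-Fa-f\s]+)", text):
        hexdata = re.sub(r"\s", "", m.group(1))
        blob = bytes.fromhex(hexdata[: len(hexdata) & ~1])  # drop a dangling nibble
        if EQUATION_CLSID_LE in blob or b"Equation" in blob:
            found.append(("objdata", "Equation Editor OLE stream"))
    return found


def build_sample_docx(template_url="http://example.invalid/remote.dotm"):
    """Constructed .docx whose settings.xml attaches a template from a URL.
    The URL is a hypothetical placeholder, not the one used by this sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", '<settings><attachedTemplate id="rId1"/></settings>')
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{REL_NS}">'
                   f'<Relationship Id="rId1" Target="{template_url}" TargetMode="External" '
                   'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"/>'
                   '</Relationships>')
    return buf.getvalue()


# Constructed RTF fragment: one embedded object declaring Equation.3 whose
# OLE1 header carries the class name "Equation.3" as hex-encoded ASCII.
SAMPLE_RTF = (rb"{\rtf1{\object\objemb{\*\objclass Equation.3}"
              rb"{\*\objdata 01050000020000000b000000457175617469 6f6e2e3300 00000000}}}")


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        if data[:4] == b"PK\x03\x04":   # OOXML package
            print(path, external_relationships(data), suspicious_parts(data))
        else:                           # treat anything else as RTF/.doc text
            print(path, rtf_equation_objects(data))
```

Run it against the original .docx and against the cached `4q0pGnqqpgTTSL7[1].doc` from the Downloads section to see which part of the chain each file carries; the \objdata check is the one worth keeping, since the \objclass keyword is routinely stripped from weaponised RTFs.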
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  2196  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (30 IoCs; identical rows collapsed with a count)
  pid   Process         count
  2988  ihbgfbin.exe    2
  2216  ihbgfbin.exe    2
  2160  powershell.exe  1
  2356  raserver.exe    25

Suspicious behavior: MapViewOfSection (5 IoCs; identical rows collapsed with a count)
  pid   Process       count
  2216  ihbgfbin.exe  3
  2356  raserver.exe  2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2988  ihbgfbin.exe
  Token: SeDebugPrivilege  2216  ihbgfbin.exe
  Token: SeDebugPrivilege  2160  powershell.exe
  Token: SeDebugPrivilege  2356  raserver.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process      count
  2196  WINWORD.EXE  2

Suspicious use of WriteProcessMemory (27 IoCs; identical rows collapsed with a count)
  description                          pid   Process       procid_target  count
  PID 556 wrote to memory of 2988      556   EQNEDT32.EXE  32             4
  PID 2196 wrote to memory of 1044     2196  WINWORD.EXE   34             4
  PID 2988 wrote to memory of 2160     2988  ihbgfbin.exe  35             4
  PID 2988 wrote to memory of 2216     2988  ihbgfbin.exe  36             7
  PID 1160 wrote to memory of 2356     1160  Explorer.EXE  38             4
  PID 2356 wrote to memory of 1244     2356  raserver.exe  39             4
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1160
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PurchaseOrder-ProjectNo-8879_ECOFIX.docx"
    PID: 2196
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 1044

  C:\Windows\SysWOW64\raserver.exe
    Command line: "C:\Windows\SysWOW64\raserver.exe"
    PID: 2356
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"
      PID: 1244
      - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 556
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\ihbgfbin.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"
    PID: 2988
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"
      PID: 2160
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      (The command line names the System32 path but the image that ran is under SysWOW64: the 32-bit dropper's launch went through WOW64 file-system redirection, so the Defender exclusion was added from 32-bit PowerShell. Match on the image path, not the command line, when writing detections.)

    C:\Users\Admin\AppData\Roaming\ihbgfbin.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"
      PID: 2216
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

Read together with the SetThreadContext and WriteProcessMemory tables, the tree is one chain with a deliberate break in it: EQNEDT32.EXE (PID 556) writes and starts the dropped ihbgfbin.exe (2988); that process adds the Defender exclusion via PowerShell (2160), starts a second copy of itself (2216) and rewrites its thread context; 2216 in turn writes into and sets the thread context of Explorer.EXE (1160); Explorer then starts raserver.exe (2356), whose memory carries the Formbook YARA hit and which deletes the dropper through cmd.exe (1244). Because the payload reaches raserver.exe through Explorer, the raserver.exe branch sits under Explorer.EXE rather than under the Equation Editor chain, and parent-child lineage alone will not tie it back to the document.
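The behaviours in this tree map onto a handful of process-creation rules. The block below is an added example, not part of the sandbox report: `EVENTS` is a constructed list of Sysmon Event ID 1-style records that mirrors the PIDs, images and command lines shown above (the parent of EQNEDT32.EXE is not shown in the tree, so its ppid is recorded as 0), and the rules are run over it. It also shows, via `lineage()`, why the raserver.exe branch cannot be tied to the document by parent-child links alone.

```python
"""Process-creation detections for the Formbook delivery chain in this report.
Added example; EVENTS is constructed from the report's process tree."""
import re

# Constructed sample events (Sysmon Event ID 1 fields), reconstructed from the tree.
EVENTS = [
    {"pid": 1160, "ppid": 0,    "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2196, "ppid": 1160, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PurchaseOrder-ProjectNo-8879_ECOFIX.docx"'},
    {"pid": 1044, "ppid": 2196, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 556,  "ppid": 0,    "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 2988, "ppid": 556,  "image": r"C:\Users\Admin\AppData\Roaming\ihbgfbin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"'},
    {"pid": 2160, "ppid": 2988, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"'},
    {"pid": 2216, "ppid": 2988, "image": r"C:\Users\Admin\AppData\Roaming\ihbgfbin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"'},
    {"pid": 2356, "ppid": 1160, "image": r"C:\Windows\SysWOW64\raserver.exe",
     "cmdline": r'"C:\Windows\SysWOW64\raserver.exe"'},
    {"pid": 1244, "ppid": 2356, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"'},
]

DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
SELF_DELETE = re.compile(r"\bdel\b.*\\AppData\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path (works off Windows too)."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule, pid) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        # Equation Editor is a COM server rendering formulas; it never has a
        # legitimate reason to create a child process.
        if pimg == "eqnedt32.exe":
            hits.append(("equation_editor_spawned_child", e["pid"]))
        # Defence evasion: carving the dropper out of Defender scanning.
        # Match on the image name, not the path: this one ran from SysWOW64.
        if img == "powershell.exe" and DEFENDER_EXCLUSION.search(e["cmdline"]):
            hits.append(("defender_exclusion_added", e["pid"]))
        # Explorer starting a SysWOW64 binary with no arguments at all is the
        # residue of a 32-bit implant injecting into explorer.exe and making it
        # launch a host process (raserver.exe here). Heuristic; tune per estate.
        bare = e["cmdline"].strip().strip('"').lower() == e["image"].lower()
        if pimg == "explorer.exe" and "\\syswow64\\" in e["image"].lower() and bare:
            hits.append(("explorer_spawned_bare_syswow64_binary", e["pid"]))
        # Dropper self-deletion out of a user-writable directory.
        if img == "cmd.exe" and SELF_DELETE.search(e["cmdline"]):
            hits.append(("self_delete_via_cmd", e["pid"]))
    return hits


def lineage(events, pid):
    """Ancestor chain by recorded parent PID, nearest first. Thread-context
    injection into Explorer (1160) leaves no creation link between ihbgfbin.exe
    (2216) and raserver.exe (2356), so 2356's chain stops at Explorer."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:40s} pid={pid} lineage={lineage(EVENTS, pid)}")
```

The first two rules are high-confidence on their own; the Explorer rule is there to recover the injected branch that `lineage()` shows is otherwise orphaned, and in a real estate it needs the same correlation the sandbox gives you here (a SetThreadContext or CreateRemoteThread event from a process in the Equation Editor chain targeting explorer.exe) before it is worth paging anyone on.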
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{977BB0D4-982D-4BFA-BDA0-7142CF038A88}.FSD
  Filesize: 128KB
  MD5: 00179d7484cb5c5b6b74bcb8231c4a6b
  SHA1: f45ae7dbbac98e98ed4c373d3ee90a3f4caa3071
  SHA256: 8ec72acfd7aa472b4c6161be335224cb4fc4c7a53f82d1a2534bafca10c057c8
  SHA512: 0ed54c8ea7872d081e6685826668eebdaf4853e2fd2c475fc28f66acea0c826548a0557b0d594752764b7159b01c92a05a90626e286749fd9c8a8f8a9ddeb065

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 8d9bb406b5d609b21a2caaf45b3ebfe0
  SHA1: ac50bfd96bb846694fdc52b13fe5bbe9a861ef11
  SHA256: 830791aaae5c75eb84026d134da16455022d4992779c488e7f4133bf28e44918
  SHA512: b980e7a95323ad29f489e9423b51135e931d73ddb9a0c7b97fc3098d8d447375d53e85812c3c872cdc8b92e687da9a1457909aed18f1fe032a4b7e2365435b4d

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{25BA5D7B-E756-4175-BA27-D36E7BC17414}.FSD
  Filesize: 128KB
  MD5: 899644d306c84e1139af9fdd01e52dcc
  SHA1: 3d86334d5eaf1940b765f5a45f313bc285add2ff
  SHA256: 091ca85db27313fa1c26a2547fe4e87949102ad1f72580b4ae94347e9723db0d
  SHA512: 63cb80f39c9e05db7d8701addda80427cc56832451f7b57e793559f78690868df7cfb8785be83dddabaca2bc762865162cc8c253185d595bc91c6b8645b02e78

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\4q0pGnqqpgTTSL7[1].doc
  Filesize: 1.1MB
  MD5: 1e6c06ed300dd4d6744f43efd6cc36a2
  SHA1: 8aaece78eaab5c434c8b9a88a1b154a09f800d16
  SHA256: dbde17546d423c444465c7f4bbecd593e99c4d43136269bb7f1f3be544d716eb
  SHA512: f6b6d4c2e51b250f1b0cc6ba68fe5d64aef88108d1273f23fbc0ec88de3802af1bba7bde66f5066c25ec0a3104148c9582032a65369747d3c0d767e070066a0c
  (WinINet cache entry: the cached copy of the document Word fetched from the external location named in the OpenXML relationships, and the file to examine for the Equation Editor object.)

(path not recorded in the report)
  Filesize: 128KB
  MD5: 10d63bb595826e236b1fb6b037c3348d
  SHA1: 52d77a6d02c3c1547ebd23c5085b34f308aa5e44
  SHA256: 27d934376dd479b6fb1b9d875f318ab53bb905d8c0e331c67b678a806748bb51
  SHA512: c308673733d19cb65b68489d682f4f05faac8c499795d1f9d306c18b7c685e36246a06804b31e089db2ac40c36fb1c41116d8f34ace4564efed57047da3b99fe

(path not recorded in the report)
  Filesize: 459B
  MD5: 6974f8e54d51f76b4ed9b28585eab06a
  SHA1: 2d12e251dc7cbcb459862156120e3188438a5546
  SHA256: 041bac88817ac1a63596c4bcbed6fa6598bd3475e763475b06e8882cfabcc253
  SHA512: fb7f6d78937974de97dd51142df51a3eb473fa531d8ec41a8e808e78ddb8ce92fd7c63892b0fdd3ee427fe08008d8859f59eb85e4c2a18be3fea4332eebbe322

(path not recorded in the report)
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

(path not recorded in the report)
  Filesize: 635KB
  MD5: 40a96129113c4c86e920731917b5612e
  SHA1: e96f4f7dbb8148a92081529057dc88bbd49a2227
  SHA256: ad05f16347445054d7fa37dae56de95dec33932970a95d2e277cd3cc8b4fdc65
  SHA512: 5d67ccbb6fb0856934d1fb742a41dc0ebe4a78aff3c85f4dd0806bde6534aa1191088625d3c7bc331750661e48573ffc0c4e6faea0517a125301aabf55df8130