Analysis

  • max time kernel
    148s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-10-2024 10:23

General

  • Target
    PurchaseOrder-ProjectNo-8879_ECOFIX.docx
  • Size
    179KB
  • MD5
    4b4dd7f09a3f3435dd6ad0c3e0ebdec5
  • SHA1
    d4c5dfc8f8e01aed7fbba3ae7c3bce2169a779b1
  • SHA256
    c7fbb69621184bcde9042d22bf4e52b973ef7b5187b6446b362c32640469740c
  • SHA512
    8e6a7f1e422e71a842052d23b2d2c5808fa0aeebd8a4861704fc471e5987e9e4241b8436324ba1c919b910f991f141f8cb28b80bde5ae783b412cbfb32b6ba53
  • SSDEEP
    3072:UiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUkGZZ:e5r/g+qZMpcFSQzYHut4dZ+Z

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    btrd
  • Decoy

Signatures

  • Formbook

    Formbook is a data-stealing malware.

  • Formbook family
  • Formbook payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PurchaseOrder-ProjectNo-8879_ECOFIX.docx"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1044
      • C:\Windows\SysWOW64\raserver.exe
        "C:\Windows\SysWOW64\raserver.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2356
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1244
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Users\Admin\AppData\Roaming\ihbgfbin.exe
        "C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2160
        • C:\Users\Admin\AppData\Roaming\ihbgfbin.exe
          "C:\Users\Admin\AppData\Roaming\ihbgfbin.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2216

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{977BB0D4-982D-4BFA-BDA0-7142CF038A88}.FSD
    Filesize
    128KB
    MD5
    00179d7484cb5c5b6b74bcb8231c4a6b
    SHA1
    f45ae7dbbac98e98ed4c373d3ee90a3f4caa3071
    SHA256
    8ec72acfd7aa472b4c6161be335224cb4fc4c7a53f82d1a2534bafca10c057c8
    SHA512
    0ed54c8ea7872d081e6685826668eebdaf4853e2fd2c475fc28f66acea0c826548a0557b0d594752764b7159b01c92a05a90626e286749fd9c8a8f8a9ddeb065
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    Filesize
    128KB
    MD5
    8d9bb406b5d609b21a2caaf45b3ebfe0
    SHA1
    ac50bfd96bb846694fdc52b13fe5bbe9a861ef11
    SHA256
    830791aaae5c75eb84026d134da16455022d4992779c488e7f4133bf28e44918
    SHA512
    b980e7a95323ad29f489e9423b51135e931d73ddb9a0c7b97fc3098d8d447375d53e85812c3c872cdc8b92e687da9a1457909aed18f1fe032a4b7e2365435b4d
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{25BA5D7B-E756-4175-BA27-D36E7BC17414}.FSD
    Filesize
    128KB
    MD5
    899644d306c84e1139af9fdd01e52dcc
    SHA1
    3d86334d5eaf1940b765f5a45f313bc285add2ff
    SHA256
    091ca85db27313fa1c26a2547fe4e87949102ad1f72580b4ae94347e9723db0d
    SHA512
    63cb80f39c9e05db7d8701addda80427cc56832451f7b57e793559f78690868df7cfb8785be83dddabaca2bc762865162cc8c253185d595bc91c6b8645b02e78
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\4q0pGnqqpgTTSL7[1].doc
    Filesize
    1.1MB
    MD5
    1e6c06ed300dd4d6744f43efd6cc36a2
    SHA1
    8aaece78eaab5c434c8b9a88a1b154a09f800d16
    SHA256
    dbde17546d423c444465c7f4bbecd593e99c4d43136269bb7f1f3be544d716eb
    SHA512
    f6b6d4c2e51b250f1b0cc6ba68fe5d64aef88108d1273f23fbc0ec88de3802af1bba7bde66f5066c25ec0a3104148c9582032a65369747d3c0d767e070066a0c
  • C:\Users\Admin\AppData\Local\Temp\{6C5058F7-4865-4AB1-BB53-F91BEF1C7BCF}
    Filesize
    128KB
    MD5
    10d63bb595826e236b1fb6b037c3348d
    SHA1
    52d77a6d02c3c1547ebd23c5085b34f308aa5e44
    SHA256
    27d934376dd479b6fb1b9d875f318ab53bb905d8c0e331c67b678a806748bb51
    SHA512
    c308673733d19cb65b68489d682f4f05faac8c499795d1f9d306c18b7c685e36246a06804b31e089db2ac40c36fb1c41116d8f34ace4564efed57047da3b99fe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize
    459B
    MD5
    6974f8e54d51f76b4ed9b28585eab06a
    SHA1
    2d12e251dc7cbcb459862156120e3188438a5546
    SHA256
    041bac88817ac1a63596c4bcbed6fa6598bd3475e763475b06e8882cfabcc253
    SHA512
    fb7f6d78937974de97dd51142df51a3eb473fa531d8ec41a8e808e78ddb8ce92fd7c63892b0fdd3ee427fe08008d8859f59eb85e4c2a18be3fea4332eebbe322
  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
    Filesize
    2B
    MD5
    f3b25701fe362ec84616a93a45ce9998
    SHA1
    d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256
    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512
    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
  • C:\Users\Admin\AppData\Roaming\ihbgfbin.exe
    Filesize
    635KB
    MD5
    40a96129113c4c86e920731917b5612e
    SHA1
    e96f4f7dbb8148a92081529057dc88bbd49a2227
    SHA256
    ad05f16347445054d7fa37dae56de95dec33932970a95d2e277cd3cc8b4fdc65
    SHA512
    5d67ccbb6fb0856934d1fb742a41dc0ebe4a78aff3c85f4dd0806bde6534aa1191088625d3c7bc331750661e48573ffc0c4e6faea0517a125301aabf55df8130
  • memory/1160-119-0x0000000007410000-0x00000000074E5000-memory.dmp
    Filesize
    852KB
  • memory/1160-117-0x0000000003ED0000-0x00000000040D0000-memory.dmp
    Filesize
    2.0MB
  • memory/2196-0-0x000000002F231000-0x000000002F232000-memory.dmp
    Filesize
    4KB
  • memory/2196-2-0x000000007127D000-0x0000000071288000-memory.dmp
    Filesize
    44KB
  • memory/2196-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/2196-96-0x000000007127D000-0x0000000071288000-memory.dmp
    Filesize
    44KB
  • memory/2216-110-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize
    188KB
  • memory/2216-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB
  • memory/2216-107-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize
    188KB
  • memory/2216-105-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize
    188KB
  • memory/2356-115-0x0000000000F90000-0x0000000000FAC000-memory.dmp
    Filesize
    112KB
  • memory/2356-116-0x00000000000D0000-0x00000000000FF000-memory.dmp
    Filesize
    188KB
  • memory/2988-104-0x0000000000370000-0x00000000003E6000-memory.dmp
    Filesize
    472KB
  • memory/2988-97-0x00000000009A0000-0x00000000009BE000-memory.dmp
    Filesize
    120KB
  • memory/2988-94-0x0000000000D40000-0x0000000000DE4000-memory.dmp
    Filesize
    656KB