Analysis
-
max time kernel
56s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-12-2024 21:26
Static task
static1
Behavioral task
behavioral1
Sample
96e5517bfccfcb53750d9283cbbfe31f427281b5f6a0e61809a68952920c3d0d.xlsx
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
96e5517bfccfcb53750d9283cbbfe31f427281b5f6a0e61809a68952920c3d0d.xlsx
Resource
win10v2004-20241007-en
General
-
Target
96e5517bfccfcb53750d9283cbbfe31f427281b5f6a0e61809a68952920c3d0d.xlsx
-
Size
1.5MB
-
MD5
49fc6a2dbdacfc87cff4054eb2cc1e9f
-
SHA1
5d83448795fbd6ca2f8db612647b9588632e8ed0
-
SHA256
96e5517bfccfcb53750d9283cbbfe31f427281b5f6a0e61809a68952920c3d0d
-
SHA512
cdd17b36c59a2e5ec1c5296c60933044bcaa2edafe13a91bb8675dd986680bb3e0c1fc12800529bbbcd0c3832f9c826d220cd4cfa08290b52a2c616fa7016196
-
SSDEEP
24576:n8uIjUZpSdmP705YyIV9K298758nckXj2DnnL/h79KIEs0HGuEarisvas/pq/X2I:nrIjULSu05VIrt6758ncij2fJQIX0mH9
Malware Config
Extracted
formbook
4.1
hwu6
lf758.vip
locerin-hair.shop
vytech.net
pet-insurance-intl-7990489.live
thepolithat.buzz
d66dr114gl.bond
suv-deals-49508.bond
job-offer-53922.bond
drstone1.click
lebahsemesta57.click
olmanihousel.shop
piedmontcsb.info
trisula888x.top
66sodovna.net
dental-implants-83810.bond
imxtld.club
frozenpines.net
ffgzgbl.xyz
tlc7z.rest
alexismuller.design
6vay.boats
moocatinght.top
hafwje.bond
edmaker.online
simo1simo001.click
vbsdconsultant.click
ux-design-courses-53497.bond
victory88-pay.xyz
suarahati7.xyz
otzen.info
hair-transplantation-65829.bond
gequiltdesins.shop
inefity.cloud
jeeinsight.online
86339.xyz
stairr-lift-find.today
wdgb20.top
91uvq.pro
energyecosystem.app
8e5lr5i9zu.buzz
migraine-treatment-36101.bond
eternityzon.shop
43mjqdyetv.sbs
healthcare-software-74448.bond
bethlark.top
dangdut4dselalu.pro
04506.club
rider.vision
health-insurance-cake.world
apoppynote.com
11817e.com
hiefmotelkeokuk.top
sugatoken.xyz
aragamand.business
alifewithoutlimits.info
vibrantsoul.xyz
olarpanels-outlet.info
ozzd86fih4.online
skbdicat.xyz
cloggedpipes.net
ilsgroup.net
ptcnl.info
backstretch.store
maheshg.xyz
7b5846.online
Signatures
-
Formbook family
-
Formbook payload 3 IoCs
resource yara_rule behavioral1/memory/2776-31-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2776-35-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1984-38-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Blocklisted process makes network request 4 IoCs
flow pid Process 5 2396 EQNEDT32.EXE 6 2396 EQNEDT32.EXE 8 2396 EQNEDT32.EXE 10 2396 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 2920 word.exe -
Loads dropped DLL 1 IoCs
pid Process 2396 EQNEDT32.EXE -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0006000000019263-20.dat autoit_exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2920 set thread context of 2776 2920 word.exe 34 PID 2776 set thread context of 1144 2776 svchost.exe 20 PID 2776 set thread context of 1144 2776 svchost.exe 20 PID 1984 set thread context of 1144 1984 cmd.exe 20 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language word.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2396 EQNEDT32.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2128 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 2776 svchost.exe 2776 svchost.exe 2776 svchost.exe 1984 cmd.exe 1984 cmd.exe 1984 cmd.exe 1984 cmd.exe 1984 cmd.exe 1984 cmd.exe 1984 cmd.exe 1984 cmd.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 2920 word.exe 2776 svchost.exe 2776 svchost.exe 2776 svchost.exe 2776 svchost.exe 1984 cmd.exe 1984 cmd.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2776 svchost.exe Token: SeDebugPrivilege 1984 cmd.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 2920 word.exe 2920 word.exe 1144 Explorer.EXE 1144 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2920 word.exe 2920 word.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2128 EXCEL.EXE 2128 EXCEL.EXE 2128 EXCEL.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2396 wrote to memory of 2920 2396 EQNEDT32.EXE 33 PID 2396 wrote to memory of 2920 2396 EQNEDT32.EXE 33 PID 2396 wrote to memory of 2920 2396 EQNEDT32.EXE 33 PID 2396 wrote to memory of 2920 2396 EQNEDT32.EXE 33 PID 2920 wrote to memory of 2776 2920 word.exe 34 PID 2920 wrote to memory of 2776 2920 word.exe 34 PID 2920 wrote to memory of 2776 2920 word.exe 34 PID 2920 wrote to memory of 2776 2920 word.exe 34 PID 2920 wrote to memory of 2776 2920 word.exe 34 PID 1144 wrote to memory of 1984 1144 Explorer.EXE 35 PID 1144 wrote to memory of 1984 1144 Explorer.EXE 35 PID 1144 wrote to memory of 1984 1144 Explorer.EXE 35 PID 1144 wrote to memory of 1984 1144 Explorer.EXE 35 PID 1984 wrote to memory of 836 1984 cmd.exe 36 PID 1984 wrote to memory of 836 1984 cmd.exe 36 PID 1984 wrote to memory of 836 1984 cmd.exe 36 PID 1984 wrote to memory of 836 1984 cmd.exe 36
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\96e5517bfccfcb53750d9283cbbfe31f427281b5f6a0e61809a68952920c3d0d.xlsx2⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2128
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\svchost.exe"3⤵
- System Location Discovery: System Language Discovery
PID:836
-
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Users\Admin\AppData\Roaming\word.exeC:\Users\Admin\AppData\Roaming\word.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\svchost.exeC:\Users\Admin\AppData\Roaming\word.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5223a5b3c7dd0e582a6bb3fd6b94573d3
SHA166af74cc3a606e2a3b9a80b095399628fd9e6331
SHA256a0b9b59b88b2e2d4e208a5166664a07a58f42efcd43f13e79fda779f4cb443bc
SHA512ce6d2e8ed1d427b05c60f21b9c63cdf30cf9af248d9355519e6bec454a630b4e2e0cc4896b3cda507897213f311e389dc68c6dd7e97034fe26ba22cbb74178f3