Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20-12-2024 21:29

General

  • Target

    96e5517bfccfcb53750d9283cbbfe31f427281b5f6a0e61809a68952920c3d0d.xlsx

  • Size

    1.5MB

  • MD5

    49fc6a2dbdacfc87cff4054eb2cc1e9f

  • SHA1

    5d83448795fbd6ca2f8db612647b9588632e8ed0

  • SHA256

    96e5517bfccfcb53750d9283cbbfe31f427281b5f6a0e61809a68952920c3d0d

  • SHA512

    cdd17b36c59a2e5ec1c5296c60933044bcaa2edafe13a91bb8675dd986680bb3e0c1fc12800529bbbcd0c3832f9c826d220cd4cfa08290b52a2c616fa7016196

  • SSDEEP

    24576:n8uIjUZpSdmP705YyIV9K298758nckXj2DnnL/h79KIEs0HGuEarisvas/pq/X2I:nrIjULSu05VIrt6758ncij2fJQIX0mH9

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hwu6

Decoy

lf758.vip

locerin-hair.shop

vytech.net

pet-insurance-intl-7990489.live

thepolithat.buzz

d66dr114gl.bond

suv-deals-49508.bond

job-offer-53922.bond

drstone1.click

lebahsemesta57.click

olmanihousel.shop

piedmontcsb.info

trisula888x.top

66sodovna.net

dental-implants-83810.bond

imxtld.club

frozenpines.net

ffgzgbl.xyz

tlc7z.rest

alexismuller.design

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook family
  • Formbook payload 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\96e5517bfccfcb53750d9283cbbfe31f427281b5f6a0e61809a68952920c3d0d.xlsx
      2⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1292
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2652
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Roaming\word.exe
      C:\Users\Admin\AppData\Roaming\word.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\SysWOW64\svchost.exe
        C:\Users\Admin\AppData\Roaming\word.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\word.exe

    Filesize

    1.1MB

    MD5

    223a5b3c7dd0e582a6bb3fd6b94573d3

    SHA1

    66af74cc3a606e2a3b9a80b095399628fd9e6331

    SHA256

    a0b9b59b88b2e2d4e208a5166664a07a58f42efcd43f13e79fda779f4cb443bc

    SHA512

    ce6d2e8ed1d427b05c60f21b9c63cdf30cf9af248d9355519e6bec454a630b4e2e0cc4896b3cda507897213f311e389dc68c6dd7e97034fe26ba22cbb74178f3

  • memory/1184-39-0x00000000064E0000-0x000000000658A000-memory.dmp

    Filesize

    680KB

  • memory/1292-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1292-1-0x00000000721AD000-0x00000000721B8000-memory.dmp

    Filesize

    44KB

  • memory/1292-33-0x00000000721AD000-0x00000000721B8000-memory.dmp

    Filesize

    44KB

  • memory/2524-34-0x0000000000690000-0x00000000006A6000-memory.dmp

    Filesize

    88KB

  • memory/2524-35-0x00000000000C0000-0x00000000000EF000-memory.dmp

    Filesize

    188KB

  • memory/2708-31-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB