File name: | cd.doc |
Full analysis: | https://app.any.run/tasks/016d6c7a-e4ea-4f65-8abe-2e0e0d4e56e2 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy it. |
Analysis date: | December 19, 2018, 04:36:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 550814CA4B9C3C4982EB8B6CF96D6D32 |
SHA1: | C9140C710735BCE20F43ED942A915CBEEF9F231E |
SHA256: | 01759673B06D831750C8F4B92690BF252344E64702220DCF3425B84E013C4BA3 |
SSDEEP: | 12288:LZ6WO/LYDIIrPJcZMY5a8iSb0jmZVrxpwLi5C1etVGPLuKIv7w+t7+gSd:LMWMYDRCSYRomZVlGOC8ULuREwEd |
Extension | Detected type |
---|---|
.rtf | Rich Text Format (100) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2848 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\cd.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
2276 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
2740 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
3012 | C:\Windows\system32\cmd.exe /K itnqknf5.CMD | C:\Windows\system32\cmd.exe | — | cmd.exe |
3512 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
4072 | cscript //nologo "C:\Users\admin\AppData\Local\Temp\_.vbs" | C:\Windows\system32\cscript.exe | — | cmd.exe |
2968 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
3732 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
2264 | TASkKILL /F /IM winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
2392 | reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f | C:\Windows\system32\reg.exe | — | cmd.exe |

PID | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|
2848 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 1 | 14.0.6024.1000 |
2276 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2740 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3012 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3512 | admin | Microsoft Corporation | MEDIUM | timeout - pauses command processing | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
4072 | admin | Microsoft Corporation | MEDIUM | Microsoft ® Console Based Script Host | 0 | 5.8.7600.16385 |
2968 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3732 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2264 | admin | Microsoft Corporation | MEDIUM | Terminates Processes | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2392 | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
2848 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | 48$ | 34382400200B0000010000000000000000000000 |
2848 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off |
2848 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On |
2848 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | WORDFiles | 1301479454 |
2848 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1301479568 |
2848 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1301479569 |
2848 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTT | 200B000076072E795497D40100000000 |
2848 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | <:$ | 3C3A2400200B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
2848 | WINWORD.EXE | delete value | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | <:$ | 3C3A2400200B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
2848 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR94B4.tmp.cvr | — | — | — |
3012 | cmd.exe | C:\Users\admin\AppData\Local\Temp\_.vbs | text | 43EBD0B1B7EB3DAC3B11A58FFE168C4D | 4717A8E0BE23EA0E0FF8766D2A945B32B4BFB61ED0980176E658C36D8611DA53 |
4072 | cscript.exe | C:\Users\admin\AppData\Local\Temp\saver.scr | executable | 57D5DA1A6B88ED93D8A9D63EED04BA21 | 21932129B357ACFF8419F351DA51A622F415534125E12E1DC559129478B59C7A |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\itnqknf5.cmd | text | 809008091D1A97923ADCFD8188489CA4 | 7AEAF0C3AE303BC6796EF769AB685E4BB4A6867DA6201201AE108632D47C06E0 |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 82B9FF266C32B59B1FC2A0C40B975FBD | 5B4F3EFCCDF4F09343E6C01FABC4E51BD7D8CE4EDC5D7F72D6626890903C04AC |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$cd.doc.rtf | pgc | 60CCCF8BDADE90C48F999776027D63F6 | B59D317DE87C4358B7015B665F0715E8B31A7A37FFFC3E9B40129B4640AA83D8 |
4072 | cscript.exe | C:\Users\admin\AppData\Local\Temp\gondi.doc | document | 6D646154A16C0B67E529FAEF7024D13A | A653641F1B7AF9CFD8CF0E8066DB3553B21BF302A218A006E32FC18CE3C7F5FA |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4E01AAB1-1ADC-47F5-92E6-AAD077A32D9B}.tmp | binary | E28EA641AC312FB81EB57E61775EE97C | 82441DB1E7C5E3BBDA68BBAE176AC0E5C77D56175600E08E6CE8304B34A8D850 |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\a.ScT | xml | EB9FF44721B8DD4713C5F2DB0D968A79 | 2D4F0C2212697F95BB79D33BD56C32A44CACBC900B385FD0D4C651D93BEA614F |
2688 | saver.scr | C:\Users\admin\AppData\Local\Temp\OneNoteSplashLogo.scale-125.png | image | 129BFC9FEB1BEE216B11B78416071DCA | F1A20720DF222AFA388AB8FC6BC35005FB34306DC829905FEC74BA8A58ECAB33 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | 301 | 185.230.62.177:80 | http://www.blendboxstudio.com/we/?GzvH-=hOlERaQLxawhalKXXyHwSJ/xFFireJaCBhjNTnWIHNDPnDnvaH97/ALRgnGsicf35EDmYA==&Ann=oJd0DhCpQ&sql=1 | unknown | — | — | malicious |
116 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.rumorifuoriscena.com/we/?GzvH-=dGDvuN42HXwGX2WfRCmCjzQ2facEWj4R6u3602g2eEhqaAPES4+WplH/VYuWN9S0vgo1CQ==&Ann=oJd0DhCpQ&sql=1 | US | html | 192 b | shared |
116 | explorer.exe | POST | — | 185.230.62.177:80 | http://www.blendboxstudio.com/we/ | unknown | — | — | malicious |
116 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.rumorifuoriscena.com/we/ | US | — | — | shared |
116 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.rumorifuoriscena.com/we/ | US | — | — | shared |
116 | explorer.exe | POST | — | 185.230.62.177:80 | http://www.blendboxstudio.com/we/ | unknown | — | — | malicious |
116 | explorer.exe | POST | — | 185.230.62.177:80 | http://www.blendboxstudio.com/we/ | unknown | — | — | malicious |
116 | explorer.exe | POST | — | 23.20.239.12:80 | http://www.rumorifuoriscena.com/we/ | US | — | — | shared |
116 | explorer.exe | GET | 404 | 192.64.114.224:80 | http://www.cravlop.com/we/?GzvH-=wTmcjo91+zBok5inC8oUfxpssPSx6OXgLNMKUqegHYAO5/ocGOpXO1mFVoGHqgoJ1vwSdg==&Ann=oJd0DhCpQ | US | html | 326 b | malicious |
116 | explorer.exe | GET | 301 | 139.219.4.4:80 | http://www.xsjrwang.com/we/?GzvH-=cG9i7O39eAxPhzHnxqh7VOCTm6FwoUgyZ1tjZXNfyCGNSlFo8PUkxF5zejwHzLNWfTpx8A==&Ann=oJd0DhCpQ&sql=1 | CN | html | 258 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
116 | explorer.exe | 185.230.62.177:80 | www.blendboxstudio.com | — | — | malicious |
116 | explorer.exe | 192.64.114.224:80 | www.cravlop.com | Namecheap, Inc. | US | malicious |
116 | explorer.exe | 23.20.239.12:80 | www.rumorifuoriscena.com | Amazon.com, Inc. | US | shared |
116 | explorer.exe | 139.219.4.4:80 | www.xsjrwang.com | Microsoft (China) Co., Ltd. | CN | malicious |
116 | explorer.exe | 194.58.112.174:80 | www.mgok.online | Domain names registrar REG.RU, Ltd | RU | malicious |

Domain | IP | Reputation |
---|---|---|
www.cravlop.com | — | malicious |
www.blendboxstudio.com | — | malicious |
www.angbaiwai.com | — | unknown |
www.rumorifuoriscena.com | — | shared |
www.msmaids.com | — | unknown |
www.whatsexpo.com | — | unknown |
www.mgok.online | — | malicious |
www.xsjrwang.com | — | malicious |
www.nehainc.com | — | unknown |

PID | Process | Class | Message |
---|---|---|---|
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |