Field | Value
---|---
File name | cd.doc
Full analysis | https://app.any.run/tasks/4fa60f83-4e8d-4ce1-9180-3b5e131e097f
Verdict | Malicious activity
Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware by its extreme ease of use, which allows even inexperienced threat actors to deploy it.
Analysis date | December 19, 2018, 04:31:11
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/rtf
File info | Rich Text Format data, version 1, unknown character set
MD5 | 550814CA4B9C3C4982EB8B6CF96D6D32
SHA1 | C9140C710735BCE20F43ED942A915CBEEF9F231E
SHA256 | 01759673B06D831750C8F4B92690BF252344E64702220DCF3425B84E013C4BA3
SSDEEP | 12288:LZ6WO/LYDIIrPJcZMY5a8iSb0jmZVrxpwLi5C1etVGPLuKIv7w+t7+gSd:LMWMYDRCSYRomZVlGOC8ULuREwEd
File type | .rtf: Rich Text Format (100)
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2932 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\cd.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 1 | 14.0.6024.1000
2272 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2740 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3032 | C:\Windows\system32\cmd.exe /K itnqknf5.CMD | C:\Windows\system32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3536 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | timeout - pauses command processing | 1 | 6.1.7600.16385 (win7_rtm.090713-1255)
4080 | cscript //nologo "C:\Users\admin\AppData\Local\Temp\_.vbs" | C:\Windows\system32\cscript.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Console Based Script Host | 0 | 5.8.7600.16385
2744 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3556 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2192 | TASkKILL /F /IM winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Terminates Processes | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
2384 | reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f | C:\Windows\system32\reg.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 1 | 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
236 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 | write | CheckSetting | 
2932 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | w=? | 773D3F00740B0000010000000000000000000000
2932 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off
2932 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On
2932 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | WORDFiles | 1301479447
2932 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1301479568
2932 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1301479569
2932 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | write | MTTT | 740B000042019BB55397D40100000000
2932 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | 1?? | 313F3F00740B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2932 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | delete value | 1?? | 313F3F00740B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA5F7.tmp.cvr | — | — | —
2932 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | A66FA7B6C40259F53F2967B38084B660 | 9584370CB64A093AB4759892A75A1755D4AF838969C7A7F926E0D8ED0695F1F2
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\itnqknf5.cmd | text | 809008091D1A97923ADCFD8188489CA4 | 7AEAF0C3AE303BC6796EF769AB685E4BB4A6867DA6201201AE108632D47C06E0
3032 | cmd.exe | C:\Users\admin\AppData\Local\Temp\_.vbs | text | 43EBD0B1B7EB3DAC3B11A58FFE168C4D | 4717A8E0BE23EA0E0FF8766D2A945B32B4BFB61ED0980176E658C36D8611DA53
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\1.zip | compressed | B2657FEE7033DA1FD5590263E08B7E2A | C81798B094A9A51ACAC32D6025FCD4908E508DCDDC62A2B213C351582D833DE2
4080 | cscript.exe | C:\Users\admin\AppData\Local\Temp\gondi.doc | document | 6D646154A16C0B67E529FAEF7024D13A | A653641F1B7AF9CFD8CF0E8066DB3553B21BF302A218A006E32FC18CE3C7F5FA
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uffm.cmd | text | 58B5A34200DD575397F8841E9D452933 | F6CAD562846E00E1615E76E82A1F16409C2B5C99BF781FB8363FC38F230FC3F9
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\a.ScT | xml | EB9FF44721B8DD4713C5F2DB0D968A79 | 2D4F0C2212697F95BB79D33BD56C32A44CACBC900B385FD0D4C651D93BEA614F
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9A30C51E-90C9-4243-A7DB-E4C7D234F757}.tmp | binary | E28EA641AC312FB81EB57E61775EE97C | 82441DB1E7C5E3BBDA68BBAE176AC0E5C77D56175600E08E6CE8304B34A8D850
4080 | cscript.exe | C:\Users\admin\AppData\Local\Temp\saver.scr | executable | 57D5DA1A6B88ED93D8A9D63EED04BA21 | 21932129B357ACFF8419F351DA51A622F415534125E12E1DC559129478B59C7A
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
236 | explorer.exe | GET | — | 198.54.117.211:80 | http://www.bolavita.download/we/?_8yL2v_=BrqvsvuRj6U73QtwHd9yVlRmBSa+ONb6iZQ1cEuVGE8mL7Bn1yffz/LEymz+bSlCV37Wrw==&mfqxz=U6Ql | US | — | — | malicious |
236 | explorer.exe | POST | — | 198.13.123.182:80 | http://www.alphacomplexextremee.com/we/ | US | — | — | malicious |
236 | explorer.exe | GET | — | 104.24.120.221:80 | http://www.dw591.com/we/?_8yL2v_=F39vZ10doz5Og+6Zx+4d25j+TNc/tqxEbEjJTlC0g0/5CzAZi470N+XaJvtTLXW5x+LjNA==&mfqxz=U6Ql | US | — | — | malicious |
236 | explorer.exe | POST | — | 192.64.114.224:80 | http://www.cravlop.com/we/ | US | — | — | malicious |
236 | explorer.exe | POST | — | 104.24.120.221:80 | http://www.dw591.com/we/ | US | — | — | malicious |
236 | explorer.exe | POST | — | 104.24.120.221:80 | http://www.dw591.com/we/ | US | — | — | malicious |
236 | explorer.exe | POST | — | 104.24.120.221:80 | http://www.dw591.com/we/ | US | — | — | malicious |
236 | explorer.exe | POST | — | 198.13.123.182:80 | http://www.alphacomplexextremee.com/we/ | US | — | — | malicious |
236 | explorer.exe | POST | — | 198.13.123.182:80 | http://www.alphacomplexextremee.com/we/ | US | — | — | malicious |
236 | explorer.exe | GET | 200 | 192.64.114.224:80 | http://www.cravlop.com/we/?_8yL2v_=wTmcjo91+zBok5inC8oUfxpssPSx6OXgLNMKUqegHYAO5/ocGOpXO1mFVoGHqgoJ1vwSdg==&mfqxz=U6Ql&sql=1 | US | binary | 323 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
236 | explorer.exe | 104.24.120.221:80 | www.dw591.com | Cloudflare Inc | US | shared |
236 | explorer.exe | 192.64.114.224:80 | www.cravlop.com | Namecheap, Inc. | US | malicious |
236 | explorer.exe | 198.13.123.182:80 | www.alphacomplexextremee.com | Psychz Networks | US | malicious |
236 | explorer.exe | 23.20.239.12:80 | www.blockdossier.com | Amazon.com, Inc. | US | shared |
236 | explorer.exe | 198.54.117.211:80 | www.bolavita.download | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation
---|---|---
www.bolavita.download | | malicious
www.alphacomplexextremee.com | | malicious
www.cravlop.com | | malicious
www.ul0higuwn6.com | | unknown
www.dw591.com | | malicious
www.blockdossier.com | | shared
PID | Process | Class | Message |
---|---|---|---|
236 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
236 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
236 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |