Field | Value
---|---
File name | 67356785362.doc
Full analysis | https://app.any.run/tasks/f6ea64ad-b8dc-4b2f-9d64-a64f0487ef14
Verdict | Malicious activity
Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it.
Analysis date | November 08, 2018, 11:19:43
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info | Microsoft Word 2007+
MD5 | D81C711DCAE9FF7AB705F348BB764200
SHA1 | 995AF42C3A2A30D4B002A37B45F93EE486253FA5
SHA256 | 4512E0216E7A5B7802240F8AEB7D4420BE488C650EE2654AE249B3ADEA20CF6A
SSDEEP | 6144:2mlLp/SnhYgMD7RSCD/QIWtYUqQADldpa625O+5Vi1iNubhUv14j:b8nhW7fVSQTEOSk1zbe8
Extension | Detected type (score)
---|---
.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)
Property | Value
---|---
AppVersion | 15
HyperlinksChanged | No
SharedDoc | No
CharactersWithSpaces | 21
LinksUpToDate | No
Company | -
ScaleCrop | No
Paragraphs | 1
Lines | 1
DocSecurity | None
Application | Microsoft Office Word
Characters | 19
Words | 3
Pages | 1
TotalEditTime | -
Template | Normal
ModifyDate | 2018:11:07 06:26:00Z
CreateDate | 2018:11:07 06:26:00Z
RevisionNumber | 1
LastModifiedBy | CHUCKS
Keywords | -
Description | -
Creator | CHUCKS
Subject | -
Title | -
ZipFileName | [Content_Types].xml
ZipUncompressedSize | 1460
ZipCompressedSize | 373
ZipCRC | 0x24886c04
ZipModifyDate | 1980:01:01 00:00:00
ZipCompression | Deflated
ZipBitFlag | 0x0006
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
4068 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\67356785362.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | — | 14.0.6024.1000
3232 | "C:\Users\admin\AppData\Local\Temp\_output61F5490.exe" | C:\Users\admin\AppData\Local\Temp\_output61F5490.exe | — | WINWORD.EXE | admin | dyola | MEDIUM | TEETHLIKE8 | 0 | 5.04
1716 | "C:\Users\admin\AppData\Local\Temp\_output61F5490.exe" | C:\Users\admin\AppData\Local\Temp\_output61F5490.exe | — | WINWORD.EXE | admin | dyola | MEDIUM | TEETHLIKE8 | 0 | 5.04
2524 | C:\Users\admin\AppData\Local\Temp\_output61F5490.exe" | C:\Users\admin\AppData\Local\Temp\_output61F5490.exe | — | _output61F5490.exe | admin | dyola | MEDIUM | TEETHLIKE8 | 0 | 5.04
3508 | C:\Users\admin\AppData\Local\Temp\_output61F5490.exe" | C:\Users\admin\AppData\Local\Temp\_output61F5490.exe | — | _output61F5490.exe | admin | dyola | MEDIUM | TEETHLIKE8 | 0 | 5.04
3088 | "C:\Users\admin\AppData\Local\Temp\_output61F5490.exe" | C:\Users\admin\AppData\Local\Temp\_output61F5490.exe | — | WINWORD.EXE | admin | dyola | MEDIUM | TEETHLIKE8 | 0 | 5.04
3736 | "C:\Windows\System32\NETSTAT.EXE" | C:\Windows\System32\NETSTAT.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | TCP/IP Netstat Command | — | 6.1.7600.16385 (win7_rtm.090713-1255)
3984 | /c del "C:\Users\admin\AppData\Local\Temp\_output61F5490.exe" | C:\Windows\System32\cmd.exe | — | NETSTAT.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1224 | "C:\Windows\System32\msiexec.exe" | C:\Windows\System32\msiexec.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows® installer | 0 | 5.0.7600.16385 (win7_rtm.090713-1255)
3804 | C:\Users\admin\AppData\Local\Temp\_output61F5490.exe" | C:\Users\admin\AppData\Local\Temp\_output61F5490.exe | — | _output61F5490.exe | admin | dyola | MEDIUM | TEETHLIKE8 | 0 | 5.04
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
4068 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR91EB.tmp.cvr | — | — | —
4068 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42AAFDE4.emf | emf | C66C80BC0026283404BE0AC8FA28330E | 261E2D3AD7B6CC0F31C301C180AEA7E1D0871F89EEEBD11BF630E20653497EEF
4068 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\_output61F5490.exe | executable | 2CA62AF33DA0D4C7D30485E7E7F3F1F7 | B60BC931328779F8B83AEE918E542321636203B372C459D94D430A4A1FCB91B9
3088 | _output61F5490.exe | C:\Users\admin\AppData\Local\Temp\~DF18B3F16F757CD863.TMP | binary | 89890FC905802A2FEC1449F6E727C368 | 5AA6A4B636167606CD8F1EF8AA373C6FC2B2E3BBD6EBA4BA8D2847F09AC1A47D
3232 | _output61F5490.exe | C:\Users\admin\AppData\Local\Temp\~DF6531FCC34CECA3A2.TMP | binary | 89890FC905802A2FEC1449F6E727C368 | 5AA6A4B636167606CD8F1EF8AA373C6FC2B2E3BBD6EBA4BA8D2847F09AC1A47D
4068 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | F12123BE3FC217E2B306FA7D3C1EF718 | 3C767FE8FEA3E2CCF71ADDB57BE518569265124015C279DC07A0A438B8E20F32
1716 | _output61F5490.exe | C:\Users\admin\AppData\Local\Temp\~DF1BD6C50EA6506B73.TMP | binary | 89890FC905802A2FEC1449F6E727C368 | 5AA6A4B636167606CD8F1EF8AA373C6FC2B2E3BBD6EBA4BA8D2847F09AC1A47D
3736 | NETSTAT.EXE | C:\Users\admin\AppData\Roaming\O3-9N7-E\O3-logrc.ini | binary | 146180A97851159BE1EE1025BEC0140A | F9EF3FC8F0AE1AB18B426DC8674875CA257E7D14B57236519ABF9858A48BF629
4068 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$356785362.doc | pgc | 4422EFC6A13707352BD6F8B1B554BCDA | 316BAF5A5AA9417DDB864F48FAFEEBC22B1840E44B22C5C7404088E4368D7238
3736 | NETSTAT.EXE | C:\Users\admin\AppData\Roaming\O3-9N7-E\O3-logim.jpeg | image | 297D0F38B4AB8028CEC006DAB01E552C | EF7923D67AACDDC14CCFD21DA68D4CB35F5775685CC15D8B5F4856AAE8B01BAD
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1604 | explorer.exe | GET | 302 | 52.22.89.169:80 | http://www.hdvui.com/ma/?GX=Mby7zqqOqpiySRsYdK1F14gUgtOqtUA5y50cYSpyilixPcI2pNk1Vv4s6bpsy253sgG+mw==&uFO4=XPxDeFaPj | US | html | 181 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1604 | explorer.exe | 52.22.89.169:80 | www.hdvui.com | Amazon.com, Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
www.rubychocolate.store | — | unknown
www.jobincline.com | — | unknown
www.takereflect.com | — | unknown
www.servicedapartments.online | — | unknown
www.hdvui.com | — | malicious
PID | Process | Class | Message |
---|---|---|---|
1604 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |