File name: INQUIRY.xlsx
Full analysis: https://app.any.run/tasks/eeafd156-a9f2-40ad-b3a9-c5535eb34fd3
Verdict: Malicious activity
Threats: FormBook is a data stealer distributed as Malware-as-a-Service (MaaS). It differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy it.
Analysis date: July 18, 2019, 04:18:12
OS: Windows 7 Professional Service Pack 1 (build 7601, 32-bit)
Tags: —
Indicators: —
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5: 7560F795E299DF5979265612739C901E
SHA1: 5AEBD69B131339FAE39A9FBC7AB30917D7F71672
SHA256: 4A980701F0FE7CCDF9F5B0E6BF33F969B0268DFAA4F2A36F24375D687264D9D6
SSDEEP: 1536:NnCAEGVU100V6gF/XoSAcp+M4UDS3leud:BCjGVw02F/YSoMIlX

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3860 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
1456 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
2480 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | EQNEDT32.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 3221225477 (0xC0000005) |
3640 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | vbc.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2500 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | vbc.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3596 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | vbc.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
1340 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | vbc.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2544 | "C:\Windows\System32\lsass.exe" | C:\Windows\System32\lsass.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Local Security Authority Process; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3320 | /c del "C:\Users\Public\vbc.exe" | C:\Windows\System32\cmd.exe | — | lsass.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3924 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | vbc.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3860 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRF472.tmp.cvr | — | — | — |
2544 | lsass.exe | C:\Users\admin\AppData\Roaming\77M3PD5E\77Mlogrc.ini | binary | 2855A82ECDD565B4D957EC2EE05AED26 | 88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 |
1456 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | 3746F192F65E8E557F8D089FDBD0F49E | 793B2CBD9E75DA7C2141E9ECC5AC1949CA36CBC2491DF2F09DC5528757595A3A |
1456 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\jhn[1].exe | executable | 3746F192F65E8E557F8D089FDBD0F49E | 793B2CBD9E75DA7C2141E9ECC5AC1949CA36CBC2491DF2F09DC5528757595A3A |
2544 | lsass.exe | C:\Users\admin\AppData\Roaming\77M3PD5E\77Mlogim.jpeg | image | DE9959F76827F0C876297DAA3823F052 | 099E003FE8C802705DBAF44C7EB9F4ECFCC4703BD902DE5A97B3B731F0A0F49E |
2544 | lsass.exe | C:\Users\admin\AppData\Roaming\77M3PD5E\77Mlogri.ini | binary | D63A82E5D81E02E399090AF26DB0B9CB | EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE |
3856 | Firefox.exe | C:\Users\admin\AppData\Roaming\77M3PD5E\77Mlogrf.ini | binary | 53028481B5B5795F1501241CCC7ABFF6 | 75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A |
2544 | lsass.exe | C:\Users\admin\AppData\Roaming\77M3PD5E\77Mlogrv.ini | binary | BA3B6BC807D4F76794C4B81B09BB9BA5 | 6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
292 | explorer.exe | GET | — | 50.63.202.40:80 | http://www.nitincreationsphotography.com/jo/?GzyLF=OEX4fKCCXmBLkssY7FHX9KNR5fIgU3FomDIGpaWwPqpCUif3LlnDOO6uF5tMQERiXaGVpQ==&Ann=oJIttXspZ | US | — | — | malicious |
2024 | WerFault.exe | GET | — | 52.158.209.219:80 | http://watson.microsoft.com/StageOne/vbc_exe/0_0_0_0/5d2e31f6/StackHash_0a9e/0_0_0_0/00000000/c0000005/001100be.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063 | US | — | — | whitelisted |
292 | explorer.exe | POST | — | 198.204.237.165:80 | http://www.emilymayphotography.com/jo/ | US | — | — | malicious |
292 | explorer.exe | POST | — | 195.201.179.80:80 | http://www.getstudynews.com/jo/ | RU | — | — | malicious |
292 | explorer.exe | POST | — | 195.201.179.80:80 | http://www.getstudynews.com/jo/ | RU | — | — | malicious |
292 | explorer.exe | GET | 404 | 195.201.179.80:80 | http://www.getstudynews.com/jo/?GzyLF=w7C3kWilSUfdx85OmTrKHiGMqQwst4j23ZEVXfnSdJ6+X+VczIYY94sxmTzsf6V8JjAwxw==&Ann=oJIttXspZ&sql=1 | RU | html | 287 b | malicious |
1456 | EQNEDT32.EXE | GET | 200 | 23.249.165.218:80 | http://zerodayv3startedexploitpcwithexcelgreat.duckdns.org/bartn/jhn.exe | US | executable | 1.29 Mb | malicious |
292 | explorer.exe | POST | — | 198.204.237.165:80 | http://www.emilymayphotography.com/jo/ | US | — | — | malicious |
292 | explorer.exe | POST | — | 195.201.179.80:80 | http://www.getstudynews.com/jo/ | RU | — | — | malicious |
292 | explorer.exe | POST | — | 217.160.0.193:80 | http://www.getmetoibiza.com/jo/ | DE | — | — | malicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
292 | explorer.exe | 50.63.202.40:80 | www.nitincreationsphotography.com | GoDaddy.com, LLC | US | malicious |
2024 | WerFault.exe | 52.158.209.219:80 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
1456 | EQNEDT32.EXE | 23.249.165.218:80 | zerodayv3startedexploitpcwithexcelgreat.duckdns.org | ColoCrossing | US | malicious |
292 | explorer.exe | 195.201.179.80:80 | www.getstudynews.com | Awanti Ltd. | RU | malicious |
292 | explorer.exe | 217.160.0.193:80 | www.getmetoibiza.com | 1&1 Internet SE | DE | malicious |
292 | explorer.exe | 162.241.252.101:80 | www.supplychainrisk-management.com | CyrusOne LLC | US | malicious |
292 | explorer.exe | 198.204.237.165:80 | www.emilymayphotography.com | DataShack, LC | US | malicious |
292 | explorer.exe | 198.187.30.241:80 | www.boxcay.com | Namecheap, Inc. | US | malicious |
292 | explorer.exe | 13.115.27.140:80 | www.qian73.com | Amazon.com, Inc. | JP | malicious |
— | — | 50.63.202.57:80 | www.untamedprovisions.us | GoDaddy.com, LLC | US | malicious |

Domain | IP | Reputation |
---|---|---|
zerodayv3startedexploitpcwithexcelgreat.duckdns.org | — | malicious |
www.salliorecentralle-amazon.com | — | unknown |
watson.microsoft.com | — | whitelisted |
www.nitincreationsphotography.com | — | malicious |
www.getstudynews.com | — | malicious |
www.emilymayphotography.com | — | malicious |
www.getmetoibiza.com | — | malicious |
www.xn--xhq44jgvd3c878f.net | — | unknown |
www.supplychainrisk-management.com | — | malicious |
www.qian73.com | — | malicious |

PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
1456 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
1456 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2024 | WerFault.exe | Potential Corporate Privacy Violation | ET POLICY Application Crash Report Sent to Microsoft |
2024 | WerFault.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
292 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
292 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
292 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
292 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
292 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |