Field | Value |
---|---|
File name | PO.doc |
Full analysis | https://app.any.run/tasks/e817288f-ff2a-4e9b-841d-c3cf28a9ed60 |
Verdict | Malicious activity |
Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it. |
Analysis date | May 15, 2019, 05:25:15 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | text/rtf |
File info | Rich Text Format data, unknown version |
File type | .rtf, Rich Text Format (100) |
MD5 | ABE6ACE7BF6B6F7A0570782A5F647734 |
SHA1 | 35F159C46F759DC31A4B9AE9EDC53B5B058F3399 |
SHA256 | 533C90C649422E49F4CB9A5A7FBB44D8DBBEBA78BB4C9E62AC83529701EF5ADD |
SSDEEP | 96:3Ne89+Ex0aJ4P/5SW8C/emPCQG2SN4/WtR:9I1aJ4PBSW8+ZCjRN4/6R |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2256 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PO.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
2796 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
3524 | "C:\Users\admin\AppData\Roaming\jew.exe" | C:\Users\admin\AppData\Roaming\jew.exe | — | EQNEDT32.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
296 | "C:\Users\admin\AppData\Roaming\jew.exe" | C:\Users\admin\AppData\Roaming\jew.exe | — | jew.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3420 | "C:\Windows\System32\colorcpl.exe" | C:\Windows\System32\colorcpl.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Color Control Panel; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3816 | /c del "C:\Users\admin\AppData\Roaming\jew.exe" | C:\Windows\System32\cmd.exe | — | colorcpl.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2044 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F00.tmp.cvr | — | — | — |
2256 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 8CF4B99D86AD2C91E25F7D921404AF08 | C71FCB563A60568ED4A3CC029F6FC631E9786D0AACFDB401A8DB9FE46803F35F |
2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$PO.doc | pgc | 38B5D4BFA6BC2B84E5718F9F56EF105C | 024E566CBE48FEAFC7E07C18E22BECD1D7EC8340A453935DC36EFD56D3990C0D |
2796 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\dj[1].exe | executable | E45EF777532A5D0A6476B3E0A116F873 | CE377D2B727C2747294B27B5D53B0FC1522AB67488A5FCC156789C8AC1C8CE05 |
2796 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\jew.exe | executable | E45EF777532A5D0A6476B3E0A116F873 | CE377D2B727C2747294B27B5D53B0FC1522AB67488A5FCC156789C8AC1C8CE05 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2044 | explorer.exe | GET | — | 75.98.175.108:80 | http://www.worcesterculturalcoalition.com/li/?Ib8H=ubjWjPTPCh5hUdXWmlTS6DlvHyYLokkuQ7y7TgJBcZggeikADeMh6WNvmx+Vlik5iqjbaQ==&vZ=5jTptXw0VZcluLb0 | US | — | — | suspicious |
2796 | EQNEDT32.EXE | GET | 200 | 174.141.228.13:80 | http://light.naturamunch.com/dj.exe | US | executable | 773 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2796 | EQNEDT32.EXE | 174.141.228.13:80 | light.naturamunch.com | iWeb Technologies Inc. | US | suspicious |
2044 | explorer.exe | 75.98.175.108:80 | www.worcesterculturalcoalition.com | A2 Hosting, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
light.naturamunch.com | | suspicious |
www.worcesterculturalcoalition.com | | unknown |
PID | Process | Class | Message |
---|---|---|---|
2796 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2796 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |