File name: | Transport Plan Changes.xlsx |
Full analysis: | https://app.any.run/tasks/88ee3746-5ba1-4e33-bab1-8dc48eaa4176 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | March 30, 2020, 15:12:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 6222DDCA4E38E9D468484E19E8B91CF5 |
SHA1: | 2684091597C692A5DD5E4D5A7A146AFF42825EB9 |
SHA256: | 74EB485547633DA2DA2556DD5245DE3803D8291FC01A20A67D95944741F21E8B |
SSDEEP: | 12288:xk9M9mriiTDYVYXe0JRgJqWYOFMx9T3b+UbaAW1WRabxHdQ79p7QuNnLR9k:69M98iin6GgMWYO6H7TbaBK2Q79pkag |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1740 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3320 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3536 | "C:\Users\admin\AppData\Roaming\vbc.exe" | C:\Users\admin\AppData\Roaming\vbc.exe | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2756 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | vbc.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2556 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | — | chlz.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
944 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" 2 2556 10969578 | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | — | chlz.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2576 | "C:\Windows\System32\audiodg.exe" | C:\Windows\System32\audiodg.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Audio Device Graph Isolation Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
588 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | chlz.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1900 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | — | chlz.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2368 | "C:\Users\admin\AppData\Roaming\chlz\chlz.exe" 2 1900 10973375 | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | — | chlz.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
(PID) Process: | (372) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (1740) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | write | Name: | ao0 |
Value: 616F3000CC060000010000000000000000000000 | |||
(PID) Process: | (1740) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (1740) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (1740) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (1740) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (1740) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (1740) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (1740) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (1740) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
1740 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6BE1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3536 | vbc.exe | C:\Users\admin\AppData\Roaming\chlz\chlz.exe:ZoneIdentifier | — | |
MD5:— | SHA256:— | |||
2756 | chlz.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chlz.vbs | text | |
MD5:5F07C5B74700DE27858EA4FE05C0250F | SHA256:24021C752D3133AC1B8DE902CE2172F9D600F08EF154884F6E8219C842C3D73F | |||
588 | chlz.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chlz.vbs | text | |
MD5:5F07C5B74700DE27858EA4FE05C0250F | SHA256:24021C752D3133AC1B8DE902CE2172F9D600F08EF154884F6E8219C842C3D73F | |||
2576 | audiodg.exe | C:\Users\admin\AppData\Roaming\149MTU1F\149logrc.ini | binary | |
MD5:2855A82ECDD565B4D957EC2EE05AED26 | SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939 | |||
3320 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\bk[1].exe | executable | |
MD5:427BA00AC8E9E75DC8B898AFE698F945 | SHA256:C2E81BAD5CF16472E3D169E7F25B935E63C12736CB0EA8E6A678A246CB4DCA66 | |||
3320 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\vbc.exe | executable | |
MD5:427BA00AC8E9E75DC8B898AFE698F945 | SHA256:C2E81BAD5CF16472E3D169E7F25B935E63C12736CB0EA8E6A678A246CB4DCA66 | |||
3536 | vbc.exe | C:\Users\admin\AppData\Roaming\chlz\chlz.exe | executable | |
MD5:427BA00AC8E9E75DC8B898AFE698F945 | SHA256:C2E81BAD5CF16472E3D169E7F25B935E63C12736CB0EA8E6A678A246CB4DCA66 | |||
1740 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4518BAFE.emf | emf | |
MD5:9DBC4E90F367DF7508C707F6806E8DCA | SHA256:78C2466C6539C3C9AECC57DD4B2EA6303724EEAEF9925FC568C6DA8FC6EFDE19 | |||
2908 | chlz.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chlz.vbs | text | |
MD5:5F07C5B74700DE27858EA4FE05C0250F | SHA256:24021C752D3133AC1B8DE902CE2172F9D600F08EF154884F6E8219C842C3D73F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
372 | explorer.exe | GET | — | 184.168.221.89:80 | http://www.onfixers.com/c9c/?OrpDKZ=s5J4Wo0IvCsp6jUlkCBGk3XaD1guE8xPDBaa+bYehpNnnGb6xPBo7weUyohWNponuXPxwg==&8p=chUxZlTP2 | US | — | — | malicious |
372 | explorer.exe | POST | — | 198.54.112.48:80 | http://www.nyoxibwer.com/c9c/ | US | — | — | malicious |
372 | explorer.exe | GET | — | 198.54.112.48:80 | http://www.nyoxibwer.com/c9c/?OrpDKZ=9+GzjCWfCB5OpbaIwLLG+DEC9yR+Eby9VR1o4uz+w/wIAPI0zrxt1y/akEMo4wphdJlLMw==&8p=chUxZlTP2 | US | — | — | malicious |
372 | explorer.exe | POST | — | 198.54.112.48:80 | http://www.nyoxibwer.com/c9c/ | US | — | — | malicious |
372 | explorer.exe | GET | — | 23.235.208.12:80 | http://www.islandsurfandsoul.com/c9c/?OrpDKZ=n2qqqtzDMFwDHxzkcMqRye7YUmivStKBg0nqnA8l1JQyCXH8WU+RLmDaBtolSJy7yesGwA==&8p=chUxZlTP2 | US | — | — | malicious |
372 | explorer.exe | POST | — | 184.168.221.89:80 | http://www.onfixers.com/c9c/ | US | — | — | malicious |
372 | explorer.exe | POST | — | 23.235.208.12:80 | http://www.islandsurfandsoul.com/c9c/ | US | — | — | malicious |
372 | explorer.exe | POST | — | 23.235.208.12:80 | http://www.islandsurfandsoul.com/c9c/ | US | — | — | malicious |
372 | explorer.exe | POST | — | 23.235.208.12:80 | http://www.islandsurfandsoul.com/c9c/ | US | — | — | malicious |
372 | explorer.exe | POST | — | 184.168.221.89:80 | http://www.onfixers.com/c9c/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
372 | explorer.exe | 35.242.251.130:80 | www.carolinachildrensmuseum.com | — | US | malicious |
3320 | EQNEDT32.EXE | 109.169.89.118:80 | easydatatransfercleansystemprofessional.duckdns.org | iomart Cloud Services Limited. | GB | malicious |
372 | explorer.exe | 198.54.112.48:80 | www.nyoxibwer.com | Namecheap, Inc. | US | malicious |
372 | explorer.exe | 23.235.208.12:80 | www.islandsurfandsoul.com | InMotion Hosting, Inc. | US | malicious |
372 | explorer.exe | 184.168.221.89:80 | www.onfixers.com | GoDaddy.com, LLC | US | malicious |
372 | explorer.exe | 154.205.128.231:80 | www.kk2400.com | MacroLAN | ZA | malicious |
Domain | IP | Reputation |
---|---|---|
easydatatransfercleansystemprofessional.duckdns.org |
| malicious |
www.carolinachildrensmuseum.com |
| malicious |
www.nyoxibwer.com |
| malicious |
dns.msftncsi.com |
| shared |
www.wwwbola168.com |
| unknown |
www.islandsurfandsoul.com |
| malicious |
www.vpp-services.com |
| unknown |
www.onfixers.com |
| malicious |
www.kk2400.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3320 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3320 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
372 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | A Network Trojan was detected | SPYWARE [PTsecurity] FormBook |
372 | explorer.exe | Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYN resend different seq on SYN recv |
372 | explorer.exe | Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYNACK resend with different ack |