URL: http://docusiqn.ml/dreal/crtwon.exe

Full analysis: https://app.any.run/tasks/9caa7661-458b-479e-9765-42d4b765cde4
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as Malware-as-a-Service (MaaS). It differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy it.

Analysis date: April 25, 2019, 09:29:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, trojan, formbook
Indicators:
MD5: CCF37C8BB53151960433CF75611B32D6
SHA1: 4406844F1C741C3BEB236769EE64C06A79C183BD
SHA256: 98B63DE7AC9F4196D967209698BF26961F3BA4737222E8BFA9CFB36CBD334474
SSDEEP: 3:N1KaKuBXAPGZ:CaHW+Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • crtwon[1].exe (PID: 2452)
      • crtwon[1].exe (PID: 3256)
      • crtwon[1].exe (PID: 2716)
    • FORMBOOK was detected
      • explorer.exe (PID: 252)
    • Connects to CnC server
      • explorer.exe (PID: 252)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 2956)
    • Reads Internet Cache Settings
      • explorer.exe (PID: 252)
    • Starts Internet Explorer
      • explorer.exe (PID: 252)
    • Application launched itself
      • crtwon[1].exe (PID: 3256)
      • crtwon[1].exe (PID: 2452)
    • Starts CMD.EXE for commands execution
      • cscript.exe (PID: 3368)
    • Executes scripts
      • explorer.exe (PID: 252)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 2956)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 2956)
    • Creates files in the user directory
      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 3452)
    • Application launched itself
      • iexplore.exe (PID: 2956)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 8
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph (rendered in the full report): iexplore.exe, iexplore.exe, crtwon[1].exe (no specs, three instances), cscript.exe (no specs), cmd.exe (no specs), explorer.exe (#FORMBOOK). Edge labels: "drop and start", "start".

Process information

PID 2956 (iexplore.exe)
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://docusiqn.ml/dreal/crtwon.exe
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3452 (iexplore.exe)
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3256 (crtwon[1].exe)
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\crtwon[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\crtwon[1].exe
Parent process: iexplore.exe
User: admin
Company: bITPay
Integrity Level: MEDIUM
Description: cOdE LAboratories, Inc.
Exit code: 0
Version: 1.00

PID 2452 (crtwon[1].exe)
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\crtwon[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\crtwon[1].exe
Parent process: crtwon[1].exe
User: admin
Company: bITPay
Integrity Level: MEDIUM
Description: cOdE LAboratories, Inc.
Exit code: 0
Version: 1.00

PID 2716 (crtwon[1].exe)
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\crtwon[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\crtwon[1].exe
Parent process: crtwon[1].exe
User: admin
Company: bITPay
Integrity Level: MEDIUM
Description: cOdE LAboratories, Inc.
Exit code: 0
Version: 1.00

PID 3368 (cscript.exe)
CMD: "C:\Windows\System32\cscript.exe"
Path: C:\Windows\System32\cscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: (not listed)
Version: 5.8.7600.16385

PID 4036 (cmd.exe)
CMD: /c del "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\crtwon[1].exe"
Path: C:\Windows\System32\cmd.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 252 (explorer.exe)
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
Parent process: (not listed)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: (not listed)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 689
Read events: 631
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 2
Suspicious files: 3
Text files: 16
Unknown types: 7

Dropped files

PID 2956, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID 2956, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF64C4143318DA9179.TMP
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID 3452, iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@docusiqn[1].txt
Type: text
MD5: 12E0FBEA08EC416E48580D715C25C9DD
SHA256: A9A1C3ED072512FEC97E0F2AA9DDD711FEF9A843CDABD6A41BFA523440FAAA54

PID 3452, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
Type: dat
MD5: 69F1D1CD53089A3A7286DE58B51740D7
SHA256: 18B815C59ED8B48297CEE9A859CEC153DA60BA1C47C118D7E158CCDBBAE36E31

PID 3452, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type: dat
MD5: CC779EFC6D7E5EB5F226BE871FA918B9
SHA256: 1AB6430B8724F2E33A6032B7D7793B264774409DB4E1E296EC62CB25434D78B1

PID 3452, iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
Type: dat
MD5: DFB697452C87B5312004F015233DAF86
SHA256: 1B0496BF48A4AB1038FD9F0F650628E5CC528A0941768A4653E2E97159FC772C

PID 2956, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019042520190426\index.dat
Type: dat
MD5: 582B2EC117212E61849A64AAC5ED847C
SHA256: D346C04999057AAAC523407AD941CCD6B5F714D5126D56A53893374899445F46

PID 2956, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFC242477D5DE368CB.TMP
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID 2956, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B2EAC5E3-673C-11E9-B3B3-5254004A04AF}.dat
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID 3452, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019042520190426\index.dat
Type: dat
MD5: 56C07FF0D938265EE014977B673C8A59
SHA256: A2FCFA98B1B05891DCFFA2DC0AD013E9652B03FA2E9DF471891E978B821CFC21
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 3
TCP/UDP connections: 4
DNS requests: 5
Threats: 0

HTTP requests

PID 3452, iexplore.exe
Method: GET
HTTP Code: 301
IP: 104.27.143.228:80
URL: http://docusiqn.ml/dreal/crtwon.exe
CN: US
Type: (not listed)
Size: (not listed)
Reputation: suspicious

PID 252, explorer.exe
Method: GET
HTTP Code: 301
IP: 69.164.196.16:80
URL: http://www.caitlinbeanan.com/da/?0pq=xu3pfh/CIhk2+bS4WjMtuYtPJqtH663apxNu8ur9+VVrIaAfJWWsc0/tcUvmmUKDNpHVPA==&00=Kxd09P7Pz
CN: US
Type: html
Size: 420 b
Reputation: malicious

PID 2956, iexplore.exe
Method: GET
HTTP Code: 200
IP: 204.79.197.200:80
URL: http://www.bing.com/favicon.ico
CN: US
Type: image
Size: 237 b
Reputation: whitelisted

Connections

PID  | Process      | IP                 | Domain                | ASN                   | CN | Reputation
3452 | iexplore.exe | 104.27.143.228:80  | docusiqn.ml           | Cloudflare Inc        | US | shared
2956 | iexplore.exe | 204.79.197.200:80  | www.bing.com          | Microsoft Corporation | US | whitelisted
252  | explorer.exe | 69.164.196.16:80   | www.caitlinbeanan.com | Linode, LLC           | US | malicious
3452 | iexplore.exe | 104.27.143.228:443 | docusiqn.ml           | Cloudflare Inc        | US | shared

DNS requests

Domain                | IP                             | Reputation
docusiqn.ml           | 104.27.142.228, 104.27.143.228 | suspicious
www.bing.com          | 204.79.197.200, 13.107.21.200  | whitelisted
www.caitlinbeanan.com | 69.164.196.16                  | malicious

Threats

PID          | Process      | Class                         | Message
(not listed) | (not listed) | Potentially Bad Traffic       | ET INFO DNS Query for Suspicious .ml Domain
3452         | iexplore.exe | Potentially Bad Traffic       | ET INFO Suspicious Domain (*.ml) in TLS SNI
252          | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1 ETPRO signature is available in the full report
No debug info