analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sw.xlsx

Full analysis: https://app.any.run/tasks/88480d1f-f4e2-466a-9508-b6f138e4c8db
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: October 14, 2019, 06:45:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
trojan
formbook
stealer
Indicators:
MIME: application/octet-stream
File info: Microsoft OOXML
MD5:

061A247CD99FA7ADBAE2A112D4C9FBD4

SHA1:

B7836BF1F6E9283653FAC821CF28463C59AFA859

SHA256:

A299A1B24EC7E9A09D0D14E87C335725668580EE515171A6B1BB0104265E7F59

SSDEEP:

24576:p0bcdCmfypoX1IOoUYb1t8FQ5IYtDDfnzrDqCQMEDusL4fmHEXxVlcHaaaxA:WQdCm6qKpHQ8I23fzHK1DusL+W6aay

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3128)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3128)
    • Application was dropped or rewritten from another process

      • avast.exe (PID: 3356)
      • 1b8ppj.exe (PID: 2264)
    • Changes the autorun value in the registry

      • control.exe (PID: 1044)
    • FORMBOOK was detected

      • explorer.exe (PID: 352)
      • control.exe (PID: 1044)
      • Firefox.exe (PID: 3268)
    • Connects to CnC server

      • explorer.exe (PID: 352)
    • Actions looks like stealing of personal data

      • control.exe (PID: 1044)
    • Stealing of credential data

      • control.exe (PID: 1044)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 3128)
      • DllHost.exe (PID: 3828)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3128)
      • control.exe (PID: 1044)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3128)
      • explorer.exe (PID: 352)
      • DllHost.exe (PID: 3828)
    • Starts CMD.EXE for commands execution

      • control.exe (PID: 1044)
    • Loads DLL from Mozilla Firefox

      • control.exe (PID: 1044)
    • Creates files in the program directory

      • DllHost.exe (PID: 3828)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2576)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 352)
    • Manual execution by user

      • control.exe (PID: 1044)
      • autoconv.exe (PID: 2200)
    • Reads the hosts file

      • control.exe (PID: 1044)
    • Creates files in the user directory

      • Firefox.exe (PID: 3268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:10:13 16:11:04
ZipCRC: 0xea720091
ZipCompressedSize: 396
ZipUncompressedSize: 1630
ZipFileName: [Content_Types].xml

XML

Application: WPS 表格
HeadingPairs:
  • 工作表
  • 1
TitlesOfParts: stmt (3)
CreateDate: 2019:06:02 21:01:48Z
ModifyDate: 2019:06:02 21:04:29Z
KSOProductBuildVer: 2052-1.1.0.1454
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
13
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start excel.exe no specs eqnedt32.exe avast.exe no specs autoconv.exe no specs #FORMBOOK control.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs Copy/Move/Rename/Delete/Link Object 1b8ppj.exe no specs autofmt.exe no specs autofmt.exe no specs services.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2576"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3128"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3356C:\Users\admin\AppData\Roaming\avast.exeC:\Users\admin\AppData\Roaming\avast.exeEQNEDT32.EXE
User:
admin
Company:
IDM Computer Solutions, Inc.
Integrity Level:
MEDIUM
Description:
Msnews Dialup Scheduler Extra Usman Horizontal
Exit code:
0
Version:
3.7.1.7
2200"C:\Windows\System32\autoconv.exe"C:\Windows\System32\autoconv.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Auto File System Conversion Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1044"C:\Windows\System32\control.exe"C:\Windows\System32\control.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Control Panel
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1820/c del "C:\Users\admin\AppData\Roaming\avast.exe"C:\Windows\System32\cmd.execontrol.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3268"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
control.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
3828C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2264"C:\Program Files\Cnv1dcv_\1b8ppj.exe"C:\Program Files\Cnv1dcv_\1b8ppj.exeexplorer.exe
User:
admin
Company:
IDM Computer Solutions, Inc.
Integrity Level:
MEDIUM
Description:
Msnews Dialup Scheduler Extra Usman Horizontal
Exit code:
0
Version:
3.7.1.7
Total events
755
Read events
649
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
79
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2576EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRB4C4.tmp.cvr
MD5:
SHA256:
2576EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~$sw.xlsx
MD5:
SHA256:
2576EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE819.tmp
MD5:
SHA256:
3356avast.exeC:\Users\admin\AppData\Local\Temp\EECF.tmp
MD5:
SHA256:
2576EXCEL.EXEC:\Users\admin\AppData\Local\Temp\error025760_01.xmlxml
MD5:1B74637ECC50196F43A0C062401F3A00
SHA256:0A12FC13D58CD4301C716EF0691BB22CC12E92F96BF1148C658E96BDCFB587E2
3128EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\papx5[1].exeexecutable
MD5:2C42DB0C6F56CA547F38898FDD5E24BE
SHA256:A562E25CD73CED6AC595EC3268866B6DD6090BC0097BEF730564449301B4AFCA
3128EQNEDT32.EXEC:\Users\admin\AppData\Roaming\avast.exeexecutable
MD5:2C42DB0C6F56CA547F38898FDD5E24BE
SHA256:A562E25CD73CED6AC595EC3268866B6DD6090BC0097BEF730564449301B4AFCA
1044control.exeC:\Users\admin\AppData\Roaming\4L8P-DA7\4L8logrc.inibinary
MD5:E03F207A7B9CFC4D877ED2EC64BE028E
SHA256:B17183098B6E349844A3151456EDF62C8E41B2348D2445A610C0FF1E29963067
3268Firefox.exeC:\Users\admin\AppData\Roaming\4L8P-DA7\4L8logrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
1044control.exeC:\Users\admin\AppData\Roaming\4L8P-DA7\4L8logim.jpegimage
MD5:31ACB232EB89FDA84183A13B0048A0A4
SHA256:88E90D8D0A4EAF897A541502227365C6D448E99D67ADC8BDFE82BE8F1841BBE2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
14
DNS requests
29
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
352
explorer.exe
GET
50.63.202.49:80
http://www.bamcis.net/zu3/?q4N=O1xnt7cREnvDNcfCE/t7kiEsno+5j5OxCtX262q+XoZ9wJZvBnb2pDVpov8hQGInTHpPKQ==&rTXd=MLrHw
US
malicious
352
explorer.exe
POST
216.58.207.83:80
http://www.apmhearn.com/zu3/
US
malicious
352
explorer.exe
GET
302
216.58.207.83:80
http://www.apmhearn.com/zu3/?q4N=CE7pEA8+ABGmwExDMjDpM19cMOI360/RY5o/yU/SgW44CbFPU3RtHLpt1C0PgLJj69kxLg==&rTXd=MLrHw&sql=1
US
html
222 b
malicious
352
explorer.exe
GET
208.88.110.53:80
http://www.crystalconstructioninc.com/zu3/?q4N=X7W/SrXIDPlTcAPMv+i/ilNq7bB7M2Zk0fCIr6JuciOnWcc1OndeqlTgNYJ5B85uIdUvfA==&rTXd=MLrHw&sql=1
CA
malicious
352
explorer.exe
POST
216.58.207.83:80
http://www.apmhearn.com/zu3/
US
malicious
352
explorer.exe
POST
80.237.133.145:80
http://www.undercover-trainer.com/zu3/
DE
malicious
352
explorer.exe
GET
404
80.237.133.145:80
http://www.undercover-trainer.com/zu3/?q4N=SLQyPbHhUjAxryS/t+yAH+VSXSvKgg521Y5cP6AUipcy+oMO148WKXxvw0hQogWiC7Xb1g==&rTXd=MLrHw&sql=1
DE
xml
1000 b
malicious
352
explorer.exe
POST
80.237.133.145:80
http://www.undercover-trainer.com/zu3/
DE
malicious
352
explorer.exe
POST
80.237.133.145:80
http://www.undercover-trainer.com/zu3/
DE
malicious
352
explorer.exe
POST
208.88.110.53:80
http://www.crystalconstructioninc.com/zu3/
CA
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3128
EQNEDT32.EXE
5.101.174.39:443
turacoenterprises.com
UK Dedicated Servers Limited
GB
malicious
352
explorer.exe
216.58.207.83:80
www.apmhearn.com
Google Inc.
US
whitelisted
352
explorer.exe
50.63.202.49:80
www.bamcis.net
GoDaddy.com, LLC
US
malicious
352
explorer.exe
208.88.110.53:80
www.crystalconstructioninc.com
Fibrenoire Inc.
CA
malicious
352
explorer.exe
80.237.133.145:80
www.undercover-trainer.com
Host Europe GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
turacoenterprises.com
  • 5.101.174.39
unknown
www.practicalefflux.com
unknown
www.polynold.com
unknown
www.bamcis.net
  • 50.63.202.49
malicious
www.apmhearn.com
  • 216.58.207.83
malicious
www.crystalconstructioninc.com
  • 208.88.110.53
malicious
www.yumingrenzheng.com
unknown
www.realgearstore.com
unknown
www.zzaeltd.com
unknown
www.qtcqh4.link
unknown

Threats

PID
Process
Class
Message
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
10 ETPRO signatures available at the full report
No debug info