File name: | INVOICE OF PAYMENT.xlsx |
Full analysis: | https://app.any.run/tasks/eddb0a5f-6e59-412d-bbd9-3d77277104f6 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It stands out from much of the competing malware by its ease of use, which lets even inexperienced threat actors deploy it. |
Analysis date: | May 20, 2022, 19:56:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted (an encrypted OLE2 compound document, not the ZIP-based OOXML container the .xlsx extension normally denotes; Excel opens it regardless of extension, and encryption of this kind, often with Excel's default password VelvetSweatshop that Excel tries without prompting, hides the embedded objects from static scanners until Excel decrypts the file) |
MD5: | 4AED8D2A71C1585584991748A730FFDD |
SHA1: | 46B0BB540EA6AE963286CF70D2DA73CEB84BF1D7 |
SHA256: | F4159825F4DB2E144AE356E67C360949C6ABD85B910726425DDF68CBAE1D72B3 |
SSDEEP: | 3072:Ly0siJsnDTBPzpmbnPpFpVX26lBUbiPCF/IL/osy65KckTM1A2KJ//NahzVLzS:PsnD9PzpmbxFpE6jJUwpK+e13N8pLG |
PID | CMD | Path | Indicators | Parent process | User | Integrity level | Description | Company | Version | Exit code
---|---|---|---|---|---|---|---|---|---|---
2848 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE | admin | MEDIUM | Microsoft Excel | Microsoft Corporation | 14.0.6024.1000 | —
3284 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe | admin | MEDIUM | Microsoft Equation Editor | Design Science, Inc. | 00110900 | 0
2160 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | | EQNEDT32.EXE | admin | MEDIUM | TFlow | — | 2.3.0.0 | 0
3572 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CXOsgJb" /XML "C:\Users\admin\AppData\Local\Temp\tmp85A.tmp" | C:\Windows\System32\schtasks.exe | — | vbc.exe | admin | MEDIUM | Manages scheduled tasks | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
1640 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | vbc.exe | admin | MEDIUM | TFlow | — | 2.3.0.0 | 0
4060 | "C:\Windows\System32\dwm.exe" | C:\Windows\System32\dwm.exe | | Explorer.EXE | admin | MEDIUM | Desktop Window Manager | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) | —
1080 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | | — | admin | MEDIUM | Windows Explorer | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) | —

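The process table above is the whole infection chain: EQNEDT32.EXE is started by the DCOM launcher (svchost.exe) when the workbook activates an embedded Equation object, so Excel is not its parent and the child it spawns (vbc.exe from C:\Users\Public) is the strong signal; vbc.exe then registers a scheduled task from an XML file in %TEMP% and starts a copy of itself. The rules below, an added example that is not part of the ANY.RUN report, fire on exactly those steps. The ProcEvent schema is assumed (it mirrors the Image, CommandLine and ParentImage fields of a Sysmon Event ID 1 or EDR process-create event) and the event list is constructed from the table.

```python
"""Process-tree rules over the chain in this report.

Added example, not part of the ANY.RUN report. The events are constructed
from the process table above; the ProcEvent fields are an assumed schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # executable file name
    cmdline: str
    parent_image: str  # executable file name of the parent, "" if unknown


# C:\Users\Public\... or C:\Users\<name>\AppData\... : user-writable, no admin needed
USER_WRITABLE = re.compile(r"^c:\\users\\(?:public|[^\\]+\\appdata)\\", re.IGNORECASE)


def image_path(cmdline: str) -> str:
    """First token of the command line, with surrounding quotes removed."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    return m.group(1) or m.group(2)


def equation_editor_started(ev: ProcEvent) -> bool:
    # Any EQNEDT32.EXE activation deserves a look on a 2022 estate; low severity alone.
    return ev.image.lower() == "eqnedt32.exe"


def equation_editor_child(ev: ProcEvent) -> bool:
    # Equation Editor renders formulas; it has no business spawning processes.
    return ev.parent_image.lower() == "eqnedt32.exe"


def user_writable_image(ev: ProcEvent) -> bool:
    return bool(USER_WRITABLE.match(image_path(ev.cmdline)))


def schtasks_xml_from_temp(ev: ProcEvent) -> bool:
    # schtasks /Create /XML <file under \Temp\>: persistence registered from a dropped definition.
    cl = ev.cmdline.lower()
    return ev.image.lower() == "schtasks.exe" and "/create" in cl and "/xml" in cl and "\\temp\\" in cl


def self_respawn_from_user_dir(ev: ProcEvent) -> bool:
    # A binary in a user-writable path starting a copy of itself: typical unpack-and-inject stage.
    return ev.image.lower() == ev.parent_image.lower() and user_writable_image(ev)


RULES = {f.__name__: f for f in (equation_editor_started, equation_editor_child,
                                 user_writable_image, schtasks_xml_from_temp,
                                 self_respawn_from_user_dir)}


def evaluate(events):
    """Return (rule name, pid) for every rule that fires, in event order."""
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev)]


def flagged_pids(events):
    return {pid for _, pid in evaluate(events)}


# Constructed from the process table of this report.
EVENTS = [
    ProcEvent(2848, "EXCEL.EXE", r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde', "Explorer.EXE"),
    ProcEvent(3284, "EQNEDT32.EXE", r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding', "svchost.exe"),
    ProcEvent(2160, "vbc.exe", r'"C:\Users\Public\vbc.exe"', "EQNEDT32.EXE"),
    ProcEvent(3572, "schtasks.exe", r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CXOsgJb" /XML "C:\Users\admin\AppData\Local\Temp\tmp85A.tmp"', "vbc.exe"),
    ProcEvent(1640, "vbc.exe", r'"C:\Users\Public\vbc.exe"', "vbc.exe"),
    ProcEvent(4060, "dwm.exe", r'"C:\Windows\System32\dwm.exe"', "Explorer.EXE"),
    ProcEvent(1080, "Explorer.EXE", r"C:\Windows\Explorer.EXE", ""),
]

if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{pid}: {name}")
```

Note what the rules do not catch: Explorer.EXE (1080) and dwm.exe (4060) carry the injected FormBook code and make the C2 traffic, but their process-create events are clean. Those two need the network-side view or injection telemetry (CreateRemoteThread / image-load events), not parent-child rules.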
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
1080 | Explorer.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 | CheckSetting | write | —
2848 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | zs; | write | 7A733B00200B0000010000000000000000000000
2848 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | write | Off
2848 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1041 | write | Off
2848 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1046 | write | Off
2848 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1036 | write | Off
2848 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1031 | write | Off
2848 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1040 | write | Off
2848 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1049 | write | Off
2848 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 3082 | write | Off

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2848 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR4F5A.tmp.cvr | — | — | —
2160 | vbc.exe | C:\Users\admin\AppData\Roaming\CXOsgJb.exe | executable | B3A25F8FA62494CA8B99B28C4B4BB9B7 | E793DAC4E4C4C8553C02CBE177B1DE4759BF777D150ECA151C53E9C58F6B23D3
3284 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | B3A25F8FA62494CA8B99B28C4B4BB9B7 | E793DAC4E4C4C8553C02CBE177B1DE4759BF777D150ECA151C53E9C58F6B23D3
2160 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp85A.tmp | xml | 6ED0AFD3946A159E98A79A9A63E21FF0 | 670D5E6A901C8BA253B36A84A5E39D616EDC9617AF7D30590D2828A7DB7E727B
2848 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77E9B80B.emf | emf | 894A796F9211E1080192AC72B6D54A9D | 8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A
3284 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\vbc[1].exe | executable | B3A25F8FA62494CA8B99B28C4B4BB9B7 | E793DAC4E4C4C8553C02CBE177B1DE4759BF777D150ECA151C53E9C58F6B23D3
2848 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\92DE0FB2.emf | emf | 8E3A74F7AA420B02D34C69E625969C0A | 0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1080 | Explorer.EXE | GET | — | 198.54.117.215:80 | http://www.duniacuan.online/n6g4/?Ul9L_=H+B+k+qiGMMG4FOx+jp/ozBWPUXFvqdW8k3ooRnseHQkdgyscNG4g4LgJodfOBvpqNfyGQ==&5j=zl3D | US | — | — | malicious |
3284 | EQNEDT32.EXE | GET | 200 | 192.210.240.45:80 | http://192.210.240.45/700/vbc.exe | US | executable | 648 Kb | malicious |
1080 | Explorer.EXE | GET | 302 | 64.190.63.111:80 | http://www.plentyhearty.com/n6g4/?Ul9L_=1h7R1arRz3E4gdW1XBwvnn1v8eav0kfRFFnMvagqBjAJ+ZAKeNeFVzORKknqGRAQXs0xug==&5j=zl3D | US | — | — | malicious |
1080 | Explorer.EXE | GET | 403 | 34.102.136.180:80 | http://www.cliffpassphotographyllc.com/n6g4/?Ul9L_=RmKugVRP3DLdlbmOkqENJP8vqqTPjhikGwoqkD2t4Fv9KQzc/VBT6S/fqc4wjql3xXkRcA==&5j=zl3D | US | html | 291 b | malicious |
1080 | Explorer.EXE | GET | 403 | 185.53.179.171:80 | http://www.employeebnsf.com/n6g4/?Ul9L_=/8Ga1vKGW5MV/13rB/c9R87wDDB6IH5FC+aL3DgDAA8ZWL71dgMkGG8G59FtakXMZzjYgQ==&5j=zl3D | DE | html | 146 b | malicious |
1080 | Explorer.EXE | GET | 403 | 34.102.136.180:80 | http://www.luxurybathshowers.com/n6g4/?Ul9L_=wNT20nlCD+z1zl9ZjWVvlajHS1qEluo7RFpjBdU4pvAsmgfvk7OHprW1dCu0p5f0sWsQfw==&5j=zl3D | US | html | 291 b | malicious |
1080 | Explorer.EXE | GET | 301 | 52.222.236.87:80 | http://www.o-taguro.com/n6g4/?Ul9L_=uuG58PPwf9dwWu3rI3FUVGJ5XjmQTEmzvQuy5/6xJ84IguGgWMhlXvrQaldP9h3flxPK/A==&5j=zl3D | US | html | 183 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1080 | Explorer.EXE | 34.102.136.180:80 | www.cliffpassphotographyllc.com | — | US | whitelisted |
3284 | EQNEDT32.EXE | 192.210.240.45:80 | — | ColoCrossing | US | malicious |
1080 | Explorer.EXE | 185.53.179.171:80 | www.employeebnsf.com | Team Internet AG | DE | malicious |
1080 | Explorer.EXE | 198.54.117.215:80 | www.duniacuan.online | Namecheap, Inc. | US | malicious |
1080 | Explorer.EXE | 64.190.63.111:80 | www.plentyhearty.com | — | US | malicious |
1080 | Explorer.EXE | 52.222.236.87:80 | www.o-taguro.com | Amazon.com, Inc. | US | malicious |
Domain | IP | Reputation
---|---|---
www.plentyhearty.com | — | malicious
www.cliffpassphotographyllc.com | — | malicious
www.o-taguro.com | — | malicious
www.duniacuan.online | — | malicious
www.luxurybathshowers.com | — | malicious
www.employeebnsf.com | — | malicious
www.linymar.xyz | — | unknown
www.jumpn-giveaway.online | — | malicious
www.admincost.com | — | unknown

PID | Process | Class | Message |
---|---|---|---|
3284 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3284 | EQNEDT32.EXE | A Network Trojan was detected | ET TROJAN MSIL/GenKryptik.FQRH Download Request |
3284 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3284 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3284 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3284 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3284 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
1080 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1080 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1080 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
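The Suricata alerts above fire on two distinct things: EQNEDT32.EXE pulling an executable from a bare IP address, and Explorer.EXE walking six different www.* hosts with the same path (/n6g4/) and the same two query parameter names (Ul9L_ holding a long base64-looking blob, 5j holding a short tag). The following proxy-log heuristics, an added example that is not part of the ANY.RUN report, reproduce both findings from the HTTP table. The check-in pattern is derived from the six requests in this report and is a heuristic, not the ET signature; the log-line format (pid, process, method, URL) is constructed, as are the two benign lines.

```python
"""Proxy-log heuristics for the traffic in this report.

Added example, not part of the ANY.RUN report. The log lines are
constructed from the HTTP table above (pid process method URL);
the check-in pattern is a heuristic derived from those six requests.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

B64_VALUE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SHORT_PATH = re.compile(r"^[a-z0-9]{3,8}$")
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def raw_query_pairs(query: str):
    """Split a query string without decoding it.

    urllib.parse.parse_qsl would turn '+' into ' ' and unquote '%xx',
    destroying the base64-looking value we want to inspect."""
    pairs = []
    for part in query.split("&"):
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def is_checkin_like(url: str) -> bool:
    """Single short path segment, exactly two query parameters, first value a
    long base64-looking blob, second value short: the shape of every
    Explorer.EXE GET in this report."""
    u = urlsplit(url)
    if u.scheme != "http" or not u.hostname or not u.hostname.startswith("www."):
        return False
    segments = [s for s in u.path.split("/") if s]
    if len(segments) != 1 or not SHORT_PATH.match(segments[0]):
        return False
    pairs = raw_query_pairs(u.query)
    if len(pairs) != 2:
        return False
    (_, blob), (_, tag) = pairs
    return len(blob) >= 40 and bool(B64_VALUE.match(blob)) and 1 <= len(tag) <= 8


def is_dotted_quad_exe_download(url: str) -> bool:
    """Executable fetched from a host given as a bare IPv4 address."""
    u = urlsplit(url)
    return bool(u.hostname and DOTTED_QUAD.match(u.hostname)) and u.path.lower().endswith(".exe")


def rotating_checkins(lines, min_hosts: int = 3):
    """Group check-in-like GETs by (pid, process, path, query keys) and keep the
    groups that reached several distinct hosts: one process cycling the same
    request shape through a list of domains is the rotation FormBook does."""
    groups = defaultdict(set)
    for line in lines:
        pid, process, method, url = line.split()
        if method != "GET" or not is_checkin_like(url):
            continue
        u = urlsplit(url)
        keys = tuple(k for k, _ in raw_query_pairs(u.query))
        groups[(int(pid), process, u.path, keys)].add(u.hostname)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}


def exe_downloads(lines):
    return [line.split()[3] for line in lines if is_dotted_quad_exe_download(line.split()[3])]


# Constructed from the HTTP table of this report, plus two constructed benign lines.
LOG_LINES = [
    "3284 EQNEDT32.EXE GET http://192.210.240.45/700/vbc.exe",
    "1080 Explorer.EXE GET http://www.duniacuan.online/n6g4/?Ul9L_=H+B+k+qiGMMG4FOx+jp/ozBWPUXFvqdW8k3ooRnseHQkdgyscNG4g4LgJodfOBvpqNfyGQ==&5j=zl3D",
    "1080 Explorer.EXE GET http://www.plentyhearty.com/n6g4/?Ul9L_=1h7R1arRz3E4gdW1XBwvnn1v8eav0kfRFFnMvagqBjAJ+ZAKeNeFVzORKknqGRAQXs0xug==&5j=zl3D",
    "1080 Explorer.EXE GET http://www.cliffpassphotographyllc.com/n6g4/?Ul9L_=RmKugVRP3DLdlbmOkqENJP8vqqTPjhikGwoqkD2t4Fv9KQzc/VBT6S/fqc4wjql3xXkRcA==&5j=zl3D",
    "1080 Explorer.EXE GET http://www.employeebnsf.com/n6g4/?Ul9L_=/8Ga1vKGW5MV/13rB/c9R87wDDB6IH5FC+aL3DgDAA8ZWL71dgMkGG8G59FtakXMZzjYgQ==&5j=zl3D",
    "1080 Explorer.EXE GET http://www.luxurybathshowers.com/n6g4/?Ul9L_=wNT20nlCD+z1zl9ZjWVvlajHS1qEluo7RFpjBdU4pvAsmgfvk7OHprW1dCu0p5f0sWsQfw==&5j=zl3D",
    "1080 Explorer.EXE GET http://www.o-taguro.com/n6g4/?Ul9L_=uuG58PPwf9dwWu3rI3FUVGJ5XjmQTEmzvQuy5/6xJ84IguGgWMhlXvrQaldP9h3flxPK/A==&5j=zl3D",
    "1080 Explorer.EXE GET http://www.example.com/index.html?id=5",
    "2848 EXCEL.EXE GET http://www.example.com/abcd/?q=hello&page=2",
]

if __name__ == "__main__":
    print(exe_downloads(LOG_LINES))
    for key, hosts in rotating_checkins(LOG_LINES).items():
        print(key, hosts)
```

The per-URL check alone is noisy (plenty of legitimate sites use short paths and opaque tokens); the rotation across hosts from one process is what makes it actionable, and it also explains why the connections table lists one of these hosts as whitelisted: the decoy domains in the list are ordinary parked or legitimate sites, so reputation on a single host is not a reliable signal here.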