
Analysis Report 7PO#6017060628.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 163029
Start date: 14.08.2019
Start time: 06:02:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 7PO#6017060628.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@16/3@1/2
EGA Information:
  • Successful, ratio: 83.3%
HDC Information:
  • Successful, ratio: 44.4% (good quality ratio 29.1%)
  • Quality average: 50.8%
  • Quality standard deviation: 43.3%
HCA Information:
  • Successful, ratio: 56%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 93.184.221.240
  • Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, s-0001.s-msedge.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, e-0009.e-msedge.net, wu.wpc.apr-52dd2.edgecastdns.net, config.edge.skype.com, wu.azureedge.net
  • Execution Graph export aborted for target Word.exe, PID 3244 because there are no executed functions
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Remcos | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Scripting1 | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Software Packing21 | Credential Dumping1 | System Time Discovery1 | Remote File Copy11 | Screen Capture1 | Data Encrypted1 | Uncommonly Used Port1
Replication Through Removable Media | Execution through API1 | Port Monitors | Process Injection111 | Deobfuscate/Decode Files or Information1 | Credentials in Files2 | Account Discovery1 | Remote Services | Input Capture111 | Exfiltration Over Other Network Medium | Remote File Copy11
Drive-by Compromise | Command-Line Interface1 | Accessibility Features | Path Interception | Scripting1 | Input Capture111 | Security Software Discovery211 | Windows Remote Management | Clipboard Data2 | Automated Exfiltration | Standard Cryptographic Protocol1
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information2 | Credentials in Files | File and Directory Discovery3 | Logon Scripts | Input Capture | Data Encrypted | Remote Access Tools1
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Access Token Manipulation1 | Account Manipulation | System Information Discovery11 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Non-Application Layer Protocol1
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Process Injection111 | Brute Force | Process Discovery2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Standard Application Layer Protocol111
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | DLL Side-Loading1 | Two-Factor Authentication Interception | System Owner/User Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | Remote System Discovery11 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Network Configuration Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Word.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: 7PO#6017060628.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for domain / URL
Source: qbi.ddns.net | virustotal: Detection: 8%
Antivirus or Machine Learning detection for unpacked file
Source: 8.0.Word.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 6.0.Word.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.Word.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.7PO#6017060628.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 7.0.Word.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.7PO#6017060628.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 8.2.Word.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 6.2.Word.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 2.0.7PO#6017060628.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_00402C45 _EH_prolog,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$ch
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_0040BC9B ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_t
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_00403183 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$bas
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_0040F234 SetFileAttributesA,FindFirstFileA,FindNextFileA,RemoveDirectoryA,SetFileAttributesA,DeleteFileA,GetLastError,FindClose,RemoveDirectoryA,FindClose,
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_00405AFB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basi
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_004057B6 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDAB
Contains functionality to query local drives
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_0040BEA2 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.7:49718 -> 98.143.144.233:8877
Uses dynamic DNS services
Source: unknown | DNS query: name: qbi.ddns.net
Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_0040221C ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: qbi.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [Esc]
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [Enter]
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [Tab]
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [Down]
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [Right]
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [Up]
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [Left]
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [End]
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [F2]
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [F1]
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [Del]
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: [Del]
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_004050FC OpenClipboard,GetClipboardData,CloseClipboard,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_004050FC OpenClipboard,GetClipboardData,CloseClipboard,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_0040D71E CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,StretchBlt,GetObjectA,LocalAlloc,GlobalAlloc,GetDIBits,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$cha
Creates a DirectInput object (often for capturing keystrokes)
Source: Word.exe, 00000008.00000002.17400288051.00000000006F0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: 7PO#6017060628.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 0_2_023D0B98 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_00590B98 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 6_2_02A80B98 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 7_2_021C0B98 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 8_2_006D0B98 NtProtectVirtualMemory,
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basi
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2448:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Word.exe | Mutant created: \Sessions\1\BaseNamedObjects\YUDTIGUTKRCVVIYL
Detected potential crypto function
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 0_2_00401108
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 0_2_023D32D1
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_005932D1
Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 6_2_02A832D1
Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 7_2_021C32D1
Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 8_2_006D32D1
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: String function: 0040FC1A appears 54 times
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: String function: 0040FCBA appears 34 times
Reads the hosts file
Source: C:\Users\user\AppData\Roaming\Word.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Word.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file name differs from the original file name gathered from version info
Source: 7PO#6017060628.exe, 00000000.00000002.17333173594.00000000004A5000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGoldentrueadonitol.exe vs 7PO#6017060628.exe
Source: 7PO#6017060628.exe, 00000002.00000002.17344555030.00000000000C0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 7PO#6017060628.exe
Source: 7PO#6017060628.exe, 00000002.00000000.17331216578.00000000004A5000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGoldentrueadonitol.exe vs 7PO#6017060628.exe
Source: 7PO#6017060628.exe, 00000002.00000002.17344741274.0000000000120000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 7PO#6017060628.exe
Source: 7PO#6017060628.exe, 00000002.00000002.17344741274.0000000000120000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 7PO#6017060628.exe
Source: 7PO#6017060628.exe | Binary or memory string: OriginalFilenameGoldentrueadonitol.exe vs 7PO#6017060628.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\7PO#6017060628.exe | File read: C:\Users\user\Desktop\7PO#6017060628.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Section loaded: wow64log.dll
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: wow64log.dll
Yara signature match
Source: 00000009.00000002.17409548310.0000000000410000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000000.00000002.17346376010.0000000004D56000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000006.00000002.17374600640.00000000045B6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000008.00000002.17411140757.0000000004E76000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000002.00000002.17349065164.00000000029E6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000007.00000002.17737403419.0000000000410000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000002.00000002.17344909271.0000000000410000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000007.00000002.17740452978.0000000002A96000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000009.00000002.17412356602.0000000002AC6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 2.2.7PO#6017060628.exe.29e6000.2.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 2.2.7PO#6017060628.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 9.2.Word.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 7.2.Word.exe.2a96000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 2.2.7PO#6017060628.exe.29e6000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 7.2.Word.exe.2a96000.1.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 7.2.Word.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 9.2.Word.exe.2ac6000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 9.2.Word.exe.2ac6000.1.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Classification label
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@16/3@1/2
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_0040CA41 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,
Contains functionality to enumerate processes or threads
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_004081B7 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\7PO#6017060628.exe | Code function: 2_2_00408150 FindResourceA,LoadResource,LockResource,SizeofResource,
Creates files inside the user directory
Source: C:\Users\user\Desktop\7PO#6017060628.exe | File created: C:\Users\user\AppData\Roaming\Word.exe
Creates temporary files
Source: C:\Users\user\Desktop\7PO#6017060628.exe | File created: C:\Users\user~1\AppData\Local\Temp\install.bat
Executes batch files
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user~1\AppData\Local\Temp\install.bat' '
PE file has an executable .text section and no other executable section
Source: 7PO#6017060628.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)Show sources
Source: C:\Users\user\Desktop\7PO#6017060628.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\7PO#6017060628.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\Word.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\Word.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\Word.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\Word.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Reads ini files
Source: C:\Users\user\Desktop\7PO#6017060628.exe File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\7PO#6017060628.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown Process created: C:\Users\user\Desktop\7PO#6017060628.exe 'C:\Users\user\Desktop\7PO#6017060628.exe'
Source: unknown Process created: C:\Users\user\Desktop\7PO#6017060628.exe 'C:\Users\user\Desktop\7PO#6017060628.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user~1\AppData\Local\Temp\install.bat' '
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: unknown Process created: C:\Users\user\AppData\Roaming\Word.exe 'C:\Users\user\AppData\Roaming\Word.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Word.exe 'C:\Users\user\AppData\Roaming\Word.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Word.exe 'C:\Users\user\AppData\Roaming\Word.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Word.exe 'C:\Users\user\AppData\Roaming\Word.exe'
Source: C:\Users\user\Desktop\7PO#6017060628.exe Process created: C:\Users\user\Desktop\7PO#6017060628.exe 'C:\Users\user\Desktop\7PO#6017060628.exe'
Source: C:\Users\user\Desktop\7PO#6017060628.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user~1\AppData\Local\Temp\install.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Word.exe 'C:\Users\user\AppData\Roaming\Word.exe'
Source: C:\Users\user\AppData\Roaming\Word.exe Process created: C:\Users\user\AppData\Roaming\Word.exe 'C:\Users\user\AppData\Roaming\Word.exe'
Source: C:\Users\user\AppData\Roaming\Word.exe Process created: C:\Users\user\AppData\Roaming\Word.exe 'C:\Users\user\AppData\Roaming\Word.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\7PO#6017060628.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\7PO#6017060628.exe Unpacked PE file: 2.2.7PO#6017060628.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Roaming\Word.exe Unpacked PE file: 7.2.Word.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Roaming\Word.exe Unpacked PE file: 9.2.Word.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\7PO#6017060628.exe Unpacked PE file: 2.2.7PO#6017060628.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Word.exe Unpacked PE file: 7.2.Word.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Word.exe Unpacked PE file: 9.2.Word.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,
PE file contains an invalid checksum
Source: 7PO#6017060628.exe Static PE information: real checksum: 0xa79f4 should be: 0xa8403
Source: Word.exe.2.dr Static PE information: real checksum: 0xa79f4 should be: 0xa8403
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_004025D5 push 004010FAh; ret
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_004025EC push 004010FAh; ret
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_00402600 push 004010FAh; ret
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_00402614 push 004010FAh; ret
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D2A26 push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D2A03 push esi; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D2A43 push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D2898 push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D26F7 push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D26DC push esi; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D28D8 push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D273F push ebp; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D296F push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D275F push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D294F push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D29AC push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D29C2 push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0040FCF0 push eax; ret
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0041C6EA push es; ret
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00592A43 push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00592A03 push esi; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00592A26 push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_005928D8 push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_005926DC push esi; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_005926F7 push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00592898 push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0059275F push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0059294F push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0059296F push ebx; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0059273F push ebp; iretd
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_005929C2 push ebx; iretd

Persistence and Installation Behavior:

Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basi
Drops PE files
Source: C:\Users\user\Desktop\7PO#6017060628.exe File created: C:\Users\user\AppData\Roaming\Word.exe

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\Desktop\7PO#6017060628.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Office Word Manager
Source: C:\Users\user\Desktop\7PO#6017060628.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Office Word Manager

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\7PO#6017060628.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7PO#6017060628.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7PO#6017060628.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7PO#6017060628.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7PO#6017060628.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7PO#6017060628.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7PO#6017060628.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7PO#6017060628.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7PO#6017060628.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect virtual machines (IN, VMware)
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00401102 in eax, dx
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 7PO#6017060628.exe, Word.exe, 00000006.00000002.17374600640.00000000045B6000.00000040.00000001.sdmp, Word.exe, 00000007.00000002.17740452978.0000000002A96000.00000040.00000001.sdmp, Word.exe, 00000008.00000002.17411140757.0000000004E76000.00000040.00000001.sdmp, Word.exe, 00000009.00000002.17409548310.0000000000410000.00000004.00020000.sdmp Binary or memory string: SBIEDLL.DLL
Source: 7PO#6017060628.exe, 00000002.00000002.17344909271.0000000000410000.00000004.00020000.sdmp, Word.exe, 00000007.00000002.17737403419.0000000000410000.00000004.00020000.sdmp, Word.exe, 00000009.00000002.17409548310.0000000000410000.00000004.00020000.sdmp Binary or memory string: OSBIEDLL.DLL
Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\7PO#6017060628.exe API coverage: 7.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\Word.exe TID: 2816 Thread sleep count: 96 > 30
Source: C:\Users\user\AppData\Roaming\Word.exe TID: 2816 Thread sleep time: -96000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Word.exe TID: 3020 Thread sleep count: 40 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Word.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Word.exe Last function: Thread delayed
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0040374A GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040376Fh
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0040374A GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040376Fh
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00402C45 _EH_prolog,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$ch
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0040BC9B ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_t
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00403183 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$bas
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0040F234 SetFileAttributesA,FindFirstFileA,FindNextFileA,RemoveDirectoryA,SetFileAttributesA,DeleteFileA,GetLastError,FindClose,RemoveDirectoryA,FindClose,
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00405AFB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basi
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_004057B6 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDAB
Contains functionality to query local drives
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0040BEA2 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 7PO#6017060628.exe, Word.exe, 00000006.00000002.17374600640.00000000045B6000.00000040.00000001.sdmp, Word.exe, 00000007.00000002.17740452978.0000000002A96000.00000040.00000001.sdmp, Word.exe, 00000008.00000002.17411140757.0000000004E76000.00000040.00000001.sdmp, Word.exe, 00000009.00000002.17409548310.0000000000410000.00000004.00020000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 7PO#6017060628.exe, 00000000.00000002.17346376010.0000000004D56000.00000040.00000001.sdmp, 7PO#6017060628.exe, 00000002.00000002.17349065164.00000000029E6000.00000040.00000001.sdmp, Word.exe, 00000006.00000002.17374600640.00000000045B6000.00000040.00000001.sdmp, Word.exe, 00000007.00000002.17740452978.0000000002A96000.00000040.00000001.sdmp, Word.exe, 00000008.00000002.17411140757.0000000004E76000.00000040.00000001.sdmp, Word.exe, 00000009.00000002.17409548310.0000000000410000.00000004.00020000.sdmp Binary or memory string: @HARDWARE\ACPI\DSDT\VBOX__PROCMON_WINDOW_CLASSPROCEXPL21invalid vector<T> subscript?playaudiodatafmt WAVERIFF.wav%Y-%m-%d %H.%MgetcamsingleframenocamerastartcamcapclosecamgetcamframeinitcamcapFreeFrameGetFrameCloseCameraOpenCameracamdlldatacamframe|dmc|[DataStart][DataStart]0000%02i:%02i:%02i:%03i [KeepAlive] Enabled! (Timeout: %i seconds)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\7PO#6017060628.exe System information queried: KernelDebuggerInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D0C32 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D0C25 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D1565 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D0BB6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 0_2_023D09ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_004011A3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00590C32 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00590C25 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00591565 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_005909ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00590BB6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 6_2_02A80C25 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 6_2_02A80C32 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 6_2_02A80BB6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 6_2_02A809ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 6_2_02A81565 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 7_2_021C0C32 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 7_2_021C0C25 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 7_2_021C1565 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 7_2_021C0BB6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 7_2_021C09ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 8_2_006D0C25 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 8_2_006D0C32 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 8_2_006D1565 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 8_2_006D09ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Word.exe Code function: 8_2_006D0BB6 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0040D477 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Word.exe 'C:\Users\user\AppData\Roaming\Word.exe'
May try to detect the Windows Explorer process (often used for injection)
Source: Word.exe, 00000007.00000002.17738885355.0000000002346000.00000004.00000040.sdmp Binary or memory string: art]Apong|cmd|0|cmd|Program Manager|cmd|485|cmd|5191078Roaming\Word.exe|cmd||
Source: Word.exe, 00000007.00000002.17738622841.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Word.exe, 00000007.00000002.17738622841.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Word.exe, 00000007.00000002.17738885355.0000000002346000.00000004.00000040.sdmp Binary or memory string: d|0|cmd|Program Manager|cmd|3846521/Suz
Source: Word.exe, 00000007.00000002.17738885355.0000000002346000.00000004.00000040.sdmp Binary or memory string: d|0|cmd|Program Managercmd|avies|cmd|
Source: Word.exe, 00000007.00000002.17738885355.0000000002346000.00000004.00000040.sdmp Binary or memory string: d|0|cmd|Program Manager|cmd|485cmd|
Source: Word.exe, 00000007.00000002.17738885355.0000000002346000.00000004.00000040.sdmp Binary or memory string: d|0|cmd|Program Manager|cmd|485|cmd|a
Source: Word.exe, 00000007.00000002.17738622841.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Program Manager6
Source: Word.exe, 00000007.00000002.17738622841.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: Word.exe, 00000007.00000002.17738885355.0000000002346000.00000004.00000040.sdmp Binary or memory string: d|0|cmd|Program Manager|cmd|485|cmd|5191078avies|cmd|US|cmd|Windows 10 Ent
Source: Word.exe, 00000007.00000002.17738885355.0000000002346000.00000004.00000040.sdmp Binary or memory string: Program Managerz

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_00402832 Sleep,GetLocalTime,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,printf,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: 2_2_0040E549 GetComputerNameExW,GetUserNameW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,

Stealing of Sensitive Information:

Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\7PO#6017060628.exe Code function: \key3.db

Remote Access Functionality:

Detected Remcos RAT
Source: 7PO#6017060628.exe, 00000000.00000002.17346376010.0000000004D56000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: 7PO#6017060628.exe, 00000000.00000002.17346376010.0000000004D56000.00000040.00000001.sdmp String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: 7PO#6017060628.exe String found in binary or memory: Remcos_Mutex_Inj
Source: 7PO#6017060628.exe, 00000002.00000002.17349065164.00000000029E6000.00000040.00000001.sdmp String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: Word.exe, 00000006.00000002.17374600640.00000000045B6000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: Word.exe, 00000006.00000002.17374600640.00000000045B6000.00000040.00000001.sdmp String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: Word.exe, 00000007.00000002.17740452978.0000000002A96000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: Word.exe, 00000007.00000002.17740452978.0000000002A96000.00000040.00000001.sdmp String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: Word.exe, 00000008.00000002.17411140757.0000000004E76000.00000040.00000001.sdmpString found in binary or memory: Remcos_Mutex_Inj
Source: Word.exe, 00000008.00000002.17411140757.0000000004E76000.00000040.00000001.sdmpString found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: Word.exe, 00000009.00000002.17409548310.0000000000410000.00000004.00020000.sdmpString found in binary or memory: Remcos_Mutex_Inj
Source: Word.exe, 00000009.00000002.17409548310.0000000000410000.00000004.00020000.sdmpString found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
BOT functionalities found, sample is likely a BOT
Source: C:\Users\user\Desktop\7PO#6017060628.exeCode function: 2_2_0040A71E downloadfromurltofile prockill execcom updatefromurl
Contains functionality to launch and control a shell (cmd.exe)
Source: C:\Users\user\Desktop\7PO#6017060628.exeCode function: cmd.exe

Behavior Graph

Behavior Graph ID: 163029 | Sample: 7PO#6017060628.exe | Start date: 14/08/2019 | Architecture: WINDOWS | Score: 100

Signatures attached to the sample node:
  • Multi AV Scanner detection for domain / URL
  • Antivirus or Machine Learning detection for sample
  • Detected Remcos RAT
  • 6 other signatures

Process tree (the graph rendered as text; bracketed numbers are the created registry values / files counts shown on the node):

7PO#6017060628.exe
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); BOT functionalities found, sample is likely a BOT; 5 other signatures
  -> 7PO#6017060628.exe [1 / 4]
       dropped: C:\Users\user\AppData\Roaming\Word.exe, PE32
       dropped: C:\Users\user\...\Word.exe:Zone.Identifier, ASCII
       -> cmd.exe [1]
            signature: Uses ping.exe to sleep
            -> PING.EXE [1]  ->  127.0.0.1 (unknown / unknown)
            -> conhost.exe
            -> Word.exe
                 signatures: Antivirus or Machine Learning detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
                 -> Word.exe [1 / 1]
                      ->  qbi.ddns.net (98.143.144.233), ports 49718, 8877, unknown ASN, United States
                          signature: Detected TCP or UDP traffic on non-standard ports

Word.exe (second start from the top-level node)
  -> Word.exe

Simulations

Behavior and APIs

Time     | Type            | Description
06:03:09 | API Interceptor | 2x Sleep call for process: 7PO#6017060628.exe modified
06:03:20 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run  Office Word Manager  "C:\Users\user\AppData\Roaming\Word.exe"
06:03:29 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run  Office Word Manager  "C:\Users\user\AppData\Roaming\Word.exe"
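The behaviour graph and the two Autostart entries above describe one chain: the sample relaunches itself, drops Word.exe into AppData\Roaming, registers it under HKCU\...\Run as "Office Word Manager", starts it through cmd.exe after a ping.exe delay, and the dropped copy then talks to qbi.ddns.net on port 8877. The following is an added example, not Joe Sandbox code, that replays constructed endpoint events modelled on that chain and flags the patterns a responder would hunt for in real telemetry. The event field names, the ping count in the cmd.exe command line, and the benign Firefox control event are assumptions of this example.

```python
"""Triage of the behaviour recorded in this report: process chain, Run-key persistence, C2.

Added example (not Joe Sandbox code). It replays CONSTRUCTED endpoint events modelled on
the report's behaviour graph and Autostart entries and flags what a responder would hunt
for in real telemetry. The event shape, the ping count in the cmd.exe command line and the
benign control event are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule identifier
    subject: str   # process image or Run-key value name
    detail: str    # evidence for the analyst


# Constructed events mirroring the report (field names are this example's convention).
EVENTS: List[Dict] = [
    {"type": "process", "image": r"C:\Users\user\Desktop\7PO#6017060628.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\user\Desktop\7PO#6017060628.exe",
     # the report shows cmd.exe -> PING.EXE -> 127.0.0.1 before Word.exe starts; "-n 5" is assumed
     "cmdline": r'cmd /c ping -n 5 127.0.0.1 & "C:\Users\user\AppData\Roaming\Word.exe"'},
    {"type": "process", "image": r"C:\Users\user\AppData\Roaming\Word.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": ""},
    {"type": "autostart", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Office Word Manager", "command": r'"C:\Users\user\AppData\Roaming\Word.exe"'},
    {"type": "network", "image": r"C:\Users\user\AppData\Roaming\Word.exe",
     "dst_host": "qbi.ddns.net", "dst_ip": "98.143.144.233", "dst_port": 8877},
    # benign control (constructed): a Program Files binary talking to a vendor host on 443
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_host": "aus5.mozilla.org", "dst_ip": "203.0.113.10", "dst_port": 443},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
TRUSTED_DIRS = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
# "ping [-n N] 127.0.0.1|localhost" followed by a separator and a further command = sleep-then-run
PING_SLEEP = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b[^&|]*(?:&&|&|\|\|)\s*\S", re.I)
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".hopto.org", ".duckdns.org")
COMMON_PORTS = {80, 443}
VENDOR_TOKENS = ("microsoft", "office", "windows", "adobe", "google", "java")


def exe_path(command: str) -> str:
    """Executable path from a Run-key command, quoted or bare (arguments dropped)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def check_process(ev: Dict) -> List[Finding]:
    out = []
    if USER_WRITABLE.search(ev["image"]):
        out.append(Finding("exec_from_profile", ev["image"], f"parent {ev['parent']}"))
    if ev["image"].lower().endswith("\\cmd.exe") and PING_SLEEP.search(ev.get("cmdline", "")):
        out.append(Finding("ping_sleep", ev["image"], ev["cmdline"]))
    return out


def check_autostart(ev: Dict) -> List[Finding]:
    out = []
    target = exe_path(ev["command"])
    if USER_WRITABLE.search(target):
        out.append(Finding("run_key_user_writable", ev["name"], f"{ev['key']} -> {target}"))
    # a vendor-sounding value name launching something outside Windows/Program Files
    if any(tok in ev["name"].lower() for tok in VENDOR_TOKENS) and not TRUSTED_DIRS.match(target):
        out.append(Finding("run_key_vendor_lookalike", ev["name"], target))
    return out


def check_network(ev: Dict) -> List[Finding]:
    host = ev.get("dst_host", "").lower()
    if host.endswith(DYNDNS_SUFFIXES) and ev["dst_port"] not in COMMON_PORTS:
        return [Finding("dyndns_nonstd_port", ev["image"],
                        f"{host} ({ev['dst_ip']}) tcp/{ev['dst_port']}")]
    return []


CHECKS: Dict[str, Callable[[Dict], List[Finding]]] = {
    "process": check_process, "autostart": check_autostart, "network": check_network,
}


def triage(events: List[Dict]) -> List[Finding]:
    """Run every applicable check over the event stream and collect the findings."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(CHECKS.get(ev["type"], lambda _ev: [])(ev))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Run against the constructed events, the Firefox control produces nothing while every stage of the sample's chain produces a finding; on real Sysmon or EDR data the same checks apply once the process-create, registry-set and network-connect events are mapped onto the three event shapes used here.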

Antivirus and Machine Learning Detection

Initial Sample

Source             | Detection | Scanner        | Label
7PO#6017060628.exe | 100%      | Joe Sandbox ML |

Dropped Files

Source                                   | Detection | Scanner        | Label
C:\Users\user\AppData\Roaming\Word.exe   | 100%      | Joe Sandbox ML |

Unpacked PE Files

Source                                    | Detection | Scanner | Label
2.2.7PO#6017060628.exe.400000.1.unpack    | 100%      | Avira   | HEUR/AGEN.1029676
8.0.Word.exe.400000.0.unpack              | 100%      | Avira   | TR/Dropper.VB.Gen
7.2.Word.exe.2a96000.1.unpack             | 100%      | Avira   | HEUR/AGEN.1029676
2.2.7PO#6017060628.exe.29e6000.2.unpack   | 100%      | Avira   | HEUR/AGEN.1029676
6.0.Word.exe.400000.0.unpack              | 100%      | Avira   | TR/Dropper.VB.Gen
9.0.Word.exe.400000.0.unpack              | 100%      | Avira   | TR/Dropper.VB.Gen
9.2.Word.exe.400000.0.unpack              | 100%      | Avira   | HEUR/AGEN.1029676
7.2.Word.exe.400000.0.unpack              | 100%      | Avira   | HEUR/AGEN.1029676
0.2.7PO#6017060628.exe.400000.0.unpack    | 100%      | Avira   | TR/Dropper.VB.Gen
7.0.Word.exe.400000.0.unpack              | 100%      | Avira   | TR/Dropper.VB.Gen
0.0.7PO#6017060628.exe.400000.0.unpack    | 100%      | Avira   | TR/Dropper.VB.Gen
8.2.Word.exe.400000.0.unpack              | 100%      | Avira   | TR/Dropper.VB.Gen
6.2.Word.exe.400000.0.unpack              | 100%      | Avira   | TR/Dropper.VB.Gen
9.2.Word.exe.2ac6000.1.unpack             | 100%      | Avira   | HEUR/AGEN.1029676
2.0.7PO#6017060628.exe.400000.0.unpack    | 100%      | Avira   | TR/Dropper.VB.Gen

Domains

Source       | Detection | Scanner    | Label
qbi.ddns.net | 8%        | virustotal |

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

All matches below are for rule Remcos (description: detect Remcos in memory; author: JPCERT/CC Incident Response Group).

Source: 00000009.00000002.17409548310.0000000000410000.00000004.00020000.sdmp
  • 0x1034:$remcos: Remcos
  • 0x18a8:$remcos: Remcos
  • 0x18e0:$url: Breaking-Security.Net
  • 0x60ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 00000000.00000002.17346376010.0000000004D56000.00000040.00000001.sdmp
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 00000006.00000002.17374600640.00000000045B6000.00000040.00000001.sdmp
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 00000008.00000002.17411140757.0000000004E76000.00000040.00000001.sdmp
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 00000002.00000002.17349065164.00000000029E6000.00000040.00000001.sdmp
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 00000007.00000002.17737403419.0000000000410000.00000004.00020000.sdmp
  • 0x1034:$remcos: Remcos
  • 0x18a8:$remcos: Remcos
  • 0x18e0:$url: Breaking-Security.Net
  • 0x60ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 00000002.00000002.17344909271.0000000000410000.00000004.00020000.sdmp
  • 0x1034:$remcos: Remcos
  • 0x18a8:$remcos: Remcos
  • 0x18e0:$url: Breaking-Security.Net
  • 0x60ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 00000007.00000002.17740452978.0000000002A96000.00000040.00000001.sdmp
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 00000009.00000002.17412356602.0000000002AC6000.00000040.00000001.sdmp
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00

Unpacked PEs

All matches below are for rule Remcos (description: detect Remcos in memory; author: JPCERT/CC Incident Response Group).

Source: 2.2.7PO#6017060628.exe.29e6000.2.unpack
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 2.2.7PO#6017060628.exe.400000.1.unpack
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 9.2.Word.exe.400000.0.unpack
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 7.2.Word.exe.2a96000.1.raw.unpack
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 2.2.7PO#6017060628.exe.29e6000.2.raw.unpack
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 7.2.Word.exe.2a96000.1.unpack
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 7.2.Word.exe.400000.0.unpack
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 9.2.Word.exe.2ac6000.1.raw.unpack
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
Source: 9.2.Word.exe.2ac6000.1.unpack
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00
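The Yara hits above and the "Remcos_Mutex_Inj" strings in the Remote Access Functionality section are the evidence behind the Remcos verdict, and they carry a useful detail: every dump shows the same four indicators at the same relative spacing (0x874 between the two "Remcos" hits, the vendor URL 0x38 later, the wide "SETTINGS" resource name about 0x480a further on), with the dumps taken at the 0x410000 image base reporting offsets exactly 0x10000 lower than the heap-region dumps. That is the same unpacked Remcos image found at different positions within each dump. The following added example, which is neither the JPCERT/CC rule itself nor Joe Sandbox code, scans a dump for those indicator classes, lists every offset, and computes a base-independent fingerprint so two dumps can be compared the way the report's rows invite. Its match condition (each of $remcos, $url and $resource present at least once) is this example's approximation of the rule, not the rule's wording; the "$mutex" indicator is added from the string dumps and is not part of the rule; and the dump it builds is constructed so the example runs offline.

```python
"""Offset-level view of the 'Remcos' memory indicators listed above.

Added example, not the JPCERT/CC Yara rule itself and not Joe Sandbox code. It scans a
memory dump for the three indicator classes the report's Yara hits enumerate ($remcos,
$url, $resource) plus the "Remcos_Mutex_Inj" string from the string dumps, lists every
offset, and calls the dump a match when each of the three Yara classes occurs at least
once; that condition is this example's approximation, not the rule's wording. The dump
built by build_sample_dump() is CONSTRUCTED; its offsets reproduce those in the report.
"""
import sys
from typing import Dict, List, Tuple

INDICATORS: Dict[str, bytes] = {
    "$remcos": b"Remcos",                            # ASCII family name
    "$url": b"Breaking-Security.Net",                # vendor string in the Remcos stub
    "$resource": "SETTINGS".encode("utf-16-le"),     # wide name of the config resource
    "$mutex": b"Remcos_Mutex_Inj",                   # mutex seen in the report's string dumps
}
REQUIRED = ("$remcos", "$url", "$resource")          # approximation of the rule's condition


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in buf, overlapping occurrences included."""
    hits: List[int] = []
    pos = buf.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(needle, pos + 1)
    return hits


def scan(buf: bytes) -> Dict[str, List[int]]:
    """Offsets of every indicator. Note that "$remcos" also hits inside "Remcos_Mutex_Inj"."""
    return {name: find_all(buf, pat) for name, pat in INDICATORS.items()}


def is_remcos(hits: Dict[str, List[int]]) -> bool:
    return all(hits.get(name) for name in REQUIRED)


def normalized(hits: Dict[str, List[int]]) -> Dict[str, Tuple[int, ...]]:
    """Offsets relative to the first $remcos hit: the same unpacked image yields the same
    fingerprint whether it sits at 0x1034 or 0x11034 in a dump, as in the report's rows."""
    if not hits.get("$remcos"):
        return {}
    base = hits["$remcos"][0]
    return {name: tuple(off - base for off in offs) for name, offs in hits.items()}


def build_sample_dump(shift: int = 0) -> bytes:
    """CONSTRUCTED dump: MZ header, zero padding, indicators at the report's offsets (+shift)."""
    layout = [
        (0x1034, b"Remcos"), (0x18a8, b"Remcos"), (0x18e0, b"Breaking-Security.Net"),
        (0x3000, b"Remcos_Mutex_Inj"), (0x60ea, "SETTINGS".encode("utf-16-le")),
    ]
    buf = bytearray(0x7000 + shift)
    buf[shift:shift + 2] = b"MZ"
    for off, data in layout:
        buf[shift + off:shift + off + len(data)] = data
    return bytes(buf)


def report(buf: bytes) -> str:
    """Human-readable listing of indicator offsets and the match decision."""
    hits = scan(buf)
    lines = [f"{name}: {', '.join(hex(o) for o in offs) or '-'}" for name, offs in hits.items()]
    lines.append(f"match: {is_remcos(hits)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # pass a .sdmp or unpacked-PE path to scan it; without an argument the constructed dump is used
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    print(report(data))
```

Pointing the script at two of the report's dumps would give different absolute offsets but identical normalized() fingerprints, which is the quick check that the Word.exe processes are running the same unpacked payload as the original sample rather than a different stage.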

Joe Sandbox View / Context

IPs

Match          | Associated Sample Name / URL                 | Detection
98.143.144.233 | 45Customs_Papers and document.exe            | malicious
               | 18Payment Swift Copy 08-07-2019.exe          | malicious
               | 22Customs_Papers and document.exe            | malicious
               | 3Revised invoices with Changed Account.exe   | malicious

Domains

Match        | Associated Sample Name / URL                 | Detection | Context
qbi.ddns.net | 15PO_287109139.exe                           | malicious | 105.112.106.227
             | 1URGENT PO_367782827.exe                     | malicious | 91.193.75.171
             | 7Payment Swift Copy 13-06-2019.exe           | malicious | 91.193.75.171
             | 51PR 0597304969.exe                          | malicious | 105.112.122.72
             | 20PO_367782827 VERY URGENT.exe               | malicious | 105.112.112.218
             | 45Customs_Papers and document.exe            | malicious | 98.143.144.233
             | 18Payment Swift Copy 08-07-2019.exe          | malicious | 98.143.144.233
             | 21NEW PO 00002579.exe                        | malicious | 185.222.202.29
             | 39NEW ORDER.exe                              | malicious | 91.193.75.171
             | 53PO_287109139.exe                           | malicious | 91.193.75.171
             | 22Customs_Papers and document.exe            | malicious | 98.143.144.233
             | 32PR 0597304969.exe                          | malicious | 105.112.113.149
             | 47FAN Courier Arad.exe                       | malicious | 105.112.99.101
             | 1PO_287109139.exe                            | malicious | 105.112.112.162
             | 13Subject Urgent Order.exe                   | malicious | 105.112.112.73
             | 3Revised invoices with Changed Account.exe   | malicious | 98.143.144.233
             | 6OUT STANDING INVOICE.exe                    | malicious | 105.112.113.109

ASN

Match   | Associated Sample Name / URL                                              | Detection | Context
unknown | request.doc                                                               | malicious | 192.168.0.44
        | FERK444259.doc                                                            | malicious | 192.168.0.44
        | b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js      | malicious | 192.168.0.40
        | Setup.exe                                                                 | malicious | 192.168.0.40
        | base64.pdf                                                                | malicious | 192.168.0.40
        | file.pdf                                                                  | malicious | 192.168.0.40
        | Spread sheet 2.pdf                                                        | malicious | 192.168.0.40
        | request_08.30.doc                                                         | malicious | 192.168.0.44
        | P_2038402.xlsx                                                            | malicious | 192.168.0.44
        | 48b1cf747a678641566cd1778777ca72.apk                                      | malicious | 192.168.0.22
        | seu nome na lista de favorecidos.exe                                      | malicious | 192.168.0.40
        | Adm_Boleto.via2.com                                                       | malicious | 192.168.0.40
        | QuitacaoVotorantim345309.exe                                              | malicious | 192.168.0.40
        | pptxb.pdf                                                                 | malicious | 192.168.0.40

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
