
Analysis Report: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 221085
Start date: 08.04.2020
Start time: 06:37:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 4s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spyw.evad.winEXE@3/2@1418/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 95.1% (good quality ratio 92.4%)
  • Quality average: 82.9%
  • Quality standard deviation: 25.6%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 83
  • Number of non-executed functions: 139
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 72.247.178.43, 72.247.178.49
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, audownload.windowsupdate.nsatc.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Lokibot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

None of the domains contacted by the sample resolve; the sample is likely an old dropper that no longer works.
Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook.
Sample monitors window changes (e.g. starting applications); analyze it with the 'Simulates keyboard and window changes' cookbook.



Mitre Att&ck Matrix

Techniques are listed per tactic column; the digits after a technique are the signature-count badges shown in that matrix cell, reproduced as printed.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise; Trusted Relationship
Execution: Execution through API (1); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32; PowerShell
Persistence: Application Shimming (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking; Change Default File Association
Privilege Escalation: Access Token Manipulation (1); Process Injection (112); Application Shimming (1); DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness; Exploitation for Privilege Escalation
Defense Evasion: Software Packing (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Masquerading (1); Virtualization/Sandbox Evasion (2); Access Token Manipulation (1); Process Injection (112); Indicator Blocking; Process Injection; Scripting
Credential Access: Credential Dumping (2); Input Capture (11); Credentials in Registry (2); Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt; Keychain
Discovery: System Time Discovery (2); Account Discovery (1); Security Software Discovery (13); File and Directory Discovery (2); System Information Discovery (27); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); Remote System Discovery (1)
Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares; Taint Shared Content
Collection: Man in the Browser (1); Data from Local System (2); Email Collection (1); Input Capture (11); Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection; Audio Capture
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium; Commonly Used Port
Command and Control: Remote File Copy (1); Standard Cryptographic Protocol (1); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1); Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption; Connection Proxy
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

Signature Overview

AV Detection:

Found malware configuration
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.4272.2.memstr | Malware Configuration Extractor: Lokibot {"c2:": "http://bslines.xyz/copy/five/fre.php"}
Multi AV Scanner detection for domain / URL
Source: bslines.xyz | VirusTotal: Detection: 7%
Source: http://bslines.xyz/copy/five/fre.php | VirusTotal: Detection: 9%
Multi AV Scanner detection for submitted file
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | VirusTotal: Detection: 77%
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | ReversingLabs: Detection: 80%
Machine Learning detection for sample
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_00405028 GetModuleHandleA, GetProcAddress, lstrcpyn, lstrcpyn, lstrcpyn, FindFirstFileA, FindClose, lstrlen, lstrcpyn, lstrlen, lstrcpyn
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 2_2_00403D74 FindFirstFileW, FindNextFileW, FindFirstFileW, FindNextFileW
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 2_1_00403D74 FindFirstFileW, FindNextFileW, FindFirstFileW, FindNextFileW

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_00468B70: 4x nop then xor eax, eax
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_00468B70: 4x nop then cmp ebx, 000C625Ah
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_00468B70: 4x nop then call 00406010h
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_00468B70: 4x nop then call 00468B58h
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_00468B70: 4x nop then call 00406010h

Networking:

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: bslines.xyz, reply code: Name error (3)
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 2_2_00404ED4 recv
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: bslines.xyz
URLs found in memory or binary data
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe, 00000002.00000002.1403103067.000000000049F000.00000040.00000001.sdmp | String found in binary or memory: http://bslines.xyz/copy/five/fre.php
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe, COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe, 00000002.00000001.775033899.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_004409F0 GetKeyboardState

System Summary:

Malicious sample detected (through community Yara rule)
Matched rules: "detect Lokibot in memory" (Author: JPCERT/CC Incident Response Group) and "Loki Payload" (Author: kevoreilly); both rules matched in each of the following sources:
  • 00000002.00000002.1403051114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  • 00000000.00000002.777300474.0000000002630000.00000040.00000001.sdmp, type: MEMORY
  • 00000002.00000001.775033899.0000000000400000.00000040.00020000.sdmp, type: MEMORY
  • 00000000.00000002.777264569.0000000002610000.00000004.00000001.sdmp, type: MEMORY
  • 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.unpack, type: UNPACKEDPE
  • 2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
  • 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.raw.unpack, type: UNPACKEDPE
  • 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.unpack, type: UNPACKEDPE
  • 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.raw.unpack, type: UNPACKEDPE
  • 2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack, type: UNPACKEDPE
  • 2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack, type: UNPACKEDPE
  • 2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_0045E1BC NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_00428690 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_0045E964 IsIconic, SetActiveWindow, IsWindowEnabled, SetWindowPos, NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_0045EA14 IsIconic, SetActiveWindow, IsWindowEnabled, NtdllDefWindowProc_A, SetWindowPos, SetFocus
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_0045348C GetSubMenu, SaveDC, RestoreDC, 7337B080, SaveDC, RestoreDC, NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_0044396C NtdllDefWindowProc_A, GetCapture
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_023E07DA NtCreateSection
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_023E04D5 SetThreadContext, NtResumeThread
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_023E0E74 NtQueryInformationProcess
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_023E2F28 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_023E1E0B NtQueryInformationProcess
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_023E4928 NtCreateSection
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_023E5E4A SetThreadContext, NtResumeThread
Detected potential crypto function
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_004586B4
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_0045348C
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 2_2_0040549C
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 2_2_004029D4
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 2_1_0040549C
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 2_1_004029D4
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: String function: 00403E4C appears 73 times
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: String function: 00405B6F appears 84 times
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: String function: 00404BEE appears 56 times
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: String function: 00404B22 appears 54 times
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: String function: 00412093 appears 40 times
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: String function: 0041219C appears 90 times
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: String function: 00405FE0 appears 64 times
PE file contains strange resources
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name in the version info
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe, 00000000.00000002.777101669.00000000023D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe
Searches the installation path of Mozilla Firefox
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Yara signature match
Matched rules:
  • Lokibot: hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
  • Loki_1: author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
  • SUSP_XORed_URL_in_EXE: date = 2020-03-09, author = Steve Miller, Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Sources matching Lokibot and Loki_1:
  • 00000002.00000002.1403051114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  • 00000000.00000002.777300474.0000000002630000.00000040.00000001.sdmp, type: MEMORY
  • 00000002.00000001.775033899.0000000000400000.00000040.00020000.sdmp, type: MEMORY
  • 00000000.00000002.777264569.0000000002610000.00000004.00000001.sdmp, type: MEMORY
  • 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.unpack, type: UNPACKEDPE
  • 2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
  • 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.raw.unpack, type: UNPACKEDPE
  • 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.unpack, type: UNPACKEDPE
  • 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.raw.unpack, type: UNPACKEDPE
  • 2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack, type: UNPACKEDPE
  • 2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack, type: UNPACKEDPE
  • 2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Sources matching SUSP_XORed_URL_in_EXE:
  • 00000000.00000002.777264569.0000000002610000.00000004.00000001.sdmp, type: MEMORY
  • 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.unpack, type: UNPACKEDPE
  • 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.raw.unpack, type: UNPACKEDPE
  • 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.unpack, type: UNPACKEDPE
  • 2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack, type: UNPACKEDPE
Classification label
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@3/2@1418/0
Contains functionality for error logging
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_0041E6A4 GetLastError, FormatMessageA
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 2_2_0040650A LookupPrivilegeValueW, AdjustTokenPrivileges
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 2_1_0040650A LookupPrivilegeValueW, AdjustTokenPrivileges
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_00408306 GetDiskFreeSpaceA
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_023E174E CreateToolhelp32Snapshot, Process32FirstW
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 2_2_0040434D CoInitialize, CoCreateInstance, VariantInit, SysAllocString, VariantInit, VariantInit, SysAllocString, VariantInit, SysFreeString, SysFreeString, CoUninitialize
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_00416BF8 FreeResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-58933367-3072710494-194312298-1002\4216a73197943a17d1161a6bdc4512b0_59407d34-c8c5-44df-a766-ba8a11cb1cb0
Creates mutexes
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\F7EE0CF1CF93AA2F06F12A09
Parts of this application use Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 times)
Sample is known by Antivirus
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | VirusTotal: Detection: 77%
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | ReversingLabs: Detection: 80%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe 'C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe 'C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe'
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Process created: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe 'C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe'
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

barindex
Detected unpacking (changes PE section rights)Show sources
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exeUnpacked PE file: 2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.x:W;
Detected unpacking (overwrites its own PE header)Show sources
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exeUnpacked PE file: 2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack
Yara detected aPLib compressed binary
Source: Yara match | File source: 00000002.00000002.1403051114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.777300474.0000000002630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.775033899.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.777264569.0000000002610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe PID: 2656, type: MEMORY
Source: Yara match | File source: Process Memory Space: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe PID: 4272, type: MEMORY
Source: Yara match | File source: 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Note: dump names read <process index>.<dump index>.<id>.<base address>.<page protection>.<region type>.sdmp, where 00000004 is PAGE_READWRITE and 00000040 PAGE_EXECUTE_READWRITE. The rule fires in two private regions of process 0 (0x2610000, 0x2630000) and in the 0x400000 image of process 2, i.e. the aPLib-related code or data is staged in the loader's own memory and is also present in the child's replaced image. aPLib itself is a small LZ-family compressor that packers embed freely; it is not malicious on its own, but here it marks the layer behind which the payload sits.
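Since the Yara hit says the payload sits behind aPLib, the practical next step on the dumps is to decompress it. Below is an added Python implementation of aPLib's depack algorithm, plus a checker for the library's optional 24-byte "AP32" header; it is example code written for this page, not Joe Sandbox's rule and not the sample's own decompressor. The 8-byte SAMPLE_STREAM is hand-built so that the example runs without the real dumps.

```python
import struct
import zlib


class APLibError(ValueError):
    """Truncated or corrupt aPLib stream."""


def aplib_decompress(data: bytes) -> bytes:
    """Decompress a raw aPLib stream (no header), following the library's depack routine.
    Bit codes come from 8-bit tag bytes interleaved with literal/offset bytes: 0 literal;
    10 gamma offset (+1 low byte) and gamma length; 110 one byte = 7-bit offset and
    1-bit length 2/3 (offset 0 ends the stream); 111 oooo one byte from a 4-bit offset."""
    src, tag, bitcount = 0, 0, 0
    out = bytearray()

    def next_byte() -> int:
        nonlocal src
        if src >= len(data):
            raise APLibError(f"truncated stream at input offset {src}")
        src += 1
        return data[src - 1]

    def getbit() -> int:
        nonlocal tag, bitcount
        if bitcount == 0:                          # tag byte exhausted: load the next one
            tag, bitcount = next_byte(), 8
        bitcount -= 1
        tag <<= 1
        return (tag >> 8) & 1                      # the bit just shifted out of the byte

    def getgamma() -> int:                         # value bits interleaved with continue bits
        result = 1
        while True:
            result = (result << 1) | getbit()
            if not getbit():
                return result

    def copy_match(offs: int, length: int) -> None:
        if offs <= 0 or offs > len(out):
            raise APLibError(f"back-reference {offs} exceeds output size {len(out)}")
        for _ in range(length):                    # byte-wise so overlapping copies work
            out.append(out[-offs])

    out.append(next_byte())                        # first byte is always stored verbatim
    r0, lwm = -1, 0                                # last long-match offset; 'last was match'
    while True:
        if not getbit():                           # 0: literal
            out.append(next_byte())
            lwm = 0
        elif not getbit():                         # 10: long match
            offs = getgamma()
            if lwm == 0 and offs == 2:             # code 2 right after a literal: reuse r0
                copy_match(r0, getgamma())
            else:
                offs = ((offs - (3 if lwm == 0 else 2)) << 8) | next_byte()
                # minimum length grows with distance: +1 at >=1280, +1 at >=32000, +2 below 128
                length = getgamma() + (offs >= 32000) + (offs >= 1280) + 2 * (offs < 128)
                copy_match(offs, length)
                r0 = offs
            lwm = 1
        elif not getbit():                         # 110: short match, or end marker if offset 0
            b = next_byte()
            offs, length = b >> 1, 2 + (b & 1)
            if offs == 0:
                break
            copy_match(offs, length)
            r0, lwm = offs, 1
        else:                                      # 111: single byte from a 4-bit offset
            offs = 0
            for _ in range(4):
                offs = (offs << 1) | getbit()
            if offs:
                copy_match(offs, 1)
            else:
                out.append(0)
            lwm = 0
    return bytes(out)


# aPLib's optional "safe" header: tag "AP32", header size (24), packed size, packed CRC-32,
# original size, original CRC-32 (standard CRC-32, the same polynomial as zlib.crc32).
AP32_HEADER = struct.Struct("<4sIIIII")


def aplib_decompress_safe(blob: bytes) -> bytes:
    """Decompress a blob that starts with an AP32 header, verifying both CRC-32 values."""
    if len(blob) < AP32_HEADER.size or blob[:4] != b"AP32":
        raise APLibError("missing AP32 header")
    _, hdr_size, packed_size, packed_crc, orig_size, orig_crc = AP32_HEADER.unpack_from(blob)
    packed = blob[hdr_size:hdr_size + packed_size]
    if len(packed) != packed_size or zlib.crc32(packed) != packed_crc:
        raise APLibError("packed data truncated or CRC mismatch")
    out = aplib_decompress(packed)
    if len(out) != orig_size or zlib.crc32(out) != orig_crc:
        raise APLibError("decompressed size or CRC mismatch")
    return out


def wrap_ap32(packed: bytes, original: bytes) -> bytes:
    """Build an AP32 header for a stream (used here to construct test input)."""
    return AP32_HEADER.pack(b"AP32", AP32_HEADER.size, len(packed), zlib.crc32(packed),
                            len(original), zlib.crc32(original)) + packed


# Constructed 8-byte stream: 'A' verbatim; tag 0x29 = 0,0 (literals 'B','C'), 1,0 + gamma 3 (long
# match, low byte 0x03 -> offset 3) and the start of gamma 4 (length 4+2); tag 0x38 ends that gamma
# and codes 111 + three offset bits; tag 0xE0 gives the last offset bit (offset 1 copies 'C'), then
# 1,1,0 and the 0x00 end marker. Decompresses to b"ABCABCABCC".
SAMPLE_STREAM = bytes.fromhex("41 29 42 43 03 38 E0 00")
```

Run it against a carved blob: if a dump contains the AP32 tag, pass the bytes from that tag onward to aplib_decompress_safe; otherwise locate the raw stream (typically right after the loader's decompressor stub) and call aplib_decompress, which raises APLibError on truncated or corrupt input instead of looping or reading past the buffer.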
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0044A914: SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00468B70: push 00468D20h; ret (at 0_2_00468D18)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0044AF60: push 0044AFEDh; ret (at 0_2_0044AFE5)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0043A060: push 0043A0D5h; ret (at 0_2_0043A0CD)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0043A0D8: push 0043A131h; ret (at 0_2_0043A129)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0046212C: push 00462158h; ret (at 0_2_00462150)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0044C2BC: push 0044C2E8h; ret (at 0_2_0044C2E0)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_004603FC: push 00460456h; ret (at 0_2_0046044E)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00464434: push 004644EEh; ret (at 0_2_004644E6)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0041043A: push 004104B2h; ret (at 0_2_004104AA)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0041043C: push 004104B2h; ret (at 0_2_004104AA)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0041A49C: push ecx; mov dword ptr [esp], edx (at 0_2_0041A4A1)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_004104B4: push 0041055Ch; ret (at 0_2_00410554)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00410650: push 0041067Ch; ret (at 0_2_00410674)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00460604: push 00460630h; ret (at 0_2_00460628)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_004646D4: push 00464700h; ret (at 0_2_004646F8)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00430698: push 0043070Eh; ret (at 0_2_00430706)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0046470C: push 00464738h; ret (at 0_2_00464730)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00440790: push ecx; mov dword ptr [esp], ecx (at 0_2_00440794)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_004607AC: push 004607D8h; ret (at 0_2_004607D0)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00468884: push 004688B0h; ret (at 0_2_004688A8)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00406884: push ecx; mov dword ptr [esp], eax (at 0_2_00406885)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00426888: push 004268E1h; ret (at 0_2_004268D9)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0040C978: push ecx; mov dword ptr [esp], edx (at 0_2_0040C97D)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00416994: push ecx; mov dword ptr [esp], edx (at 0_2_00416996)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00406A70: push 00406A9Ch; ret (at 0_2_00406A94)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00412A10: push ecx; mov dword ptr [esp], edx (at 0_2_00412A15)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00406AA8: push 00406AD4h; ret (at 0_2_00406ACC)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00424B74: push 00424BB2h; ret (at 0_2_00424BAA)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00424BF4: push 00424C2Ch; ret (at 0_2_00424C24)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00414BFC: push ecx; mov dword ptr [esp], edx (at 0_2_00414BFD)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00424BBC: push 00424BE8h; ret (at 0_2_00424BE0)
Note: every push target above sits exactly 8 bytes past its paired ret (00468D18 to 00468D20, 0044AFE5 to 0044AFED, and so on). That fixed distance is the shape of Delphi's try/finally epilogue (push @exit ... ret; jmp @HandleFinally; jmp @finally; @exit:), and push ecx; mov dword ptr [esp], reg is likewise routine Delphi code generation. Together with the CODE/DATA/BSS section names, this signature is a compiler fingerprint on the loader rather than hand-written obfuscation; give it no weight and let the unpacking and injection evidence carry the verdict.

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File created: \covid 19 - world health organization cdc_doc pdf.exe
Note: the suspicious element is the double extension: "_DOC pdf.exe" poses as a PDF/document lure while the file is a Windows executable. The recorded path is lower-cased and drive-relative exactly as the sandbox logged it.

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0045E244: PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00446268: IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0045E964: IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0045EA14: IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00445090: IsIconic,GetCapture
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0045B26C: SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00423604: IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00445944: IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0044A914: SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
Note: the IsIconic clusters are GUI-framework window management (placement, focus, DefWindowProc) inside the 0_2_ loader, not a check on whether analysis tools are visible; on their own they carry no weight. The GetProcAddress routine is the one place the loader resolves imports at run time and is the right spot for a breakpoint to see which names it asks for.
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Process information set: NOGPFAULTERRORBOX (120 identical events)
Note: SEM_NOGPFAULTERRORBOX suppresses the crash dialog, so if the injected payload faults the process dies quietly instead of alerting the user. The sample sets it repeatedly; the 0_2_0044A914 routine listed under Data Obfuscation brackets its GetProcAddress lookups with SetErrorMode calls.

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_00439F60
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0045D7B4: GetCurrentThreadId,GetCursorPos,WaitForSingleObject
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Window / User API: threadDelayed 704
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | API coverage: 6.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe TID: 932 | Thread sleep count: 704 > 30
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe TID: 932 | Thread sleep time: -42240000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Last function: Thread delayed (2 identical events)
Note: the sleep figures are the relative delay values handed to the sleep API (negative means "relative interval"); the report's "s" suffix is not literal seconds, since 42,240,000 seconds could not elapse within the analysis. What matters is the shape: one thread (TID 932) issued 704 delays against a threshold of 30, and 42,240,000 / 704 = 60,000 exactly, i.e. a fixed per-iteration delay, which is a polling loop such as the GetCursorPos/WaitForSingleObject routine at 0_2_0045D7B4 rather than a set of unrelated waits. The 6.3 % API coverage is the consequence: the sample spent the run waiting for user activity and never reached most of its code.
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_00405028: GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 2_2_00403D74: FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 2_1_00403D74: FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW
Contains functionality to query system information
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0041EC34: GetSystemInfo
Queries a list of all running processes
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Process queried: DebugFlags
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Process queried: DebugObjectHandle
Note: these are the ProcessDebugFlags (0x1F) and ProcessDebugObjectHandle (0x1E) information classes of NtQueryInformationProcess. Unlike IsDebuggerPresent they are not defeated by clearing PEB.BeingDebugged, so a debugger-based unpacking session needs the query results hooked (ScyllaHide-style) or patched by hand.
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 0_2_0044A914: SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 2_2_0040317B: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 2_1_0040317B: mov eax, dword ptr fs:[00000030h]
Note: fs:[30h] is the PEB pointer of a 32-bit process. Reading it is the first step of the BeingDebugged (PEB+0x02) and NtGlobalFlag (PEB+0x68) checks and of manual import resolution through the loader data at PEB+0x0C; that only the 2_x entries (the injected payload) show it, and not the 0_2_ loader, is the telling detail.
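A static triage scan for the two instruction shapes this report flags: the push-immediate/ret disguised jump listed under Data Obfuscation and the fs:[30h] PEB read above. This is an added example, not Joe Sandbox code and not the sample's; its input is a constructed byte buffer that mirrors the report's first push/ret pair (push 00468D20h). The heuristic reports a push only when its immediate falls inside the image and a ret byte follows within a short window, so it catches the report's non-adjacent pairs but will also misfire on immediates embedded in other instructions, which is why a sandbox uses real disassembly instead.

```python
from dataclasses import dataclass

# 32-bit encodings of "mov <reg>, fs:[30h]", the PEB pointer read (offset 0x30 in the TEB).
PEB_READS = {
    b"\x64\xa1\x30\x00\x00\x00": "mov eax, fs:[30h]",
    b"\x64\x8b\x0d\x30\x00\x00\x00": "mov ecx, fs:[30h]",
    b"\x64\x8b\x15\x30\x00\x00\x00": "mov edx, fs:[30h]",
    b"\x64\x8b\x1d\x30\x00\x00\x00": "mov ebx, fs:[30h]",
    b"\x64\x8b\x35\x30\x00\x00\x00": "mov esi, fs:[30h]",
    b"\x64\x8b\x3d\x30\x00\x00\x00": "mov edi, fs:[30h]",
}
CALL_NEXT = b"\xe8\x00\x00\x00\x00"     # call $+5: pushes its own address (GetPC idiom)


@dataclass(frozen=True)
class Finding:
    kind: str      # "peb_read", "push_ret" or "call_next"
    va: int        # virtual address of the pattern's first byte
    detail: str


def scan_code(code: bytes, code_va: int, image_lo: int, image_hi: int, window: int = 32) -> list:
    """Linear byte scan for the three patterns; code_va is the address of code[0].

    A 'push imm32' counts only when imm32 lies inside [image_lo, image_hi) and a ret (C3)
    follows within `window` bytes, which also matches push/ret pairs that are not adjacent.
    """
    findings, i = [], 0
    while i < len(code):
        peb = next((p for p in PEB_READS if code.startswith(p, i)), None)
        if peb is not None:
            findings.append(Finding("peb_read", code_va + i, PEB_READS[peb]))
            i += len(peb)
            continue
        if code[i] == 0x68 and i + 5 <= len(code):               # push imm32
            target = int.from_bytes(code[i + 1:i + 5], "little")
            ret_at = code.find(b"\xc3", i + 5, i + 5 + window)
            if image_lo <= target < image_hi and ret_at != -1:
                findings.append(Finding("push_ret", code_va + i,
                                        f"push {target:08X}h; ret at {code_va + ret_at:08X} "
                                        f"transfers control to {target:08X}"))
                i += 5
                continue
        if code.startswith(CALL_NEXT, i):
            findings.append(Finding("call_next", code_va + i, "call $+5 (GetPC idiom)"))
            i += 5
            continue
        i += 1
    return findings


# Constructed buffer, hypothetically loaded at 0x468B70 inside an image spanning
# 0x400000-0x480000; the push target 0x00468D20 mirrors the report's first entry.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                  # push ebp; mov ebp, esp
    b"\x68\x20\x8d\x46\x00"          # push 00468D20h           (in-image address)
    b"\x33\xc0"                      # xor eax, eax
    b"\xc3"                          # ret                      -> lands at 00468D20
    b"\x64\xa1\x30\x00\x00\x00"      # mov eax, fs:[30h]        (PEB read)
    b"\x68\x78\x56\x34\x12"          # push 12345678h           (plain constant, ignored)
    b"\xe8\x00\x00\x00\x00"          # call $+5
)
SAMPLE_CODE_VA, IMAGE_LO, IMAGE_HI = 0x468B70, 0x400000, 0x480000

if __name__ == "__main__":
    for f in scan_code(SAMPLE_CODE, SAMPLE_CODE_VA, IMAGE_LO, IMAGE_HI):
        print(f"{f.va:08X} {f.kind:9} {f.detail}")
```

Point it at the CODE section of the file (for the loader) and at the .text section carved from the 0x400000 dump (for the payload), passing each section's virtual address and the image bounds; the PEB reads should surface only in the payload, as the report's 2_x entries indicate.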
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function 2_2_00402B7C: GetProcessHeap,RtlAllocateHeap
Note: weak on its own. GetProcessHeap followed by RtlAllocateHeap is an ordinary allocation; the anti-debug variant inspects the heap's Flags/ForceFlags fields, which differ when the process was started under a debugger, and the trace does not show that read.
Enables debug privileges
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Process token adjusted: Debug
Note: SeDebugPrivilege lets the process open handles to processes it does not own, which it needs if it later targets explorer.exe (compare the Shell_TrayWnd/Progman strings under OS Protection Evasion).

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Section loaded: unknown target: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Process created: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe 'C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe'
Note: read these two together with the Data Obfuscation findings: a second copy of the sample is started suspended, a section is mapped into it execute/read/write, and the child's image at 0x400000 ends up with a different section table from the file. That is process hollowing (here in its section-mapping form) of a suspended copy of itself, and the injected image is the place to carve the payload from.
May try to detect the Windows Explorer process (often used for injection)
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe, 00000002.00000002.1403532731.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe, 00000002.00000002.1403532731.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe, 00000002.00000002.1403532731.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe, 00000002.00000002.1403532731.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Note: Shell_TrayWnd and Progman are the window class names of the taskbar and the desktop, both owned by explorer.exe; FindWindow on either followed by GetWindowThreadProcessId is the standard way to obtain Explorer's PID without enumerating processes. The last two strings are partial fragments as recovered from the dump.

Language, Device and Operating System Detection:

barindex
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_004051E0
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: GetLocaleInfoA,GetACP,0_2_0040C1C4
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: GetLocaleInfoA,0_2_0040ABF0
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: GetLocaleInfoA,0_2_0040AC3C
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_004052EC
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: GetLocaleInfoA,0_2_00405AD6
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: GetLocaleInfoA,0_2_00405AD8
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_004096DC GetLocalTime,0_2_004096DC
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 2_2_00406069 GetUserNameW,2_2_00406069
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_00463ACC GetTimeZoneInformation,0_2_00463ACC
Contains functionality to query the Windows version
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: 0_2_0044AF60 GetVersion,0_2_0044AF60
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 00000002.00000002.1403051114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.777300474.0000000002630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.775033899.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.777264569.0000000002610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe PID: 2656, type: MEMORY
Source: Yara match | File source: Process Memory Space: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe PID: 4272, type: MEMORY
Source: Yara match | File source: 2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal FTP login credentials
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: PopPassword 2_2_0040D069
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: SmtpPassword 2_2_0040D069
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: PopPassword 2_1_0040D069
Source: C:\Users\user\Desktop\COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | Code function: SmtpPassword 2_1_0040D069

Malware Configuration

Threatname: Lokibot

{"c2:": "http://bslines.xyz/copy/five/fre.php"}

Behavior Graph


Simulations

Behavior and APIs

Time | Type | Description
06:37:38 | API Interceptor | 706x Sleep call for process: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | 78% | Virustotal |
COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | 81% | ReversingLabs | Win32.Trojan.Fareit
COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1042789
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
bslines.xyz | 8% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://bslines.xyz/copy/five/fre.php | 9% | Virustotal |
http://bslines.xyz/copy/five/fre.php | 0% | Avira URL Cloud | safe
http://www.ibsensoftware.com/ | 1% | Virustotal |
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1403051114.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000002.00000002.1403051114.0000000000400000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000002.00000002.1403051114.0000000000400000.00000040.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.1403051114.0000000000400000.00000040.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
00000000.00000002.777300474.0000000002630000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000000.00000002.777300474.0000000002630000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000000.00000002.777300474.0000000002630000.00000040.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.777300474.0000000002630000.00000040.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
00000002.00000001.775033899.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000002.00000001.775033899.0000000000400000.00000040.00020000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000002.00000001.775033899.0000000000400000.00000040.00020000.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000001.775033899.0000000000400000.00000040.00020000.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
00000000.00000002.777264569.0000000002610000.00000004.00000001.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Steve Miller, Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
00000000.00000002.777264569.0000000002610000.00000004.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000000.00000002.777264569.0000000002610000.00000004.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000000.00000002.777264569.0000000002610000.00000004.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.777264569.0000000002610000.00000004.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
Process Memory Space: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe PID: 2656 | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
Process Memory Space: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe PID: 2656 | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
Process Memory Space: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe PID: 4272 | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
Process Memory Space: COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe PID: 4272 | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Steve Miller, Florian Roth
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x123ff:$des3: 68 03 66 00 00
  • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version
2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Steve Miller, Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Steve Miller, Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.raw.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2610000.2.raw.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Steve Miller, Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.raw.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.2630000.3.raw.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.1.COVID 19 - WORLD HEALTH ORGANIZATION CDC_DOC pdf.exe.400000.0.raw.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.