Analysis Report sample1.bin

Overview

General Information

Sample Name: sample1.bin (renamed file extension from bin to doc)
Analysis ID: 339441
MD5: 7dbd8ecfada1d39a81a58c9468b91039
SHA1: 0d21e2742204d1f98f6fcabe0544570fd6857dd3
SHA256: dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Changes security center settings (notifications, updates, antivirus, firewall)
Creates and opens a fake document (probably a fake document to hide exploiting)
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates files inside the system directory
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 1536 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • svchost.exe (PID: 1004 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6192 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6588 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6684 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6720 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6776 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6792 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6880 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6944 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6976 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • certutil.exe (PID: 6392 cmdline: Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf MD5: EB199893441CED4BBBCB547FE411CF2D)
    • conhost.exe (PID: 6372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample1.doc | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\Public\Ksh1.pdf | Avira: detection malicious, Label: TR/Casdet.xqfgu
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Ksh1.pdf | Metadefender: Detection: 40%
Source: C:\Users\Public\Ksh1.pdf | ReversingLabs: Detection: 64%
Multi AV Scanner detection for submitted file
Source: sample1.doc | Virustotal: Detection: 61%
Source: sample1.doc | Metadefender: Detection: 45%
Source: sample1.doc | ReversingLabs: Detection: 72%
Machine Learning detection for dropped file
Source: C:\Users\Public\Ksh1.pdf | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: sample1.doc | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: winword.exe | Memory has grown: Private usage: 0MB later: 129MB
Source: global traffic | DNS query: name: pornthash.mobi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.3:49744 -> 177.130.51.198:80
Source: unknown | DNS traffic detected: queries for: pornthash.mobi
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: svchost.exe, 0000000D.00000002.309801474.0000022F01413000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.cortana.ai
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.office.net
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.onedrive.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: svchost.exe, 0000000D.00000003.308679000.0000022F01461000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://augloop.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cdn.entity.
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cortana.ai
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cortana.ai/api
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://cr.office.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: C8E730CE-6109-4C50-987F-9ABD6FDBDF02.0.dr | String found in binary or memory: https://dev.cortana.ai
Source: svchost.exe, 0000000D.00000003.308691668.0000022F0145A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.308691668.0