Analysis Report sample1.bin

Overview

General Information

Sample Name: sample1.bin (renamed file extension from bin to doc)
Analysis ID: 339446
MD5: 7dbd8ecfada1d39a81a58c9468b91039
SHA1: 0d21e2742204d1f98f6fcabe0544570fd6857dd3
SHA256: dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Creates and opens a fake document (probably a fake document to hide exploiting)
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample1.doc Avira: detected
Antivirus detection for dropped file
Source: C:\Users\Public\Ksh1.pdf Avira: detection malicious, Label: TR/Casdet.xqfgu
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Ksh1.pdf Metadefender: Detection: 40%
Source: C:\Users\Public\Ksh1.pdf ReversingLabs: Detection: 64%
Multi AV Scanner detection for submitted file
Source: sample1.doc Virustotal: Detection: 61%
Source: sample1.doc Metadefender: Detection: 45%
Source: sample1.doc ReversingLabs: Detection: 72%
Machine Learning detection for dropped file
Source: C:\Users\Public\Ksh1.pdf Joe Sandbox ML: detected
Machine Learning detection for sample
Source: sample1.doc Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 9.1.wcnwiz.exe.39b0000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 14.1.cryptdll.exe.3ab0000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 7.1.tmp_e473b4.exe.3a20000.2.unpack Avira: Label: TR/Dropper.Gen
Source: 13.1.ieframe.exe.39f0000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 9.0.wcnwiz.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 7.0.tmp_e473b4.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 10.1.SampleRes.exe.39e0000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 15.0.wlanui.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 13.0.ieframe.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 8.0.auditpolmsg.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 7.1.tmp_e473b4.exe.3a20000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 14.0.cryptdll.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 12.1.mfc140.exe.3980000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.mfc140.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 8.1.auditpolmsg.exe.39b0000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 11.0.NlsData0414.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 10.0.SampleRes.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 11.1.NlsData0414.exe.39c0000.1.unpack Avira: Label: TR/Dropper.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_004825E0 CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptAcquireContextW,CryptGenKey,CryptCreateHash,GetProcessHeap,HeapFree, 15_2_004825E0
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_00482230 CryptEncrypt,memcpy,CryptGetHashParam,CryptDestroyHash,CryptDuplicateHash,CryptExportKey,GetProcessHeap,RtlAllocateHeap, 15_2_00482230
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_00481FC0 CryptDestroyHash,CryptDuplicateHash,memcpy, 15_2_00481FC0
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_00481FD8 CryptDestroyHash, 15_2_00481FD8
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_003F38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 7_2_003F38F0
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Code function: 8_2_003638F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 8_2_003638F0
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Code function: 9_2_003B38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 9_2_003B38F0
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Code function: 10_2_007B38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 10_2_007B38F0
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Code function: 11_2_002B38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 11_2_002B38F0
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Code function: 12_2_003E38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 12_2_003E38F0
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Code function: 13_2_003238F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 13_2_003238F0
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Code function: 14_2_006238F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 14_2_006238F0
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_004838F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 15_2_004838F0

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 4x nop then push ebp 7_2_0041FA20
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 177.130.51.198:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.22:49170 -> 177.130.51.198:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 177.130.51.198
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WspServicosdeTelecomunicacoesLtdaBR
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 177.130.51.198:80
Source: unknown TCP traffic detected without corresponding DNS query: 177.130.51.198
Source: unknown TCP traffic detected without corresponding DNS query: 177.130.51.198
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5C9B88B-61BE-41BF-89DB-AF92964D1C77}.tmp
Source: certutil.exe, 00000001.00000002.2223417988.00000000022A0000.00000002.00000001.sdmp, tmp_e473b4.exe, 00000007.00000002.2258709906.00000000030D0000.00000002.00000001.sdmp, auditpolmsg.exe, 00000008.00000002.2265231662.0000000002F30000.00000002.00000001.sdmp, wcnwiz.exe, 00000009.00000002.2269936188.0000000003060000.00000002.00000001.sdmp, SampleRes.exe, 0000000A.00000002.2273974582.0000000002F20000.00000002.00000001.sdmp, NlsData0414.exe, 0000000B.00000002.2278988967.0000000003000000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: certutil.exe, 00000001.00000002.2223417988.00000000022A0000.00000002.00000001.sdmp, tmp_e473b4.exe, 00000007.00000002.2258709906.00000000030D0000.00000002.00000001.sdmp, auditpolmsg.exe, 00000008.00000002.2265231662.0000000002F30000.00000002.00000001.sdmp, wcnwiz.exe, 00000009.00000002.2269936188.0000000003060000.00000002.00000001.sdmp, SampleRes.exe, 0000000A.00000002.2273974582.0000000002F20000.00000002.00000001.sdmp, NlsData0414.exe, 0000000B.00000002.2278988967.0000000003000000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: certutil.exe, 00000001.00000002.2223923762.0000000002770000.00000004.00000001.sdmp String found in binary or memory: https://pornthash.mobi/videos/tayna_tung
Source: certutil.exe, 00000001.00000002.2223923762.0000000002770000.00000004.00000001.sdmp String found in binary or memory: https://pornthash.mobi/videos/tayna_tung%temp%/tmp_e473b4.exex

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000007.00000002.2256698017.00000000003F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2262096055.0000000000548000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2279698396.00000000003E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2266631097.0000000000578000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2252976219.0000000000588000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2292365132.00000000008C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2286180989.0000000000908000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2257551859.00000000005F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2276010487.00000000005F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2335114479.00000000002B4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2256830860.0000000000586000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2275531038.00000000002B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2335374791.0000000000481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2285331820.00000000008E4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2280766001.0000000000928000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2265953499.0000000000546000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2271093826.0000000000576000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2285132994.0000000000321000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2263042599.00000000005F6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2271279815.00000000007B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2292162710.0000000000621000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2276502729.00000000005E6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2271289978.00000000005E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2265821061.00000000003B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2280282398.00000000005F6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2262078055.0000000000361000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2292126114.00000000002F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.mfc140.exe.3e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SampleRes.exe.7b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.ieframe.exe.320000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cryptdll.exe.620000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wlanui.exe.480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.tmp_e473b4.exe.3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.NlsData0414.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wcnwiz.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.auditpolmsg.exe.360000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_004825E0 CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptAcquireContextW,CryptGenKey,CryptCreateHash,GetProcessHeap,HeapFree, 15_2_004825E0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.2252845078.00000000002FD000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" from the yellow bar above. QNN q 2 Once you have enabled editing, please click
Source: Screenshot number: 4 Screenshot OCR: Enable content" on the yellow bar above. Em> "this document is completely safety to open Page: 1 o
Source: Document image extraction number: 0 Screenshot OCR: Enable editing' from the yellow bar 2 Once you have enabled editing, please click "Enable content'
Source: Document image extraction number: 0 Screenshot OCR: Enable content' on the yellow bar above. *this document is completely safety to open
Document contains an embedded VBA macro with suspicious strings
Source: sample1.doc OLE, VBA macro line: Private Declare PtrSafe Function Sleep Lib "Kernel32" (ByVal One As Long) As Long
Source: sample1.doc OLE, VBA macro line: Private Declare Function Sleep Lib "Kernel32" (ByVal One As Long) As Long
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_003E0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 7_2_003E0400
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Code function: 8_2_002D0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 8_2_002D0400
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Code function: 9_2_003A0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 9_2_003A0400
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Code function: 10_2_007A0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 10_2_007A0400
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Code function: 11_2_002A0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 11_2_002A0400
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Code function: 12_2_002D0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 12_2_002D0400
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Code function: 13_2_00310400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 13_2_00310400
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Code function: 14_2_00610400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 14_2_00610400
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_00460400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 15_2_00460400
Contains functionality to delete services
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Code function: 8_2_00368E80 CloseServiceHandle,OpenSCManagerW,DeleteService,OpenServiceW,OpenServiceW,CloseServiceHandle, 8_2_00368E80
Creates files inside the system directory
Source: C:\Windows\System32\certutil.exe File created: C:\Windows\cerED0D.tmp
Deletes files inside the Windows folder
Source: C:\Windows\System32\certutil.exe File deleted: C:\Windows\cerED0D.tmp
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_0040314D 7_2_0040314D
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_004052D4 7_2_004052D4
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00409350 7_2_00409350
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00406DA8 7_2_00406DA8
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_003F78B0 7_2_003F78B0
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_003F1C70 7_2_003F1C70
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_003F65E0 7_2_003F65E0
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Code function: 8_2_00361C70 8_2_00361C70
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Code function: 8_2_003678B0 8_2_003678B0
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Code function: 8_2_003665E0 8_2_003665E0
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Code function: 9_2_003B1C70 9_2_003B1C70
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Code function: 9_2_003B78B0 9_2_003B78B0
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Code function: 9_2_003B65E0 9_2_003B65E0
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Code function: 10_2_007B1C70 10_2_007B1C70
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Code function: 10_2_007B65E0 10_2_007B65E0
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Code function: 10_2_007B78B0 10_2_007B78B0
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Code function: 11_2_002B1C70 11_2_002B1C70
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Code function: 11_2_002B78B0 11_2_002B78B0
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Code function: 11_2_002B65E0 11_2_002B65E0
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Code function: 12_2_003E1C70 12_2_003E1C70
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Code function: 12_2_003E78B0 12_2_003E78B0
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Code function: 12_2_003E65E0 12_2_003E65E0
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Code function: 13_2_00321C70 13_2_00321C70
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Code function: 13_2_003278B0 13_2_003278B0
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Code function: 13_2_003265E0 13_2_003265E0
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Code function: 14_2_00621C70 14_2_00621C70
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Code function: 14_2_006265E0 14_2_006265E0
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Code function: 14_2_006278B0 14_2_006278B0
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_00481C70 15_2_00481C70
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_004865E0 15_2_004865E0
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_004878B0 15_2_004878B0
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: sample1.doc OLE, VBA macro line: Private Sub Document_Close()
Source: sample1.doc OLE, VBA macro line: Form_Close
Source: sample1.doc OLE, VBA macro line: Private Sub Form_Close()
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Document_Close Name: Document_Close
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Form_Close Name: Form_Close
Document contains embedded VBA macros
Source: sample1.doc OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\Public\Ksh1.pdf FB07F875DC45E6045735513E75A83C50C78154851BD23A645D43EA853E6800AC
Yara signature match
Source: 00000005.00000002.2252845078.00000000002FD000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: tmp_e473b4.exe, 00000007.00000002.2256739325.000000000042A000.00000004.00020000.sdmp, auditpolmsg.exe, 00000008.00000002.2262233717.000000000042A000.00000004.00020000.sdmp, wcnwiz.exe, 00000009.00000002.2265887565.000000000042A000.00000004.00020000.sdmp, SampleRes.exe, 0000000A.00000002.2270581839.000000000042A000.00000004.00020000.sdmp, NlsData0414.exe, 0000000B.00000002.2276043532.000000000042A000.00000004.00020000.sdmp Binary or memory string: @*\AC:\aseb\Aseb.vbp
Source: tmp_e473b4.exe, auditpolmsg.exe, 00000008.00000000.2256345076.0000000000401000.00000020.00020000.sdmp, wcnwiz.exe, 00000009.00000002.2265851700.0000000000401000.00000020.00020000.sdmp, SampleRes.exe, 0000000A.00000002.2270507971.0000000000401000.00000020.00020000.sdmp, NlsData0414.exe, 0000000B.00000000.2270019597.0000000000401000.00000020.00020000.sdmp, ieframe.exe, 0000000D.00000002.2285194003.0000000000401000.00000020.00020000.sdmp Binary or memory string: B*\AC:\aseb\Aseb.vbp
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@20/19@0/1
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 7_2_003F8970
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 8_2_00368970
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 9_2_003B8970
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 10_2_007B8970
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 11_2_002B8970
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 12_2_003E8970
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 13_2_00328970
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 14_2_00628970
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_00484C80 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,CloseHandle,CloseHandle, 15_2_00484C80
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_003F5040 ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 7_2_003F5040
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ample1.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBEFA.tmp
Source: sample1.doc OLE indicator, Word Document stream: true
Source: sample1.doc OLE document summary: title field not present or empty
Source: C:\Windows\System32\certutil.exe Console Write: Input Length = 595972
Source: C:\Windows\System32\certutil.exe Console Write: Output Length = 446976
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\certutil.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: sample1.doc Virustotal: Detection: 61%
Source: sample1.doc Metadefender: Detection: 45%
Source: sample1.doc ReversingLabs: Detection: 72%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\certutil.exe Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe C:\Users\user\AppData\Local\Temp/tmp_e473b4.exe
Source: unknown Process created: C:\Windows\SysWOW64\srclient\auditpolmsg.exe C:\Windows\SysWOW64\srclient\auditpolmsg.exe
Source: unknown Process created: C:\Windows\SysWOW64\mfc110\wcnwiz.exe C:\Windows\SysWOW64\mfc110\wcnwiz.exe
Source: unknown Process created: C:\Windows\SysWOW64\capiprovider\SampleRes.exe C:\Windows\SysWOW64\capiprovider\SampleRes.exe
Source: unknown Process created: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe
Source: unknown Process created: C:\Windows\SysWOW64\KBDNO\mfc140.exe C:\Windows\SysWOW64\KBDNO\mfc140.exe
Source: unknown Process created: C:\Windows\SysWOW64\advapi32\ieframe.exe C:\Windows\SysWOW64\advapi32\ieframe.exe
Source: unknown Process created: C:\Windows\SysWOW64\nshipsec\cryptdll.exe C:\Windows\SysWOW64\nshipsec\cryptdll.exe
Source: unknown Process created: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process created: C:\Windows\SysWOW64\srclient\auditpolmsg.exe C:\Windows\SysWOW64\srclient\auditpolmsg.exe Jump to behavior
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Process created: C:\Windows\SysWOW64\mfc110\wcnwiz.exe C:\Windows\SysWOW64\mfc110\wcnwiz.exe Jump to behavior
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Process created: C:\Windows\SysWOW64\capiprovider\SampleRes.exe C:\Windows\SysWOW64\capiprovider\SampleRes.exe Jump to behavior
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Process created: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Process created: C:\Windows\SysWOW64\KBDNO\mfc140.exe C:\Windows\SysWOW64\KBDNO\mfc140.exe Jump to behavior
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Process created: C:\Windows\SysWOW64\advapi32\ieframe.exe C:\Windows\SysWOW64\advapi32\ieframe.exe Jump to behavior
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Process created: C:\Windows\SysWOW64\nshipsec\cryptdll.exe C:\Windows\SysWOW64\nshipsec\cryptdll.exe Jump to behavior
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Process created: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00404803 push ecx; iretd 7_2_004047EF
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00404021 push ecx; retf 7_2_00404037
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00408839 push esi; iretd 7_2_00408893
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_0040610E push ecx; retf 7_2_0040611B
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_0040A12E push ecx; iretd 7_2_0040A12F
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_004031D1 push ecx; iretd 7_2_00403233
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_0040721C pushad ; iretd 7_2_00407223
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_0040321E push ecx; iretd 7_2_00403233
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00403236 push ecx; iretd 7_2_00403287
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00405AE2 push ecx; ret 7_2_00405B3F
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_004062F6 push ebx; iretd 7_2_004062F7
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_0040AAF9 push esp; retf 7_2_0040AB17
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00403B4E push ecx; retf 7_2_00403B4F
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00404B02 push ecx; ret 7_2_00404B03
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00403B35 push ecx; retf 7_2_00403B47
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_004053DD push ecx; ret 7_2_004053E7
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00408464 push ecx; ret 7_2_0040847B
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00407C76 push ebp; retf 7_2_00407C78
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_0040A404 push ecx; ret 7_2_0040A497
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_004074C5 push ecx; iretd 7_2_004074CF
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_004044D5 push ecx; iretd 7_2_004044F3
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_004054B6 push ecx; retf 7_2_004054B7
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_0040450F push ecx; retf 7_2_00404523
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00404539 push ecx; retf 7_2_00404523
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00406DA8 push eax; retf 7_2_00406FAF
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_0040A646 push edx; iretd 7_2_0040A647
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00403E52 push eax; ret 7_2_00403E54
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00405655 push ecx; retf 7_2_0040565F
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00407E7E push ecx; iretd 7_2_00407E7F
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_00409E0A push ecx; ret 7_2_00409E0B
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_0040869A push ecx; retf 7_2_0040869B

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::create
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Executable created and started: C:\Windows\SysWOW64\nshipsec\cryptdll.exe
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Executable created and started: C:\Windows\SysWOW64\KBDNO\mfc140.exe
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Executable created and started: C:\Windows\SysWOW64\mfc110\wcnwiz.exe
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Executable created and started: C:\Windows\SysWOW64\srclient\auditpolmsg.exe
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Executable created and started: C:\Windows\SysWOW64\capiprovider\SampleRes.exe
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Executable created and started: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Executable created and started: C:\Windows\SysWOW64\advapi32\ieframe.exe
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Executable created and started: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe
Drops PE files
Source: C:\Windows\System32\certutil.exe File created: C:\Users\Public\Ksh1.pdf
Drops PE files to the user directory
Source: C:\Windows\System32\certutil.exe File created: C:\Users\Public\Ksh1.pdf
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\certutil.exe File created: C:\Users\Public\Ksh1.pdf

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\certutil.exe File created: C:\Users\Public\Ksh1.pdf

Hooking and other Techniques for Hiding and Protection:

Creates and opens a fake document (probably a fake document to hide exploiting)
Source: unknown Process created: cmd line: ksh1.pdf
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe File opened: C:\Windows\SysWOW64\srclient\auditpolmsg.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe File opened: C:\Windows\SysWOW64\mfc110\wcnwiz.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe File opened: C:\Windows\SysWOW64\capiprovider\SampleRes.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe File opened: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe File opened: C:\Windows\SysWOW64\KBDNO\mfc140.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe File opened: C:\Windows\SysWOW64\advapi32\ieframe.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe File opened: C:\Windows\SysWOW64\nshipsec\cryptdll.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe File opened: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: sample1.doc Stream path 'Data' entropy: 7.97862280177 (max. 8.0)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Contains functionality to enumerate running services
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 7_2_003F5040
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 8_2_00365040
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 9_2_003B5040
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 10_2_007B5040
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 11_2_002B5040
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 12_2_003E5040
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 13_2_00325040
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 14_2_00625040
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Window / User API: threadDelayed 9920 Jump to behavior
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Window / User API: threadDelayed 9631 Jump to behavior
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Window / User API: threadDelayed 369 Jump to behavior
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Window / User API: threadDelayed 9912 Jump to behavior
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Window / User API: threadDelayed 9929 Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Window / User API: threadDelayed 9899 Jump to behavior
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Window / User API: threadDelayed 9884 Jump to behavior
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Window / User API: threadDelayed 9522 Jump to behavior
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Window / User API: threadDelayed 478 Jump to behavior
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Window / User API: threadDelayed 468 Jump to behavior
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Window / User API: threadDelayed 5127 Jump to behavior
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Window / User API: threadDelayed 9524 Jump to behavior
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Window / User API: threadDelayed 476 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\certutil.exe Dropped PE file which has not been started: C:\Users\Public\Ksh1.pdf Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe TID: 600 Thread sleep count: 9631 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe TID: 600 Thread sleep count: 369 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe TID: 2296 Thread sleep count: 9912 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe TID: 2296 Thread sleep count: 88 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe TID: 2108 Thread sleep count: 9929 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe TID: 2108 Thread sleep count: 71 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe TID: 2940 Thread sleep count: 9899 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe TID: 2940 Thread sleep count: 101 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe TID: 1820 Thread sleep count: 9884 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe TID: 1820 Thread sleep count: 116 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe TID: 2300 Thread sleep count: 9522 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe TID: 2300 Thread sleep count: 478 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe TID: 2732 Thread sleep count: 468 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe TID: 2732 Thread sleep count: 5127 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe TID: 2068 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_003F38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 7_2_003F38F0
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Code function: 8_2_003638F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 8_2_003638F0
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Code function: 9_2_003B38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 9_2_003B38F0
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Code function: 10_2_007B38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 10_2_007B38F0
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Code function: 11_2_002B38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 11_2_002B38F0
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Code function: 12_2_003E38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 12_2_003E38F0
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Code function: 13_2_003238F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 13_2_003238F0
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Code function: 14_2_006238F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 14_2_006238F0
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_004838F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 15_2_004838F0
Source: SampleRes.exe, 0000000A.00000002.2271114841.000000000058F000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_003F4DF0 mov eax, dword ptr fs:[00000030h] 7_2_003F4DF0
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_003F3F00 mov eax, dword ptr fs:[00000030h] 7_2_003F3F00
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Code function: 8_2_00363F00 mov eax, dword ptr fs:[00000030h] 8_2_00363F00
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Code function: 8_2_00364DF0 mov eax, dword ptr fs:[00000030h] 8_2_00364DF0
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Code function: 9_2_003B3F00 mov eax, dword ptr fs:[00000030h] 9_2_003B3F00
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Code function: 9_2_003B4DF0 mov eax, dword ptr fs:[00000030h] 9_2_003B4DF0
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Code function: 10_2_007B3F00 mov eax, dword ptr fs:[00000030h] 10_2_007B3F00
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Code function: 10_2_007B4DF0 mov eax, dword ptr fs:[00000030h] 10_2_007B4DF0
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Code function: 11_2_002B3F00 mov eax, dword ptr fs:[00000030h] 11_2_002B3F00
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Code function: 11_2_002B4DF0 mov eax, dword ptr fs:[00000030h] 11_2_002B4DF0
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Code function: 12_2_003E3F00 mov eax, dword ptr fs:[00000030h] 12_2_003E3F00
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Code function: 12_2_003E4DF0 mov eax, dword ptr fs:[00000030h] 12_2_003E4DF0
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Code function: 13_2_00323F00 mov eax, dword ptr fs:[00000030h] 13_2_00323F00
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Code function: 13_2_00324DF0 mov eax, dword ptr fs:[00000030h] 13_2_00324DF0
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Code function: 14_2_00623F00 mov eax, dword ptr fs:[00000030h] 14_2_00623F00
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Code function: 14_2_00624DF0 mov eax, dword ptr fs:[00000030h] 14_2_00624DF0
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_00483F00 mov eax, dword ptr fs:[00000030h] 15_2_00483F00
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_00484DF0 mov eax, dword ptr fs:[00000030h] 15_2_00484DF0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_003F9860 GetModuleFileNameW,SHGetFolderPathW,SHGetFolderPathW,OpenSCManagerW,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,SHGetFolderPathW,SHGetFolderPathW, 7_2_003F9860

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process created: C:\Windows\SysWOW64\srclient\auditpolmsg.exe C:\Windows\SysWOW64\srclient\auditpolmsg.exe Jump to behavior
Source: C:\Windows\SysWOW64\srclient\auditpolmsg.exe Process created: C:\Windows\SysWOW64\mfc110\wcnwiz.exe C:\Windows\SysWOW64\mfc110\wcnwiz.exe Jump to behavior
Source: C:\Windows\SysWOW64\mfc110\wcnwiz.exe Process created: C:\Windows\SysWOW64\capiprovider\SampleRes.exe C:\Windows\SysWOW64\capiprovider\SampleRes.exe Jump to behavior
Source: C:\Windows\SysWOW64\capiprovider\SampleRes.exe Process created: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe Process created: C:\Windows\SysWOW64\KBDNO\mfc140.exe C:\Windows\SysWOW64\KBDNO\mfc140.exe Jump to behavior
Source: C:\Windows\SysWOW64\KBDNO\mfc140.exe Process created: C:\Windows\SysWOW64\advapi32\ieframe.exe C:\Windows\SysWOW64\advapi32\ieframe.exe Jump to behavior
Source: C:\Windows\SysWOW64\advapi32\ieframe.exe Process created: C:\Windows\SysWOW64\nshipsec\cryptdll.exe C:\Windows\SysWOW64\nshipsec\cryptdll.exe Jump to behavior
Source: C:\Windows\SysWOW64\nshipsec\cryptdll.exe Process created: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 7_2_003F80A0 SetFileInformationByHandle,GetSystemTimeAsFileTime,_snwprintf,GetProcessHeap,HeapFree,CreateFileW,CreateFileW,CloseHandle, 7_2_003F80A0
Source: C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe Code function: 15_2_004853D0 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 15_2_004853D0
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000007.00000002.2256698017.00000000003F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2262096055.0000000000548000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2279698396.00000000003E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2266631097.0000000000578000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2252976219.0000000000588000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2292365132.00000000008C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2286180989.0000000000908000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2257551859.00000000005F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2276010487.00000000005F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2335114479.00000000002B4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2256830860.0000000000586000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2275531038.00000000002B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2335374791.0000000000481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2285331820.00000000008E4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2280766001.0000000000928000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2265953499.0000000000546000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2271093826.0000000000576000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2285132994.0000000000321000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2263042599.00000000005F6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2271279815.00000000007B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2292162710.0000000000621000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2276502729.00000000005E6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2271289978.00000000005E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2265821061.00000000003B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2280282398.00000000005F6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2262078055.0000000000361000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2292126114.00000000002F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.mfc140.exe.3e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SampleRes.exe.7b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.ieframe.exe.320000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cryptdll.exe.620000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wlanui.exe.480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.tmp_e473b4.exe.3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.NlsData0414.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wcnwiz.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.auditpolmsg.exe.360000.1.unpack, type: UNPACKEDPE
Behavior Graph ID: 339446 Sample: sample1.bin Startdate: 14/01/2021 Architecture: WINDOWS Score: 100

Top-level signatures:

  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Malicious sample detected (through community Yara rule)
  • Antivirus detection for dropped file
  • 10 other signatures

Processes started at the root of the graph: tmp_e473b4.exe, certutil.exe, WINWORD.EXE, svchost.exe

certutil.exe: dropped C:\Users\Public\Ksh1.pdf (PE32); signature: Drops PE files to the user root directory

Process chain (each stage carries the same three signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Drops executables to the windows directory (C:\Windows) and starts them; Hides that the sample has been downloaded from the Internet (zone.identifier)):

tmp_e473b4.exe -> auditpolmsg.exe -> wcnwiz.exe -> SampleRes.exe -> NlsData0414.exe -> mfc140.exe -> ieframe.exe -> cryptdll.exe -> wlanui.exe

wlanui.exe network contact: 177.130.51.198, port 80 (WspServicosdeTelecomunicacoesLtdaBR, Brazil)

Contacted Public IPs

IP              Domain   Country  ASN    ASN Name                             Malicious
177.130.51.198  unknown  Brazil   52747  WspServicosdeTelecomunicacoesLtdaBR  true