Play interactive tourEdit tour
Analysis Report COVID-19.doc
Overview
General Information
Detection
Meterpreter
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
Yara detected Meterpreter
Bypasses PowerShell execution policy
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Document contains an embedded VBA macro which might access itself as a file (possible anti-VM)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded macro with GUI obfuscation
Document exploit detected (process start blacklist hit)
Found evasive API chain (may stop execution after checking mutex)
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
May check the online IP address of the machine
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Svchost Process
Suspicious javascript / visual basic script found (invalid extension)
Suspicious powershell command line found
Wscript starts Powershell (via cmd or directly)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains an embedded VBA which reads its own file name (might be used to evade sandboxes)
Document contains embedded VBA macros
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Dropped Files |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| |
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| |
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| |
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| |
HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth |
| |
ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | unknown |
| |
Click to see the 8 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth |
| |
ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | unknown |
| |
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| |
HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth |
| |
ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | unknown |
| |
Click to see the 2 entries |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Sigma detected: Suspicious Svchost Process | Show sources |
Source: | Author: Florian Roth: |
Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Compliance: |
---|
Uses new MSVCR Dlls | Show sources |
Source: | File opened: |
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Networking: |
---|
Yara detected Meterpreter | Show sources |
Source: | File source: |
May check the online IP address of the machine | Show sources |
Source: | DNS query: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: |
Source: | HTTP traffic detected: |