
Analysis Report Deadly Variants of Covid 19.doc

Overview

General Information

Sample Name: Deadly Variants of Covid 19.doc
Analysis ID: 356233
MD5: 3d9171d094dae1fb8da244756dd9733c
SHA1: 91e43ec7a21e7e8c1fc2a6202ca3545974084ad2
SHA256: 4d1bde540b3c45739e1d8cff08e801ccb6ff9caad391109dc298b011a914e57c
Tags: COVID-19, doc, WHO

Most interesting Screenshot:

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected AsyncRAT
Connects to a URL shortener service
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 896 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2276 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • 69577.exe (PID: 2384 cmdline: C:\Users\Public\69577.exe MD5: DCCD2F6A61F8D95552863B537F2B6698)
      • schtasks.exe (PID: 824 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rLliXAh' /XML 'C:\Users\user\AppData\Local\Temp\tmpA055.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • 69577.exe (PID: 2468 cmdline: C:\Users\Public\69577.exe MD5: DCCD2F6A61F8D95552863B537F2B6698)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000004.00000002.2115324062.00000000025C8000.00000004.00000001.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 00000007.00000002.2351735525.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: Process Memory Space: 69577.exe PID: 2384; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security

Unpacked PEs

Source: 4.2.69577.exe.25b56fc.5.raw.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 7.2.69577.exe.400000.0.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 4.2.69577.exe.25b56fc.5.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 4.2.69577.exe.249fdd4.4.raw.unpack; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: 4.2.69577.exe.249fdd4.4.raw.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2276, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 2384
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 67.199.248.10, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2276, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2276, TargetFilename: C:\Users\Public\69577.exe
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rLliXAh' /XML 'C:\Users\user\AppData\Local\Temp\tmpA055.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rLliXAh' /XML 'C:\Users\user\AppData\Local\Temp\tmpA055.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\Public\69577.exe, ParentImage: C:\Users\Public\69577.exe, ParentProcessId: 2384, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rLliXAh' /XML 'C:\Users\user\AppData\Local\Temp\tmpA055.tmp', ProcessId: 824
Sigma detected: Executables Started in Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2276, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 2384
Sigma detected: Execution in Non-Executable Folder
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2276, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 2384
Sigma detected: Suspicious Program Location Process Starts
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2276, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 2384

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mgLD5CcdJx9YVKl[1].jpg; ReversingLabs: Detection: 10%
Source: C:\Users\user\AppData\Roaming\rLliXAh.exe; ReversingLabs: Detection: 10%
Source: C:\Users\Public\69577.exe; ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Deadly Variants of Covid 19.doc; ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mgLD5CcdJx9YVKl[1].jpg; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\rLliXAh.exe; Joe Sandbox ML: detected
Source: C:\Users\Public\69577.exe; Joe Sandbox ML: detected
Source: 7.2.69577.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\69577.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Users\Public\69577.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h; 4_2_00697580
Source: C:\Users\Public\69577.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h; 4_2_00691D74
Source: C:\Users\Public\69577.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h; 4_2_00697574
Source: C:\Users\Public\69577.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h; 4_2_00691D80
Source: global traffic; DNS query: name: bit.ly
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:80
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 79.134.225.49:5000 -> 192.168.2.22:49169
Connects to a URL shortener service
Source: unknown; DNS query: name: bit.ly
Uses dynamic DNS services
Source: unknown; DNS query: name: greatestyear2021.ddns.net
Source: global traffic; TCP traffic: 192.168.2.22:49169 -> 79.134.225.49:5000
Source: Joe Sandbox View; IP Address: 79.134.225.49
Source: Joe Sandbox View; IP Address: 93.89.224.134
Source: Joe Sandbox View; IP Address: 67.199.248.10
Source: Joe Sandbox View; ASN Name: FINK-TELECOM-SERVICESCH
Source: global traffic; HTTP traffic detected:
  GET /2Me6ei3 HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: bit.ly
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /2d/mgLD5CcdJx9YVKl.jpg HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Connection: Keep-Alive
  Host: sgkmudder.org.tr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AD9C643-349E-46EF-BF24-C3A751787722}.tmp
Source: global traffic; HTTP traffic detected:
  GET /2Me6ei3 HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: bit.ly
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /2d/mgLD5CcdJx9YVKl.jpg HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Connection: Keep-Alive
  Host: sgkmudder.org.tr
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: bit.ly
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 69577.exe, 00000007.00000003.2127625486.00000000047F2000.00000004.00000001.sdmp, 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.7.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 69577.exe, 00000007.00000002.2351786512.000000000047C000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enP
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0%
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0-
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0/
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com05
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.entrust.net03
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.entrust.net0D
Source: 69577.exe, 00000004.00000002.2116750494.0000000005EE0000.00000002.00000001.sdmp, 69577.exe, 00000007.00000002.2353539025.0000000004CD0000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp, 69577.exe, 00000007.00000002.2352229975.0000000002481000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 69577.exe, 00000007.00000002.2354290555.0000000005BB0000.00000002.00000001.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: 2Me6ei3[1].htm.2.dr; String found in binary or memory: http://sgkmudder.org.tr/2d/mgLD5CcdJx9YVKl.jpg
Source: 69577.exe, 00000004.00000002.2116750494.0000000005EE0000.00000002.00000001.sdmp, 69577.exe, 00000007.00000002.2353539025.0000000004CD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: 69577.exe, 00000007.00000002.2351810236.00000000004B6000.00000004.00000020.sdmp; String found in binary or memory: https://secure.comodo.com/CPS0
Source: 69577.exe, 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match; File source: 00000004.00000002.2115324062.00000000025C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2115181677.0000000002481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2351735525.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 69577.exe PID: 2384, type: MEMORY
Source: Yara match; File source: Process Memory Space: 69577.exe PID: 2468, type: MEMORY
Source: Yara match; File source: 4.2.69577.exe.25b56fc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.69577.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.69577.exe.25b56fc.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.69577.exe.249fdd4.4.raw.unpack, type: UNPACKEDPE

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mgLD5CcdJx9YVKl[1].jpg
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\69577.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\69577.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\69577.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\69577.exe; Code function: 4_2_00465948
Source: C:\Users\Public\69577.exe; Code function: 4_2_0046DD70
Source: C:\Users\Public\69577.exe; Code function: 4_2_004636CA
Source: C:\Users\Public\69577.exe; Code function: 4_2_00465720
Source: C:\Users\Public\69577.exe; Code function: 4_2_00463FA9
Source: C:\Users\Public\69577.exe; Code function: 4_2_0046488F
Source: C:\Users\Public\69577.exe; Code function: 4_2_0046408B
Source: C:\Users\Public\69577.exe; Code function: 4_2_0046492F
Source: C:\Users\Public\69577.exe; Code function: 4_2_0046412B
Source: C:\Users\Public\69577.exe; Code function: 4_2_004649CF
Source: C:\Users\Public\69577.exe; Code function: 4_2_004641CB
Source: C:\Users\Public\69577.exe; Code function: 4_2_00464A6A
Source: C:\Users\Public\69577.exe; Code function: 4_2_00464268
Source: C:\Users\Public\69577.exe; Code function: 4_2_00464B0A
Source: C:\Users\Public\69577.exe; Code function: 4_2_00464308
Source: C:\Users\Public\69577.exe; Code function: 4_2_00464BA4
Source: C:\Users\Public\69577.exe; Code function: 4_2_004643A8
Source: C:\Users\Public\69577.exe; Code function: 4_2_00464442
Source: C:\Users\Public\69577.exe; Code function: 4_2_00464C41
Source: C:\Users\Public\69577.exe; Code function: 4_2_004644E2
Source: C:\Users\Public\69577.exe; Code function: 4_2_004674E8
Source: C:\Users\Public\69577.exe; Code function: 4_2_0046457F
Source: C:\Users\Public\69577.exe; Code function: 4_2_00464619
Source: C:\Users\Public\69577.exe; Code function: 4_2_00460EEA
Source: C:\Users\Public\69577.exe; Code function: 4_2_004646B9
Source: C:\Users\Public\69577.exe; Code function: 4_2_00465710
Source: C:\Users\Public\69577.exe; Code function: 4_2_004647EF
Source: C:\Users\Public\69577.exe; Code function: 4_2_00463FF1
Source: C:\Users\Public\69577.exe; Code function: 4_2_00696418
Source: C:\Users\Public\69577.exe; Code function: 4_2_006955D0
Source: C:\Users\Public\69577.exe; Code function: 4_2_00695078
Source: C:\Users\Public\69577.exe; Code function: 7_2_00384DB8
Source: C:\Users\Public\69577.exe; Code function: 7_2_00385688
Source: C:\Users\Public\69577.exe; Code function: 7_2_003871F8
Source: C:\Users\Public\69577.exe; Code function: 7_2_00384A70
Source: 7.2.69577.exe.400000.0.unpack, Client/Settings.cs; Base64 encoded string: 'GKyOs4mqqffrORbI+/SRDpDoWIHE7D9sSHoEMvC02sIHmvCDNWQu4eQ2CSkUkryaSTqv1Lc7sX9a+95BfwlqKlGP3NE0911acn24pjupCiE=', 'Nyi0F1igo6v0KFrZP/hXZp+cU2YJnVu/jH17vtFNQvjANrhd2gEnvSMfQLWpCkMG2YDOvKHxP+/Ed1RXXjNjXg==', 'PJvf6bLPQIzvp8wi/eJWbZHAwDKMh+cb/S+IhaLtlwSfyWDkQU2XZyXl+lgfFG4zKsH7M+94v9G7neDSBUAszHbQprcp0xVzEqueEcaNfWo=', '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', 'ze7mDq6AUfAO4/XDqQ9KTDg/4gOhNcqJuhRKQPbWcWLDUwjqOkgZYOg88ry1jyxgCtiIJ2Oab8L0207OXaDh4Q==', 'w9QHBiF4GNH2OE1WWIq/iALIlOVzLN+eqm/CymJld2qvp0cHlkpQL4Im9GSZcrsfLCcV3GOanTpc07FT5fkDjA==', 'zZ0k0sT0L/YwqUO6mapP8hk2zsVknfrnj4e56GEKR0bJWQifogqCb6TzWELfE3WRd7vTZ1NLZ/TYPymQl7E0hg==', 'I6q2Evg/k/+LyIZ7xcwC8YgfnMNMpCKwrpsAsAEsWsTJkSQGH4VaK19V1ua8Wc5qxzd88ykyr3AqWIZemNNifg=='
Source: classification engine; Classification label: mal100.troj.expl.evad.winDOC@8/18@3/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\Desktop\~$adly Variants of Covid 19.doc
Source: C:\Users\Public\69577.exe; Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRC7E0.tmp
Source: C:\Windows\SysWOW64\schtasks.exe; Console Write: ................P.......................(.P.....P.......H...............Lq......................................................................
Source: C:\Users\Public\69577.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\Public\69577.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll