Analysis Report purchase order_2242021.doc

Overview

General Information

Sample Name: purchase order_2242021.doc
Analysis ID: 357325
MD5: f0c779ec7573308d5c5bbf15762391d5
SHA1: 6934649699360c8cf7a0d8dee37c994082268054
SHA256: fe38000650bb91c8e0d5aee0a0bff8136d849d58dc6f7d9f35d33788abd9a799
Tags: doc
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected GuLoader
Connects to a URL shortener service
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops PE files to the user directory
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
One or more processes crash
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PWua8[1].txt ReversingLabs: Detection: 12%
Source: C:\Users\Public\69577.exe ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: purchase order_2242021.doc Virustotal: Detection: 43% Perma Link
Source: purchase order_2242021.doc ReversingLabs: Detection: 27%

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: bit.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 5.79.72.163:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 67.199.248.11:80

Networking:

barindex
Connects to a URL shortener service
Source: unknown DNS query: name: bit.ly
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 67.199.248.11 67.199.248.11
Source: Joe Sandbox View IP Address: 5.79.72.163 5.79.72.163
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /3qO7045 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6618253-1CF8-4E74-AA78-05F4F57053A0}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /3qO7045 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: bit.ly
Source: RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp String found in binary or memory: http://JSQBKI.com
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000005.00000002.2351474503.00000000005BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 00000005.00000002.2351812250.0000000002750000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000005.00000002.2351812250.0000000002750000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp String found in binary or memory: https://cbzrfq.bl.files.1drv.com/
Source: RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp String found in binary or memory: https://cbzrfq.bl.files.1drv.com/D
Source: RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: https://cbzrfq.bl.files.1drv.com/y4mw_bU6RxcRDqG2orF_kxpFaZd0uY1XmxWWfx-XauAPJLaxLYBgtFEfSbIefZC0rnX
Source: RegAsm.exe, 00000005.00000002.2351474503.00000000005BD000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.2351491082.00000000005D8000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21108&authkey=AN1oxHG
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: 3qO7045[1].htm.2.dr String found in binary or memory: https://u.teknik.io/PWua8.txt
Source: RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443

E-Banking Fraud:

barindex
Drops certificate files (DER)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Jump to dropped file

System Summary:

barindex
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PWua8[1].txt Jump to dropped file
Abnormal high CPU Usage
Source: C:\Users\Public\69577.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\69577.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\69577.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096AA5 NtProtectVirtualMemory,NtQueryInformationProcess, 5_2_00096AA5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096F2E LoadLibraryA,NtQueryInformationProcess, 5_2_00096F2E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00097007 NtQueryInformationProcess, 5_2_00097007
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00097013 NtQueryInformationProcess, 5_2_00097013
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0009705C NtQueryInformationProcess, 5_2_0009705C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00097081 NtQueryInformationProcess, 5_2_00097081
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00097097 NtQueryInformationProcess, 5_2_00097097
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_000970B2 NtQueryInformationProcess, 5_2_000970B2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_000970C9 NtQueryInformationProcess, 5_2_000970C9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0009710B NtQueryInformationProcess, 5_2_0009710B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00097151 NtQueryInformationProcess, 5_2_00097151
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0009717A NtQueryInformationProcess, 5_2_0009717A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00097190 NtQueryInformationProcess, 5_2_00097190
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_000971A9 NtQueryInformationProcess, 5_2_000971A9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_000971DE NtQueryInformationProcess, 5_2_000971DE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_000971F7 NtQueryInformationProcess, 5_2_000971F7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0009720F NtQueryInformationProcess, 5_2_0009720F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096A5F NtProtectVirtualMemory, 5_2_00096A5F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096A7D NtQueryInformationProcess, 5_2_00096A7D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096A7F NtQueryInformationProcess, 5_2_00096A7F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0009729D NtQueryInformationProcess, 5_2_0009729D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096ABF NtQueryInformationProcess, 5_2_00096ABF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096AF6 NtQueryInformationProcess, 5_2_00096AF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096B15 NtQueryInformationProcess, 5_2_00096B15
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096E84 NtQueryInformationProcess, 5_2_00096E84
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096F47 NtQueryInformationProcess, 5_2_00096F47
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096F75 NtQueryInformationProcess, 5_2_00096F75
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096FA1 NtQueryInformationProcess, 5_2_00096FA1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096FBD NtQueryInformationProcess, 5_2_00096FBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096FD8 NtQueryInformationProcess, 5_2_00096FD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0097B0BA NtQuerySystemInformation, 5_2_0097B0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0097B089 NtQuerySystemInformation, 5_2_0097B089
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1612
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@8/19@4/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0097AF3E AdjustTokenPrivileges, 5_2_0097AF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0097AF07 AdjustTokenPrivileges, 5_2_0097AF07
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$rchase order_2242021.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCAAE.tmp Jump to behavior
Source: C:\Users\Public\69577.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: purchase order_2242021.doc Virustotal: Detection: 43%
Source: purchase order_2242021.doc ReversingLabs: Detection: 27%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1612
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Users\Public\69577.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1612 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: purchase order_2242021.doc Static file information: File size 1797651 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2464, type: MEMORY

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PWua8[1].txt Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PWua8[1].txt Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000005D3918 second address: 00000000005D3918 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F957CAC2328h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F957CAC2332h 0x0000001f cmp bx, bx 0x00000022 cmp bx, dx 0x00000025 pop ecx 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F957CAC22F7h 0x0000002e cmp ah, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 call 00007F957CAC23A9h 0x00000038 call 00007F957CAC2338h 0x0000003d lfence 0x00000040 mov edx, dword ptr [7FFE0014h] 0x00000046 lfence 0x00000049 ret 0x0000004a mov esi, edx 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000005D38DF second address: 00000000005D3B4F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F957C3859D2h 0x0000000c pushad 0x0000000d mov bx, 2AB1h 0x00000011 cmp bx, 2AB1h 0x00000016 jne 00007F957C382536h 0x0000001c popad 0x0000001d ret 0x0000001e jmp 00007F957C3859D2h 0x00000020 test dx, ax 0x00000023 jmp 00007F957C3859D2h 0x00000025 cmp eax, edx 0x00000027 jmp 00007F957C3859D2h 0x00000029 test bl, bl 0x0000002b jmp 00007F957C3859D2h 0x0000002d test dh, dh 0x0000002f mov dword ptr [ebp+0000009Ch], 00000000h 0x00000039 jmp 00007F957C3859D2h 0x0000003b test bx, ax 0x0000003e xor edi, edi 0x00000040 jmp 00007F957C3859D2h 0x00000042 test bl, 00000069h 0x00000045 mov ecx, 000186A0h 0x0000004a jmp 00007F957C3859D2h 0x0000004c test dx, ax 0x0000004f jmp 00007F957C3859D2h 0x00000051 cmp eax, edx 0x00000053 test dx, cx 0x00000056 cmp bx, dx 0x00000059 push ecx 0x0000005a call 00007F957C385A62h 0x0000005f call 00007F957C385A22h 0x00000064 lfence 0x00000067 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000005D3A7D second address: 00000000005D3B4F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test cl, 00000016h 0x0000000d add dword ptr [ebp+0000009Ch], 01h 0x00000014 jmp 00007F957C3859D2h 0x00000016 test eax, ecx 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007F957C385959h 0x00000020 cmp bx, dx 0x00000023 push ecx 0x00000024 call 00007F957C385A62h 0x00000029 call 00007F957C385A22h 0x0000002e lfence 0x00000031 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000005D3473 second address: 00000000005D5189 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F957C3859D2h 0x0000000c test ch, ah 0x0000000e jmp 00007F957C387110h 0x00000013 call 00007F957C384277h 0x00000018 pop eax 0x00000019 cmp ax, dx 0x0000001c push edi 0x0000001d push eax 0x0000001e call 00007F957C387693h 0x00000023 jmp 00007F957C3859D2h 0x00000025 pushad 0x00000026 mov ebx, 000000ACh 0x0000002b rdtsc
Tries to detect Any.run
Source: C:\Users\Public\69577.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\Public\69577.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000005D3918 second address: 00000000005D3918 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F957CAC2328h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F957CAC2332h 0x0000001f cmp bx, bx 0x00000022 cmp bx, dx 0x00000025 pop ecx 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F957CAC22F7h 0x0000002e cmp ah, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 call 00007F957CAC23A9h 0x00000038 call 00007F957CAC2338h 0x0000003d lfence 0x00000040 mov edx, dword ptr [7FFE0014h] 0x00000046 lfence 0x00000049 ret 0x0000004a mov esi, edx 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000005D38DF second address: 00000000005D3B4F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F957C3859D2h 0x0000000c pushad 0x0000000d mov bx, 2AB1h 0x00000011 cmp bx, 2AB1h 0x00000016 jne 00007F957C382536h 0x0000001c popad 0x0000001d ret 0x0000001e jmp 00007F957C3859D2h 0x00000020 test dx, ax 0x00000023 jmp 00007F957C3859D2h 0x00000025 cmp eax, edx 0x00000027 jmp 00007F957C3859D2h 0x00000029 test bl, bl 0x0000002b jmp 00007F957C3859D2h 0x0000002d test dh, dh 0x0000002f mov dword ptr [ebp+0000009Ch], 00000000h 0x00000039 jmp 00007F957C3859D2h 0x0000003b test bx, ax 0x0000003e xor edi, edi 0x00000040 jmp 00007F957C3859D2h 0x00000042 test bl, 00000069h 0x00000045 mov ecx, 000186A0h 0x0000004a jmp 00007F957C3859D2h 0x0000004c test dx, ax 0x0000004f jmp 00007F957C3859D2h 0x00000051 cmp eax, edx 0x00000053 test dx, cx 0x00000056 cmp bx, dx 0x00000059 push ecx 0x0000005a call 00007F957C385A62h 0x0000005f call 00007F957C385A22h 0x00000064 lfence 0x00000067 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000005D3B4F second address: 00000000005D3B4F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F957CAC4627h 0x0000001d popad 0x0000001e call 00007F957CAC236Ah 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000005D3A7D second address: 00000000005D3B4F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test cl, 00000016h 0x0000000d add dword ptr [ebp+0000009Ch], 01h 0x00000014 jmp 00007F957C3859D2h 0x00000016 test eax, ecx 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007F957C385959h 0x00000020 cmp bx, dx 0x00000023 push ecx 0x00000024 call 00007F957C385A62h 0x00000029 call 00007F957C385A22h 0x0000002e lfence 0x00000031 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000005D534E second address: 00000000005D534E instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dx, word ptr [esi+ecx] 0x0000000f jmp 00007F957CAC2332h 0x00000011 test dh, 00000068h 0x00000014 cmp bx, dx 0x00000017 jne 00007F957CAC2293h 0x0000001d push dword ptr [esp+04h] 0x00000021 jmp 00007F957CAC2332h 0x00000023 test bx, ax 0x00000026 call 00007F957CAC2555h 0x0000002b mov ebx, dword ptr [esp+04h] 0x0000002f xor ecx, ecx 0x00000031 add ecx, 02h 0x00000034 cmp word ptr [ebx+ecx], 0000h 0x00000039 jne 00007F957CAC2318h 0x0000003b add ecx, 02h 0x0000003e cmp word ptr [ebx+ecx], 0000h 0x00000043 jne 00007F957CAC2318h 0x00000045 add ecx, 02h 0x00000048 cmp word ptr [ebx+ecx], 0000h 0x0000004d jne 00007F957CAC2318h 0x0000004f add ecx, 02h 0x00000052 cmp word ptr [ebx+ecx], 0000h 0x00000057 jne 00007F957CAC2318h 0x00000059 add ecx, 02h 0x0000005c cmp word ptr [ebx+ecx], 0000h 0x00000061 jne 00007F957CAC2318h 0x00000063 add ecx, 02h 0x00000066 cmp word ptr [ebx+ecx], 0000h 0x0000006b jne 00007F957CAC2318h 0x0000006d add ecx, 02h 0x00000070 cmp word ptr [ebx+ecx], 0000h 0x00000075 jne 00007F957CAC2318h 0x00000077 retn 0004h 0x0000007a jmp 00007F957CAC2332h 0x0000007c cmp dh, dh 0x0000007e sub ecx, 02h 0x00000081 add eax, 02h 0x00000084 jmp 00007F957CAC2332h 0x00000086 cmp dl, cl 0x00000088 mov bx, word ptr [eax+ecx] 0x0000008c jmp 00007F957CAC2332h 0x0000008e pushad 0x0000008f lfence 0x00000092 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000005D3473 second address: 00000000005D5189 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F957C3859D2h 0x0000000c test ch, ah 0x0000000e jmp 00007F957C387110h 0x00000013 call 00007F957C384277h 0x00000018 pop eax 0x00000019 cmp ax, dx 0x0000001c push edi 0x0000001d push eax 0x0000001e call 00007F957C387693h 0x00000023 jmp 00007F957C3859D2h 0x00000025 pushad 0x00000026 mov ebx, 000000ACh 0x0000002b rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000093B4F second address: 0000000000093B4F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F957CAC4627h 0x0000001d popad 0x0000001e call 00007F957CAC236Ah 0x00000023 lfence 0x00000026 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0009381F rdtsc 5_2_0009381F
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2412 Thread sleep time: -420000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3008 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\Public\69577.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\Public\69577.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0009381F rdtsc 5_2_0009381F
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_000959F0 mov eax, dword ptr fs:[00000030h] 5_2_000959F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0009640D mov eax, dword ptr fs:[00000030h] 5_2_0009640D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0009643D mov eax, dword ptr fs:[00000030h] 5_2_0009643D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096432 mov eax, dword ptr fs:[00000030h] 5_2_00096432
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096451 mov eax, dword ptr fs:[00000030h] 5_2_00096451
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096477 mov eax, dword ptr fs:[00000030h] 5_2_00096477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00096499 mov eax, dword ptr fs:[00000030h] 5_2_00096499
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_000955CD mov eax, dword ptr fs:[00000030h] 5_2_000955CD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_000936C3 mov eax, dword ptr fs:[00000030h] 5_2_000936C3
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\Public\69577.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 90000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Users\Public\69577.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1612 Jump to behavior
Source: RegAsm.exe, 00000005.00000002.2351782840.0000000001350000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000005.00000002.2351782840.0000000001350000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000002.2351782840.0000000001350000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_000938DD cpuid 5_2_000938DD
Source: C:\Users\Public\69577.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Adds / modifies Windows certificates
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2464, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 357325 Sample: purchase order_2242021.doc Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for dropped file 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected GuLoader 2->44 46 11 other signatures 2->46 8 EQNEDT32.EXE 17 2->8         started        13 WINWORD.EXE 291 26 2->13         started        process3 dnsIp4 34 teknik.io 5.79.72.163, 443, 49168 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 8->34 36 bit.ly 67.199.248.11, 49167, 80 GOOGLE-PRIVATE-CLOUDUS United States 8->36 38 u.teknik.io 8->38 24 C:\Users\user\AppData\Local\...\PWua8[1].txt, PE32 8->24 dropped 26 C:\Users\Public\69577.exe, PE32 8->26 dropped 54 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 8->54 15 69577.exe 1 8->15         started        file5 signatures6 process7 signatures8 56 Multi AV Scanner detection for dropped file 15->56 58 Writes to foreign memory regions 15->58 60 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 15->60 62 3 other signatures 15->62 18 RegAsm.exe 12 15->18         started        process9 dnsIp10 28 onedrive.live.com 18->28 30 cbzrfq.bl.files.1drv.com 18->30 32 bl-files.fe.1drv.com 18->32 48 Tries to detect Any.run 18->48 50 Tries to detect virtualization through RDTSC time measurements 18->50 52 Hides threads from debuggers 18->52 22 dw20.exe 18->22         started        signatures11 process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
67.199.248.11
 unknown United States
396982 GOOGLE-PRIVATE-CLOUDUS false
5.79.72.163
 unknown Netherlands
60781 LEASEWEB-NL-AMS-01NetherlandsNL false

Contacted Domains

Name IP Active
bit.ly 67.199.248.11 true
teknik.io 5.79.72.163 true
onedrive.live.com unknown unknown
cbzrfq.bl.files.1drv.com unknown unknown
u.teknik.io unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://bit.ly/3qO7045 false
    		high