Analysis Report DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc

Overview

General Information

Sample Name: DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc
Analysis ID: 358185
MD5: 3564ae31fbd0417674e60e71cb1b0f10
SHA1: 845e9c3d36ded3de8a57c6c81c7318577b851626
SHA256: fb678c5c0e9dfb294c67907f2d195ab7a5046458e00983e74319b272de7f06b4
Tags: DHLdoc

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
Connects to a URL shortener service
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Hides threads from debuggers
Modifies the hosts file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\WLjtp[1].txt ReversingLabs: Detection: 27%
Source: C:\Users\user\subfolder1\filename1.exe ReversingLabs: Detection: 27%
Source: C:\Users\Public\69577.exe ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc ReversingLabs: Detection: 22%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: bit.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 5.79.72.163:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 67.199.248.11:80

Networking:

Connects to a URL shortener service
Source: unknown DNS query: name: bit.ly
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 67.199.248.11
Source: Joe Sandbox View IP Address: 5.79.72.163
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLE-PRIVATE-CLOUDUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /2NYVK6q HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: bit.ly
Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0EAA91A7-30AB-4901-9D2A-3CE504568F55}.tmp
Source: RegAsm.exe, 00000006.00000002.2362029615.0000000000897000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comj equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000006.00000002.2362029615.0000000000897000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: bit.ly
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000006.00000002.2367991308.000000001DB80000.00000004.00000001.sdmp String found in binary or memory: http://mscrl.micros
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000006.00000002.2361921486.000000000085D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 00000006.00000002.2364332174.00000000028D0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000006.00000002.2364332174.00000000028D0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: https://1ae2wq.bl.files.1drv.com/
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: https://1ae2wq.bl.files.1drv.com/D
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp, RegAsm.exe, 00000006.00000002.2362029615.0000000000897000.00000004.00000020.sdmp String found in binary or memory: https://1ae2wq.bl.files.1drv.com/y4mF77Blnwr8TsPyz2B-1c6fGLZjEGCG_1HZbGIwXU3xbZegnh_KEVDyUwwuL1T_Nh-
Source: RegAsm.exe, 00000006.00000002.2361986527.000000000087A000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, 00000006.00000002.2362029615.0000000000897000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21111&authkey=AAYIwGN
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: 2NYVK6q[1].htm.2.dr String found in binary or memory: https://u.teknik.io/WLjtp.txt
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\WLjtp[1].txt
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Abnormal high CPU Usage
Source: C:\Users\Public\69577.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\69577.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\69577.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00096FFB NtProtectVirtualMemory, 6_2_00096FFB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_005EB362 NtQuerySystemInformation, 6_2_005EB362
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_005EB331 NtQuerySystemInformation, 6_2_005EB331
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00BA02C8 6_2_00BA02C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00BA0CD8 6_2_00BA0CD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_1D7BE920 6_2_1D7BE920
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_1D7B0007 6_2_1D7B0007
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_1D7BF730 6_2_1D7BF730
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_1D7BFA97 6_2_1D7BFA97
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_1D7BF12C 6_2_1D7BF12C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_1D7BF7AC 6_2_1D7BF7AC
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00409842 10_2_00409842
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00409870 10_2_00409870
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00409815 10_2_00409815
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_004098C5 10_2_004098C5
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00409892 10_2_00409892
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00409951 10_2_00409951
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00409923 10_2_00409923
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_004099D3 10_2_004099D3
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_004099FA 10_2_004099FA
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_004099A5 10_2_004099A5
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00409A53 10_2_00409A53
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00409A22 10_2_00409A22
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00409AB0 10_2_00409AB0
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00409761 10_2_00409761
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00409735 10_2_00409735
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_004097EC 10_2_004097EC
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_004093F5 10_2_004093F5
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_0040978F 10_2_0040978F
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_00405935 10_2_00405935
PE file contains strange resources
Source: filename1.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.adwa.expl.evad.winDOC@7/21@6/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_005EB1E6 AdjustTokenPrivileges, 6_2_005EB1E6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_005EB1AF AdjustTokenPrivileges, 6_2_005EB1AF
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$L_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRB24E.tmp
Source: C:\Users\Public\69577.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc ReversingLabs: Detection: 22%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: unknown Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc Static file information: File size 1410843 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2361430773.0000000000092000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1796, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_000938E5 push ds; retf 6_2_00093911
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_1E080B4F push ds; retn 0020h 6_2_1E080B4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_1E080929 push ds; retn 0008h 6_2_1E080A34
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_0040E0BD push ecx; ret 10_2_0040E0BE
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_0040ED57 push ds; ret 10_2_0040ED72
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_0040CD22 push ecx; ret 10_2_0040CD2A
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_0040B93D push ebx; ret 10_2_0040B93E
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_0040DDC9 push edx; ret 10_2_0040DDCA
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_0040D5D9 push ebp; retf 10_2_0040D5DA
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_0040D5DB push FFFFFFC3h; ret 10_2_0040D742
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_0040ED8A push ds; ret 10_2_0040EDAA
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_0040CA85 push ecx; ret 10_2_0040CA86
Source: C:\Users\user\subfolder1\filename1.exe Code function: 10_2_0040B383 push esi; ret 10_2_0040B38A

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\WLjtp[1].txt
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\subfolder1\filename1.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\WLjtp[1].txt

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_0009689E LoadLibraryA, 6_2_0009689E
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000002A69EF second address: 00000000002A69EF instructions:
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000002A6B43 second address: 00000000002A6B43 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 00000000000917FD second address: 00000000000917FD instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 00000000000916A4 second address: 00000000000916A4 instructions:
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Tries to detect Any.run
Source: C:\Users\Public\69577.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\Public\69577.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000002A69EF second address: 00000000002A69EF instructions:
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000002A6B43 second address: 00000000002A6B43 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 00000000000917FD second address: 00000000000917FD instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 00000000000916A4 second address: 00000000000916A4 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00094580 rdtsc 6_2_00094580
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2516 Thread sleep time: -300000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2516 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2408 Thread sleep time: -480000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1552 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1552 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1552 Thread sleep time: -30000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\Public\69577.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\Public\69577.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00094580 rdtsc 6_2_00094580
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00094450 LdrInitializeThunk, 6_2_00094450
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_0009689E mov eax, dword ptr fs:[00000030h] 6_2_0009689E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_000968B9 mov eax, dword ptr fs:[00000030h] 6_2_000968B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_000968D6 mov eax, dword ptr fs:[00000030h] 6_2_000968D6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_000968EE mov eax, dword ptr fs:[00000030h] 6_2_000968EE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_0009690A mov eax, dword ptr fs:[00000030h] 6_2_0009690A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_0009692B mov eax, dword ptr fs:[00000030h] 6_2_0009692B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00096941 mov eax, dword ptr fs:[00000030h] 6_2_00096941
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_0009399A mov eax, dword ptr fs:[00000030h] 6_2_0009399A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00093997 mov eax, dword ptr fs:[00000030h] 6_2_00093997
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00095A17 mov eax, dword ptr fs:[00000030h] 6_2_00095A17
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00095EFD mov eax, dword ptr fs:[00000030h] 6_2_00095EFD
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts
Writes to foreign memory regions
Source: C:\Users\Public\69577.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 90000
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: RegAsm.exe, 00000006.00000002.2363904179.00000000012D0000.00000002.00000001.sdmp, filename1.exe, 0000000A.00000002.2362327201.00000000009B0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000006.00000002.2363904179.00000000012D0000.00000002.00000001.sdmp, filename1.exe, 0000000A.00000002.2362327201.00000000009B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000006.00000002.2363904179.00000000012D0000.00000002.00000001.sdmp, filename1.exe, 0000000A.00000002.2362327201.00000000009B0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\Public\69577.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts
Adds / modifies Windows certificates
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Behavior Graph (ID: 358185, Sample: DHL_ DELIVERY_ PICKUP _CONF..., Startdate: 25/02/2021, Architecture: WINDOWS, Score: 100)

Root signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 10 other signatures
Processes started from the sample: EQNEDT32.EXE, filename1.exe, WINWORD.EXE
EQNEDT32.EXE: contacts 67.199.248.11 port 80 (GOOGLE-PRIVATE-CLOUDUS, United States), teknik.io 5.79.72.163 port 443 (LEASEWEB-NL-AMS-01NetherlandsNL, Netherlands) and 2 other IPs or domains; drops C:\Users\user\AppData\Local\...\WLjtp[1].txt (PE32) and C:\Users\Public\69577.exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); starts 69577.exe
filename1.exe: Multi AV Scanner detection for dropped file
69577.exe: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); 3 other signatures; starts RegAsm.exe
RegAsm.exe: contacts onedrive.live.com, bl-files.fe.1drv.com, 1ae2wq.bl.files.1drv.com; drops C:\Users\user\subfolder1\filename1.exe (PE32) and C:\Windows\System32\drivers\etc\hosts (ASCII); signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Contains functionality to detect hardware virtualization (CPUID execution measurement); 5 other signatures

Contacted Public IPs

IP              Domain   Country         ASN     ASN Name                          Malicious
67.199.248.11   unknown  United States   396982  GOOGLE-PRIVATE-CLOUDUS            true
5.79.72.163     unknown  Netherlands     60781   LEASEWEB-NL-AMS-01NetherlandsNL   false

Contacted Domains

Name IP Active
bit.ly 67.199.248.10 true
teknik.io 5.79.72.163 true
onedrive.live.com unknown unknown
1ae2wq.bl.files.1drv.com unknown unknown
u.teknik.io unknown unknown

Contacted URLs

Name                    Malicious   Antivirus Detection   Reputation
http://bit.ly/2NYVK6q   false                             high