Analysis Report PL_503_13_570.docx

Overview

General Information

Sample Name: PL_503_13_570.docx
Analysis ID: 404284
MD5: 158e499db47d9c6a56449c86f3b1596f
SHA1: 6d0e9274649112ec7e9a757168b7de6eb2c48ff2
SHA256: 5e7fe9a4eb6dc098b6ed28b083d277455d66a515e7c78b270ad0515a90279f45

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected Vidar stealer
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Downloads files whose content does not match the declared MIME Content-Type
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains no OLE stream with summary information
Document has an unknown application name
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
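Several of the network signatures above describe the same kind of check: compare what the HTTP layer claims with what was actually transferred. The script below is an added example, not Joe Sandbox code; it reimplements four of those signatures (content not matching the declared MIME Content-Type, executable code downloaded over HTTP, data posted to a .jpg URL, and a request with no User-Agent) over request/response pairs. The magic-byte table, the `Transfer` shape and the sample transfers are all constructed for the example and are not taken from this analysis's capture.

```python
"""Triage HTTP transfers for the protocol-level oddities this report flags.

Added example for this report; it is not Joe Sandbox code. It reproduces the
logic behind four signatures listed above: a payload whose magic bytes
contradict the declared Content-Type, executable code fetched over HTTP, a
POST whose URL path ends in an image extension, and a request without a
User-Agent. The transfers at the bottom are constructed for the example, not
taken from the sandbox capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (leading magic bytes, MIME type a server should declare for that payload)
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "application/x-msdownload"),   # PE image (EXE/DLL)
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),    # also OOXML (.docx) and JAR
]

# Declared types that make no claim about the payload, so they never mismatch.
GENERIC_TYPES = {"application/octet-stream", "binary/octet-stream", ""}

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def sniff(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the first bytes of body, or None."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


@dataclass
class Transfer:
    """One request/response pair as a proxy log or pcap parser would hand it over."""
    method: str
    path: str
    request_headers: Dict[str, str]
    response_content_type: str
    body: bytes = b""


def triage(t: Transfer) -> List[str]:
    """Return the finding codes that apply to a single transfer."""
    findings: List[str] = []
    declared = t.response_content_type.split(";")[0].strip().lower()
    actual = sniff(t.body)

    if actual and declared not in GENERIC_TYPES and declared != actual:
        findings.append("mime_mismatch")          # e.g. text/html carrying MZ
    if actual == "application/x-msdownload":
        findings.append("pe_download")            # executable code via HTTP
    bare_path = t.path.lower().split("?", 1)[0]
    if t.method.upper() == "POST" and bare_path.endswith(IMAGE_EXTENSIONS):
        findings.append("post_to_image_path")     # data posted to a ".jpg"
    if not any(k.lower() == "user-agent" for k in t.request_headers):
        findings.append("no_user_agent")
    return findings


def triage_all(transfers: List[Transfer]) -> Dict[str, List[str]]:
    """Map each transfer's path to its findings."""
    return {t.path: triage(t) for t in transfers}


# Constructed transfers (not from the sandbox pcap): a stager fetching a PE
# that the server labels as HTML, a stealer posting to a ".jpg" URL without a
# User-Agent, and a benign image fetch as a control.
SAMPLE_TRANSFERS = [
    Transfer("GET", "/dl/payload", {"Host": "example.invalid"},
             "text/html; charset=utf-8",
             b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
    Transfer("POST", "/upload/image.jpg",
             {"Host": "example.invalid",
              "Content-Type": "multipart/form-data; boundary=----x"},
             "text/plain", b"ok"),
    Transfer("GET", "/logo.png",
             {"Host": "example.invalid", "User-Agent": "Mozilla/5.0"},
             "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
]

if __name__ == "__main__":
    for path, codes in triage_all(SAMPLE_TRANSFERS).items():
        print(f"{path:20} {', '.join(codes) or 'clean'}")
```

The generic `application/octet-stream` type is deliberately exempted from the mismatch rule: a PE served that way is still reported as `pe_download`, but it is not a lie about the content, which is what the mismatch signature is meant to catch.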

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2152 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2620 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • toqqx.exe (PID: 2828 cmdline: C:\Users\user\toqqx.exe MD5: 5753388FBFCDE9E08D00AC9E2BE5D881)
      • toqqx.exe (PID: 2540 cmdline: C:\Users\user\AppData\Local\Temp\toqqx.exe MD5: 5753388FBFCDE9E08D00AC9E2BE5D881)
        • cmd.exe (PID: 3036 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /pid 2540 & erase C:\Users\user\AppData\Local\Temp\toqqx.exe & RD /S /Q C:\\ProgramData\\843743064682002\\* & exit MD5: AD7B9C14083B52BC532FBA5948342B98)
          • taskkill.exe (PID: 2296 cmdline: taskkill /pid 2540 MD5: 94BDCAFBD584C979B385ADEE14B08AB4)
  • EQNEDT32.EXE (PID: 2944 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • EQNEDT32.EXE (PID: 2480 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • toqqx.exe (PID: 2896 cmdline: C:\Users\user\toqqx.exe MD5: 5753388FBFCDE9E08D00AC9E2BE5D881)
      • toqqx.exe (PID: 2492 cmdline: C:\Users\user\AppData\Local\Temp\toqqx.exe MD5: 5753388FBFCDE9E08D00AC9E2BE5D881)
  • EQNEDT32.EXE (PID: 2276 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • EQNEDT32.EXE (PID: 2228 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Configuration

Threatname: Vidar

{"C2 url": "198.98.60.43", "RC4 Key": "056139954853430408"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: toqqx.exe PID: 2540 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | -

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 31.210.20.6, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2620, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2620, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Sugvt[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\toqqx.exe, CommandLine: C:\Users\user\toqqx.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\toqqx.exe, NewProcessName: C:\Users\user\toqqx.exe, OriginalFileName: C:\Users\user\toqqx.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2620, ProcessCommandLine: C:\Users\user\toqqx.exe, ProcessId: 2828
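The three Sigma hits above all key on the Equation Editor process (Sysmon event 1 with EQNEDT32.EXE as parent, event 3 with EQNEDT32.EXE initiating a connection, event 11 with EQNEDT32.EXE creating a file), and the Startup tree adds a fourth pattern worth a rule: the cmd.exe chain that kills the stealer, erases its binary and wipes its ProgramData directory. The script below is an added example, not the Sigma rules' own text and not Joe Security's or Florian Roth's code; it expresses those four checks as Python predicates over Sysmon-style event dictionaries. The field names are the Sysmon fields shown in the Sigma data rows above; the sample events are constructed from this report's process tree and Sigma rows, not taken from the sandbox's raw event log.

```python
"""Replay the report's Sigma hits as checks over Sysmon-style events.

Added example for this report; it is not Joe Security's or Florian Roth's rule
text. The field names (EventID, Image, ParentImage, CommandLine,
TargetFilename, DestinationIp, Initiated) are the Sysmon fields shown in the
Sigma data rows above. The events at the bottom are constructed from the
process tree and Sigma rows in this report; they are not the sandbox's raw
event log, and the PIDs are copied from the tree only so the output can be
matched against it.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

EQNEDT32 = r"\equation\eqnedt32.exe"


def _lower(e: Event, key: str) -> str:
    return str(e.get(key, "")).lower()


def eqnedt_spawns_process(e: Event) -> bool:
    """'Droppers Exploiting CVE-2017-11882': Equation Editor is the parent of a new process."""
    return e.get("EventID") == 1 and _lower(e, "ParentImage").endswith(EQNEDT32)


def eqnedt_network(e: Event) -> bool:
    """'EQNEDT32.EXE connecting to internet': Equation Editor initiates a TCP connection."""
    return (e.get("EventID") == 3 and _lower(e, "Image").endswith(EQNEDT32)
            and bool(e.get("Initiated")))


def eqnedt_drops_file(e: Event) -> bool:
    """'File Dropped By EQNEDT32EXE': Equation Editor creates a file (Sysmon event 11)."""
    return e.get("EventID") == 11 and _lower(e, "Image").endswith(EQNEDT32)


# cmd.exe chain seen in the process tree: kill the parent by PID, erase its
# binary, wipe the working directory under ProgramData. Accepts "erase" or "del".
SELF_DELETE = re.compile(
    r"taskkill\s+/pid\s+\d+.*&\s*(erase|del)\s+.*&\s*rd\s+/s\s+/q", re.IGNORECASE)


def cmd_self_delete(e: Event) -> bool:
    return (e.get("EventID") == 1 and _lower(e, "Image").endswith(r"\cmd.exe")
            and SELF_DELETE.search(str(e.get("CommandLine", ""))) is not None)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("eqnedt_spawns_process", eqnedt_spawns_process),
    ("eqnedt_network", eqnedt_network),
    ("eqnedt_drops_file", eqnedt_drops_file),
    ("cmd_self_delete", cmd_self_delete),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (ProcessId, rule name) for every event/rule pair that fires."""
    return [(int(e["ProcessId"]), name)
            for e in events for name, rule in RULES if rule(e)]


EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"

# Constructed Sysmon-style events modelled on the report (not the raw log).
SAMPLE_EVENTS: List[Event] = [
    # WINWORD loading the Equation Editor OLE server: expected, must not fire.
    {"EventID": 1, "ProcessId": 2620, "Image": EQN, "ParentImage": WINWORD,
     "CommandLine": f"'{EQN}' -Embedding"},
    {"EventID": 3, "ProcessId": 2620, "Image": EQN, "Initiated": True,
     "Protocol": "tcp", "DestinationIp": "31.210.20.6", "DestinationPort": 80},
    {"EventID": 11, "ProcessId": 2620, "Image": EQN,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows"
                       r"\Temporary Internet Files\Content.IE5\T4O403JZ\Sugvt[1].exe"},
    {"EventID": 1, "ProcessId": 2828, "Image": r"C:\Users\user\toqqx.exe",
     "ParentImage": EQN, "CommandLine": r"C:\Users\user\toqqx.exe"},
    {"EventID": 1, "ProcessId": 3036, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\toqqx.exe",
     "CommandLine": r"'C:\Windows\System32\cmd.exe' /c taskkill /pid 2540 & erase "
                    r"C:\Users\user\AppData\Local\Temp\toqqx.exe & "
                    r"RD /S /Q C:\\ProgramData\\843743064682002\\* & exit"},
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The first sample event is the control: WINWORD.EXE starting EQNEDT32.EXE with `-Embedding` is how the Equation Editor is normally hosted and fires none of the rules, so the detections only trigger once EQNEDT32.EXE itself does something an equation renderer has no reason to do.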

Signature Overview

AV Detection:

Found malware configuration
Source: 8.2.toqqx.exe.3526ab8.5.unpack | Malware Configuration Extractor: Vidar {"C2 url": "198.98.60.43", "RC4 Key": "056139954853430408"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Sugvt[1].exe | ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe | ReversingLabs: Detection: 46%
Source: C:\Users\user\toqqx.exe | ReversingLabs: Detection: 46%
Multi AV Scanner detection for submitted file
Source: PL_503_13_570.docx | Virustotal: Detection: 36%
Source: PL_503_13_570.docx | ReversingLabs: Detection: 34%
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.toqqx.exe.34fea98.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.toqqx.exe.3526ab8.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.toqqx.exe.3576ad8.7.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.toqqx.exe.34fea98.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.toqqx.exe.3576ad8.7.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.toqqx.exe.3526ab8.6.unpack | Avira: Label: TR/Patched.Ren.Gen